This is a follow-up article based on SpecterOps recent article that walked through a few attack paths using Azure API permissions to elevate all the way up to Global Admin. I encourage everyone to read the article which can be found HERE. Basic information about the attack path identified in…

If you haven't had a chance to read the Medium article or full whitepaper about abusing Certificate Services in Microsoft Active Directory environments I highly suggest you do. You can find the Medium article HERE and the whitepaper (which is very detailed) HERE. Quick Overview Basically SpecterOps (some very smart people) discovered…

As more and more companies start to adopt cloud services to enable remote work and reduce the need for on-prem solutions more and more attackers are starting to target cloud environments. Since cloud is still relatively new a lot of companies make simple mistakes that enable attackers to easily steal…

In this article we’ll discuss using some machine learning concepts/scoring to determine the efficacy or effectiveness of threat detection content. An example of threat detection content (TDC) is (not limited to) custom or vendor provided signatures. We’ll generate a series of scores to measure the efficacy, effectiveness, precision, and recall. Efficacy …

If you have not heard there is a zero-day vulnerability actively being exploited in the wild. The vulnerability was originally “patched” back in the Microsoft June 2020 Patch Tuesday update that was issued on June 8, 2021. Its a big issue because it impacts operating system versions starting with Windows…

In light of the most recent disclosure for Pulse Secure VPN solution I wanted to provide a quick guide to creating detection for this attack. Brief Backstory — FireEye detected 12 malware families and multiple threat actors abusing Pulse Secure vulnerabilities. The most recent vulnerability, CVE-2021–22893, allows for RCE. …

If you missed my previous series in which i go over the methodology to implementing & using VirusTotal API data combined with Splunk’s correlation power to discover malicious activity on your network by detecting network traffic to domains that had recently been registered — check it out HERE and HERE…

Identifying the odd TGT Kerberos ticket requests in your environment using Splunk’s Anomalydetection command. Splunk introduced a few handy anomaly focused commands used in their Machine Learning Toolkit app aimed at helping analysts or data deep divers look for anomalies within their datasets. The commands useful for finding anomalies are…

In a previous article, Detecting Cobalt Strike by Fingerprinting Imageload Events, we discussed how we can potentially identify Cobalt Strike being initially executed on a system by focusing on the common DLLs loaded at runtime. Additional research into CS led me to some pretty interesting research posts, one by The…