If you haven't had a chance to read the Medium article or full whitepaper about abusing Certificate Services in Microsoft Active Directory environments I highly suggest you do. You can find the Medium article HERE and the whitepaper (which is very detailed) HERE.

Quick Overview

Basically SpecterOps (some very smart people) discovered…


As more and more companies start to adopt cloud services to enable remote work and reduce the need for on-prem solutions more and more attackers are starting to target cloud environments. Since cloud is still relatively new a lot of companies make simple mistakes that enable attackers to easily steal…


In this article we’ll discuss using some machine learning concepts/scoring to determine the efficacy or effectiveness of threat detection content. An example of threat detection content (TDC) is (not limited to) custom or vendor provided signatures. We’ll generate a series of scores to measure the efficacy, effectiveness, precision, and recall.

Efficacy


If you have not heard, there is a zero-day vulnerability actively being exploited in the wild. The vulnerability was originally “patched” back in the Microsoft June 2020 Patch Tuesday update that was issued on June 8, 2021. It's a big issue because it impacts operating system versions starting with Windows…


In light of the most recent disclosure for Pulse Secure VPN solution I wanted to provide a quick guide to creating detection for this attack.

Brief Backstory — FireEye detected 12 malware families and multiple threat actors abusing Pulse Secure vulnerabilities. The most recent vulnerability, CVE-2021-22893, allows for RCE. …


If you missed my previous series, in which I go over the methodology for implementing & using VirusTotal API data combined with Splunk’s correlation power to discover malicious activity on your network by detecting network traffic to recently registered domains — check it out HERE and HERE


Identifying the odd TGT Kerberos ticket requests in your environment using Splunk’s Anomalydetection command.

Splunk introduced a few handy anomaly focused commands used in their Machine Learning Toolkit app aimed at helping analysts or data deep divers look for anomalies within their datasets. The commands useful for finding anomalies are…


In a previous article, Detecting Cobalt Strike by Fingerprinting Imageload Events, we discussed how we can potentially identify Cobalt Strike being initially executed on a system by focusing on the common DLLs loaded at runtime.

Additional research into CS led me to some pretty interesting research posts, one by The…


Overview

For anyone who has created or written SIEM alerts/alarms, you’re all too familiar with the balancing act of developing signatures that a Security Operations Center (SOC) analyst can investigate or will find useful to start an investigation. A long time ago there was a time, right after taking SANS 508…


UPDATE — Check out a related detection technique to find execute-assembly activity https://link.medium.com/MXY9ntLs3db

While 2020 has been pretty miserable for many people one small silver lining is this year I’ve been fortunate enough to engage in multiple Purple Team exercises affording me the opportunity to observe some pretty interesting TTP…

redhead0ntherun

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.
