As more and more companies adopt cloud services to enable remote work and reduce the need for on-prem solutions, more and more attackers are starting to target cloud environments. Since cloud is still relatively new, a lot of companies make simple mistakes that enable attackers to easily steal sensitive information or pivot from cloud infrastructure to internal applications/systems. As these attacks started to increase, cloud providers started to offer solutions to natively detect possible malicious activity within their cloud environments. A reasonably good solution by AWS is GuardDuty.

“Amazon GuardDuty is a threat detection service that continuously monitors…

In this article we’ll discuss using some machine learning concepts/scoring to determine the efficacy or effectiveness of threat detection content. An example of threat detection content (TDC) is (not limited to) custom or vendor provided signatures. We’ll generate a series of scores to measure the efficacy, effectiveness, precision, and recall.


Efficacy is “the ability to produce a desired or intended result”. When it comes to TDC the desired efficacy score would be high; that is, we want our detections to detect what they intend to detect. …

If you have not heard, there is a zero-day vulnerability actively being exploited in the wild. The vulnerability was originally “patched” back in the Microsoft June 2020 Patch Tuesday update that was issued on June 8, 2021. It’s a big issue because it impacts operating system versions starting with Windows 7 SP1 through Server 2019. The vulnerability allows for Remote Code Execution (RCE) and privilege escalation to SYSTEM. Why is this bad? …

In light of the most recent disclosure for the Pulse Secure VPN solution, I wanted to provide a quick guide to creating detection for this attack.

Brief Backstory — FireEye detected 12 malware families and multiple threat actors abusing Pulse Secure vulnerabilities. The most recent vulnerability, CVE-2021-22893, allows for RCE. A detailed explanation can be found HERE.

From a high level, the things we’re interested in alerting on are requests/activity for/to some very specific URIs/files. Those are as follows:

  • /home/bin/memread
  • /home/runtime/logs/*
  • /tmp/1
  • meeting_testjs.cgi
  • /home/perl/
  • ive-host/dana-na/auth/
  • /tmp/dsactiveuser.statementcounters
  • /tmp/dsstartssh.statementcounters
  • /tmp/dsserver-check.statementcounters
  • compcheckjava.cgi
  • compcheckresult.cgi
  • memread
  • licenseserverproto.cgi
  • dana-na/auth/recover.cgi
  • downloadlicenses.cgi
  • *dana*
  • *meeting*
  • *fb*
  • *smb*
  • *dana-cached*

If you missed my previous series, in which I go over the methodology for implementing and using VirusTotal API data combined with Splunk’s correlation power to discover malicious activity on your network by detecting network traffic to recently registered domains, check it out HERE and HERE. Long story short, if you’re developing threat detection content you NEED to provide context for your detections to speed up SOC analysis and decision making. …

Identifying odd TGT Kerberos ticket requests in your environment using Splunk’s anomalydetection command.

Splunk introduced a few handy anomaly-focused commands in their Machine Learning Toolkit app aimed at helping analysts or data deep divers look for anomalies within their datasets. The commands useful for finding anomalies are anomalies, anomalousvalue, and anomalydetection. This article is focused on the anomalydetection command.

If you’ve been following any of my other articles you’ve probably picked up on the fact that I’m a fan of anomaly detection as a substitute for IOC-based detections. These types of detections are very useful when trying…

In a previous article, Detecting Cobalt Strike by Fingerprinting Imageload Events, we discussed how we can potentially identify Cobalt Strike being initially executed on a system by focusing on the common DLLs loaded at runtime.

Additional research into CS led me to some pretty interesting research posts, one each by The Wover, MDSec, and MichaelKoczwara, which talk about .NET assembly injection techniques. .NET injection is actually something Microsoft considers a feature, and it happens quite a bit within a normal production environment. Turns out there are a few very unique DLLs that will be loaded every time a .NET assembly is loaded…


For anyone who has created or written SIEM alerts/alarms, you’re all too familiar with the balancing act of developing signatures that a Security Operations Center (SOC) analyst can investigate or will find useful to start an investigation. …

UPDATE — Check out a related detection technique to find execute-assembly activity

While 2020 has been pretty miserable for many people, one small silver lining is that this year I’ve been fortunate enough to engage in multiple Purple Team exercises, affording me the opportunity to observe some pretty interesting TTPs courtesy of our Adversary Emulation team. Quick background…


Cobalt Strike, for those of you living under a rock, is a commercial penetration testing platform, developed by Raphael Mudge, used by many of today’s elite Red Teams and, unfortunately, nation state and criminal threat actors. For about $3,500 a bad guy gets…

Using endpoint logs to track down compromised hosts

When attackers gain an initial foothold within an environment they’ll inevitably start looking to perform some sort of lateral movement technique to achieve their objectives. Attackers will likely start this process with a series of ping sweeps and port scans.

This post assumes you’re lucky enough to be collecting endpoint TCP connection logs from tools like Sysmon or popular EDR solutions. These logs can be very noisy, but they are very helpful when tracking down lateral movement by adversaries. Below is an example of Sysmon EventID 3.

The important fields from this…


Cyber Security enthusiast, detection developer and engineer, researcher, consultant.
