Monday, 18 April 2022
Auditing Protected Lsass (RunAsPPL) Access using Sysmon
Auditing Lsass access using Sysmon is one of the key settings that blue teams use to detect suspicious instances in an attempt to dete...
Sunday, 20 March 2022
Structured Approach to Triage New Detection Ideas
Triaging new detection ideas is an important aspect of detection engineering, as it allows us to focus on the most important tasks and to o...
Friday, 10 December 2021
Detecting Token Stealing using Sysmon v13.30 and EQL
Access token manipulation is a well-known technique often used to elevate privileges or to execute in the context of a different identity...
Monday, 24 May 2021
Hunting for Suspicious Usage of Background Intelligent Transfer Service (BITS)
BITS Overview: Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or ...
Monday, 4 January 2021
How to Design Abnormal Child Processes Rules without Telemetry
In detection engineering we often encounter attack techniques that result in a system process spawning an unusual child process, which...
Friday, 27 November 2020
How to Design Detection Logic - Part 1
In this first part we are going to share with you some common logical and high level steps we tend to follow to design detection logic fo...
Friday, 4 September 2020
Hunting Local Accounts and Groups Changes using Sysmon
Visibility on local account and group changes is as important as for domain ones, for both good system hygiene and security. Attackers...