Chris Sanders proposed the following scenario: One of your web servers hosted in the Amazon cloud launched a new process named sqlserver.exe. What do you look for to investigate whether an incident occurred?
Chris Sanders proposed the following scenario: Proxy logs indicate a host on your network made a few HTTP requests with no User Agent string (field is empty). What do you look for to investigate why this is happening and whether an incident has occurred?
In this post, I described a new reliable technique to detect Golden Ticket attacks in Active Directory environments thanks to a recent EventID introduced in Windows 10.
In my previous post, I declared my undying love for continuous integration and deployment capabilities applied to Detection Engineering. Now, let's put the theory into practice! Today, this post will address the unit-testing's part, applied to Splunk.
When you have the chance to catch an attacker live, it is always a delight to monitor 🍿 and dissect their moves in real-time, even a posteriori. To make it happen, you must have some kind of Full Packet Capture in the first place, then, of course, you need a thorough reverse-engineering of the malware will document the encoding, fields, and structures. Ok, you have all the materials needed, now how can we transform the pcap into human transcripts? "You just have to parse the application layer" As usual, while it may seem easy in theory, it is a bit more complicated in real life (especially during an Incident Response engagement, so it is better to be prepared!), this post describes my experience to write such dissector for the last 10 years.
The SOCs are currently suffering from their growth, plagued by bad quality assurance and an extreme fragility to changes. This situation used to be the pain and butter of the developers in the 90s. Fortunately, the Agile manifesto came out and a new way of working took off. This post describes an alternative way to run the detection pipeline.