Detections XYZ

Research

Immutable Artifacts — Enabling RDP Connections

December 2, 2024

Building on my previous article, in this article we will adopt the “Immutable Artifacts” methodology to detect such artifacts for enabling/disabling RDP connections on a Windows machine. The registry architecture for RDP … Read More

Research

Detecting WiFi dumping via direct WinAPI calls and introduction to “Immutable Artifacts”

November 25, 2024

Lately I’ve been reading a LOT of materials on how to write better detection rules. The main reason this whole thing started is that I’ve had a very interesting thought. … Read More

Research

Detection of “Evil-WinRM”

November 24, 2024

What is “evil-winrm”/WinRM? Evil-WinRM is a post-exploitation tool that provides a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM). It’s widely used in penetration … Read More

Research

Detection of “PSExec.py”

October 28, 2024

What is Impacket / PSExec? Impacket PsExec is a Python-based implementation of the PsExec functionality, created by the open-source library Impacket. Impacket is a collection of tools and Python classes for working with network … Read More

Research

Detection of “EDRSilencer”

October 18, 2024

Recently, there’s been quite a buzz in the infosec community about a new tool called “EDRSilencer”. From the tool’s Github description: “A tool uses Windows Filtering Platform (WFP) to block … Read More

Research

My 2nd Udemy course “Detection-as-Code in IBM QRadar” is live. Grab it for free for a limited time!

September 30, 2024

Hello all, Some of you may remember me from my first course “Modern IBM QRadar 7.5 Administration”. I recently created a new course and its now live on Udemy. This … Read More

Research

How a single space killed my detections

July 14, 2024

UPDATE 16/7/2024 – Identified a pattern where the affected commands are “external” commands to cmd.exe, as in, they are actual executables themselves. Ipconfig, net, arp and ping each trigger an … Read More

Research

ViperSoft Stealer

May 14, 2024

So today wasn’t anything special, except that those really annoying Powershell windows that occasionally open on my screen for a split-second and close finally broke me. I started noticing them … Read More

Research

IcedID/Nokoyawa Ransomware

April 1, 2024

Original research credit: TheDFIReport TL;DR Summary Required Logging Event ID Channel Details 4688 / 1 Security, Sysmon New process creation. 17 Sysmon Pipe creation event. 4698 Security New Task Creation. Detection … Read More

Research

CVE-2021-4436 -> Godzilla Web Shell

March 27, 2024

Original research credit: TheDFIReport In this report we will learn about the Godzilla web shell, about what artifacts it generates, and what detection rules can be created based on those … Read More