Immutable Artifacts — Enabling RDP Connections
Building on my previous article, in this article we will adopt the “Immutable Artifacts” methodology to detect such artifacts for enabling/disabling RDP connections on a Windows machine. The registry architecture for RDP …
Detecting WiFi dumping via direct WinAPI calls and introduction to “Immutable Artifacts”
Lately I’ve been reading a LOT of materials on how to write better detection rules. The main reason this whole thing started is that I’ve had a very interesting thought. …
Detection of “Evil-WinRM”
What is “evil-winrm”/WinRM? Evil-WinRM is a post-exploitation tool that provides a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM). It’s widely used in penetration …
Detection of “PSExec.py”
What is Impacket / PSExec? Impacket PsExec is a Python-based implementation of the PsExec functionality, provided by the open-source library Impacket. Impacket is a collection of tools and Python classes for working with network …
Detection of “EDRSilencer”
Recently, there’s been quite a buzz in the infosec community about a new tool called “EDRSilencer”. From the tool’s Github description: “A tool uses Windows Filtering Platform (WFP) to block …
My 2nd Udemy course “Detection-as-Code in IBM QRadar” is live. Grab it for free for a limited time!
Hello all, Some of you may remember me from my first course “Modern IBM QRadar 7.5 Administration”. I recently created a new course and it’s now live on Udemy. This …
How a single space killed my detections
UPDATE 16/7/2024 – Identified a pattern where the affected commands are “external” commands to cmd.exe, as in, they are actual executables themselves. Ipconfig, net, arp and ping each trigger an …
ViperSoft Stealer
So today wasn’t anything special, except that those really annoying Powershell windows that occasionally open on my screen for a split-second and close finally broke me. I started noticing them …
IcedID/Nokoyawa Ransomware
Original research credit: TheDFIReport
TL;DR Summary
Required Logging:
Event ID | Channel          | Details
4688 / 1 | Security, Sysmon | New process creation.
17       | Sysmon           | Pipe creation event.
4698     | Security         | New Task Creation.
Detection …