
Detections XYZ

Detection knowledge repository – by Daniel Koifman

Friday, May 16, 2025
Detection Pitfalls You Might Be Sleeping On
Research

May 12, 2025

Detection engineering isn’t just about finding bad behavior. It’s about understanding how attackers appear normal — by accident or by design. Some of the most successful evasion techniques don’t involve zero-days or encryption …

Practical Cyber Deception — Introduction to “Chaotic Good”
Research

April 30, 2025

Ok, so before we start, I personally think this is a bit of an “offside” topic. While the tech exists, personally I am not familiar with orgs who actually implement …

“Invoke-Shadow” — Applying Jungian Psychology to Detection Engineering
Research

April 8, 2025

“Until you make the unconscious conscious, it will direct your life — and you will call it fate.” — Carl Jung Before I begin this very odd post, let me …

My 2025 Detection Philosophy and the Pursuit of Immutable Artifacts
Research

March 24, 2025

If a log falls in the SIEM, does it generate an alert? 2025 has been an interesting year for me so far. Not too long ago, I joined a startup …

Immutable Artifacts — Enabling RDP Connections
Research

December 2, 2024

Building on my previous article, in this article we will adopt the “Immutable Artifacts” methodology to detect such artifacts for enabling/disabling RDP connections on a Windows machine. The registry architecture for RDP …

Detecting WiFi dumping via direct WinAPI calls and introduction to “Immutable Artifacts”
Research

November 25, 2024

Lately I’ve been reading a LOT of materials on how to write better detection rules. The main reason this whole thing started is that I’ve had a very interesting thought. …

Detection of “Evil-WinRM”
Research

November 24, 2024

What is “evil-winrm”/WinRM? Evil-WinRM is a post-exploitation tool that provides a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM). It’s widely used in penetration …

Detection of “PSExec.py”
Research

October 28, 2024

What is Impacket / PSExec? Impacket PsExec is a Python-based implementation of the PsExec functionality, provided by the open-source library Impacket. Impacket is a collection of tools and Python classes for working with network …

Detection of “EDRSilencer”
Research

October 18, 2024

Recently, there’s been quite a buzz in the infosec community about a new tool called “EDRSilencer”. From the tool’s GitHub description: “A tool uses Windows Filtering Platform (WFP) to block …

My 2nd Udemy course “Detection-as-Code in IBM QRadar” is live. Grab it for free for a limited time!
Research

September 30, 2024

Hello all, Some of you may remember me from my first course “Modern IBM QRadar 7.5 Administration”. I recently created a new course and it’s now live on Udemy. This …
