Detection of “EDRSilencer”
Recently, there’s been quite a buzz in the infosec community about a new tool called “EDRSilencer”. From the tool’s Github description: “A tool uses Windows Filtering Platform (WFP) to block … Read More
Detection knowledge repository – by Daniel Koifman
Hello all, Some of you may remember me from my first course “Modern IBM QRadar 7.5 Administration”. I recently created a new course and it's now live on Udemy. This … Read More
UPDATE 16/7/2024 – Identified a pattern where the affected commands are “external” commands to cmd.exe, as in, they are actual executables themselves. Ipconfig, net, arp and ping each trigger an … Read More
So today wasn’t anything special, except that those really annoying PowerShell windows that occasionally open on my screen for a split-second and close finally broke me. I started noticing them … Read More
Original research credit: TheDFIReport
TL;DR Summary – Required Logging:
Event ID 4688 / 1 (Security, Sysmon): New process creation.
Event ID 17 (Sysmon): Pipe creation event.
Event ID 4698 (Security): New Task Creation.
Detection … Read More
Original research credit: TheDFIReport In this report we will learn about the Godzilla web shell, about what artifacts it generates, and what detection rules can be created based on those … Read More
Original research credit: u0041 In this report we will learn about the “atexec” tool of Impacket, about what artifacts it generates, and what detection rules can be created based on … Read More