How a single space killed my detections
UPDATE 16/7/2024 – Identified a pattern where the affected commands are “external” commands to cmd.exe, as in, they are actual executables themselves. Ipconfig, net, arp and ping each trigger an … Read More
Detection knowledge repository – by Daniel Koifman
So today wasn’t anything special, except that those really annoying Powershell windows that occasionally open on my screen for a split-second and close finally broke me. I started noticing them … Read More
Original research credit: TheDFIReport
TL;DR Summary – Required Logging
Event ID | Channel | Details
4688 / 1 | Security, Sysmon | New process creation.
17 | Sysmon | Pipe creation event.
4698 | Security | New Task Creation.
Detection … Read More
Original research credit: TheDFIReport In this report we will learn about the Godzilla web shell, about what artifacts it generates, and what detection rules can be created based on those … Read More
Original research credit: u0041 In this report we will learn about the “atexec” tool of Impacket, about what artifacts it generates, and what detection rules can be created based on … Read More