- SVCHost.exe and Internet Sharing Triage. Intro: I recently had an interesting case, which involved some digging into SVCHost.exe and the command line parameters passed to it. The Scenario: It started with an alert for a large number of DNS requests associated with an InfoStealer, ViperSoftx, from a user laptop. There were thousands of requests to the domains in a 90-minute period. Looking at the endpoint telemetry available for the device, I could see…
- Virtual Machine Aware Phishing Sites. The Phish Page: Recently I came across an interesting phishing page which, when I browsed to it, showed nothing but a blank white page. There was no 404 or server-not-found error, just an empty page. I found this curious, so I looked at the source code for the page. Much of the page was junk; however, after scrolling to the bottom, I did notice a script that…
- A Guide to Threat Hunting in a SOC. Introduction: You’d be forgiven for thinking that Threat Hunting is just another cyber buzzword spreading throughout the industry, the latest term used to push more product and managed services on a SOC. The reality, however, is that Threat Hunting is an extremely valuable skill and one that every SOC should have. In fact, I believe that Threat Hunting provides more value than the traditional approach that…
- Cobalt Strike – Bypassing C2 Network Detections. Intro: In this mini-post, we’re going to look at how to easily bypass network detections for Cobalt Strike beacons. Many AV products like Symantec Endpoint Protection (SEP) have network detection capabilities that monitor traffic passing through a device’s network interface. Additionally, IDS and IPS also have basic detections for C2 traffic. These detections are basically looking for specific patterns in network packets. For popular tools like Cobalt…
- How to install Elastic SIEM and Elastic EDR. Installing Elastic EDR & SIEM: A few months ago I released a couple of blog posts on how to create enterprise monitoring at home with ELK and Zeek. This post is a continuation of that series… sort of. A lot has changed since those posts, mainly updates to the ELK stack and the release of a number of free EDR tools: OpenEDR, released by Comodo, and Elastic EDR.…