Home - On The Hunt

SVCHost.exe and Internet Sharing TriageOctober 25, 2023
Intro I recently had an interesting case, which involved some digging into SVCHost.exe and command line parameters parsed to it. The Scenario It started with an alert for a large number of DNS requests associated with an InfoStealer, ViperSoftx, from a user laptop. There were thousands of requests to the domains in a 90-minute period. Looking at the Endpoint telemetry available for the device, I could see… Read more: SVCHost.exe and Internet Sharing Triage
Virtual Machine Aware Phishing SitesAugust 3, 2021
The Phish Page Recently I came across an interesting phishing page which when I browsed to, showed nothing but a white blank page. There was no 404, or server not found error, just an empty page. I found this curious, so I observed the source code for the page. Much of the page was junk, however, after scrolling to the bottom, I did notice a script that… Read more: Virtual Machine Aware Phishing Sites
A Guide to Threat Hunting in a SOCJune 28, 2021
Introduction You’d be forgiven for thinking that Threat Hunting is just another Cyber Buzz Word/Phrase spreading throughout the industry, the latest term used to push more product and managed services on a SOC. The reality, however, is that Threat Hunting is an extremely valuable skill and one that every SOC should have. In fact, I believe that Threat Hunting provides more value than the traditional approach that… Read more: A Guide to Threat Hunting in a SOC
Cobalt Strike – Bypassing C2 Network DetectionsMarch 3, 2021
Intro In this mini-post, we’re going to look at how to easily bypass network detections for Cobalt Strike beacons. Many AV products like Symantec Endpoint Protection (SEP) have network detection capabilities that monitor traffic passing through a device’s network interface. Additionally IDS and IPS also have basic detections for C2 traffic. These detections are basically looking for specific patterns in network packets. For popular tools like Cobalt… Read more: Cobalt Strike – Bypassing C2 Network Detections
How to install Elastic SIEM and Elastic EDRDecember 3, 2020
Installing Elastic EDR & SIEM A few months ago I released a couple of blog posts on how to create enterprise monitoring at home with ELK and Zeek. This post is a continuation of that series….sort of. A lot has changed since those posts, mainly updates to the ELK stack and the release of a number of free EDR tools. OpenEDR released by Comodo and Elastic EDR.… Read more: How to install Elastic SIEM and Elastic EDR