Breaking Barriers: Building Zeek for Windows
At Ignite 2022, Microsoft announced its partnership with Zeek and Zeek's corporate sponsor, Corelight, which resulted in Zeek being integrated as a component within Microsoft Defender for Endpoint (MDE). What this means for the rest of us is that Zeek has finally come to Windows, although it is still in an experimental phase and lacks many features...
Threat Detection Ep I: Are you in sync with DCSync?
Welcome to the first episode of the ThreaD (Threat Detection) series. I am opening the series with a spotlight on the DCSync (T1003.006) attack in Active Directory (AD). Intro: A ton of good resources on DCSync already exist, such as [1], [2], and [3], so I will just attempt to summarize it. Simply put, in […]
Threat hunting process injection with Jupyter notebook and Sysmon
Process injection (T1055) refers to injecting code into other live processes. Adversaries use this technique either to evade detection based on process monitoring or to elevate privileges. Process injection was ranked the 6th most used technique by adversaries in Red Canary's 2021 Threat Detection Report. Anyone who has used popular...
Search Windows EVTX files with precision
Microsoft introduced a proprietary binary format called EVTX back in Vista and Server 2008, packed with new enhancements and features like log channels, new event properties, etc. Check out SANS's EVTX and Windows Event Logging white paper for a detailed tour. Today one can use various tools for analyzing EVTX files, like EvtxECmd...
Detect Addition of New Firewall Rules in Defender Firewall
The release of this old blog is prompted by this nice article on silencing Microsoft Defender for Endpoint (previously Microsoft Defender ATP) using firewall rules. The author of that blog pointed out that he hadn't found a proper way of detecting the creation of firewall rules. As he points out, Event ID 4947 only shows the […]
Utilize Sysmon’s Clipboard Monitoring Like a Boss
Back in September, Sysmon v12 graced us with the new ability to monitor the clipboard. You can read about this new capability in Olaf's blog. In this blog, I want to focus on how you can use this new capability to detect RDP activity by hands-on-keyboard actor families, such as human-operated ransomware, from your SIEM. Sysmon […]
Detect Domain Admins Logons to Workstations
This is a short blog that shows one technique for detecting logons of Domain Administrators (DA) to workstations from your SIEM. This is very important, as it signals either malicious activity or a policy violation by your admins. Requirements: the Audit Group Membership audit policy must be enabled under the Logon/Logoff category. WINDOWS_DC_HOSTS...
Monitoring Microsoft Defender Like a Boss
Microsoft Defender, formerly Windows Defender, is Microsoft's built-in antivirus solution for Windows. In recent times, Microsoft has significantly improved Defender's capabilities to make it viable as a standalone antivirus solution. However, we are not here to talk about all of Defender's capabilities but rather a new...