This blog post will create a Sysmon archive quota through WMI event consumption to avoid storage exhaustion.
Enforcing a Sysmon Archive Quota
Author: Maxime Thiebaut
Maxime Thiebaut is a GCFA-certified intrusion analyst in NVISO's Managed Detection & Response team. He spends most of his time investigating incidents and improving detection capabilities. Previously, Maxime worked on the SANS SEC699 course. Besides his coding capabilities, Maxime enjoys reverse engineering samples observed in the wild.
Detecting & Preventing Rogue Azure Subscriptions
In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.
Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester
In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.
Anatomy and Disruption of Metasploit Shellcode
In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. Throughout this blog post we will … Continue reading Anatomy and Disruption of Metasploit Shellcode
Anatomy of Cobalt Strike’s DLL Stager
This blog post will cover the Cobalt Strike DLL stager's anatomy, design choices and highlight ways to reduce both log footprint and time-to-shellcode.
