Scaling your threat hunting operations with CrowdStrike and PSFalcon

Most modern-day EDRs have some sort of feature which allows blue teamers to remotely connect to hosts with an EDR agent/sensor installed, to aid in their investigation of incidents. In CrowdStrike, this is called Real Time Response, and it provides a wide range of capabilities, from executing built-in commands like ipconfig and netstat …

RPC or Not, Here We Log: Preventing Exploitation and Abuse with RPC Firewall

Welcome, readers, to the first installment of our blog series "Preventing Exploitation and Abuse with the RPC Firewall". In this post, we'll delve into how to create rules for the RPC firewall and how to deploy them onto our servers. In the year 2024, we'll release the second part of this series, where we'll explore detection possibilities …

Detecting BCD Changes To Inhibit System Recovery

Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery, an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD). This post will dive …

Hunting Emotet campaigns with Kusto

Emotet doesn't need an introduction anymore - it is one of the more prolific cybercriminal gangs and has been around for many years. In January 2021, a disruption effort took place via Europol and other law enforcement authorities to take Emotet down for good. [1] Indeed, there was a significant decrease in Emotet malicious …