When you work for NVISO, we invest heavily in your personal development: to ensure you reach your full potential as a top class cyber security specialist.
If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. You can use the SHA-1 extracted from the Amcache … Continue reading Amcache contains SHA-1 Hash – It Depends!
Introduction On March 2nd 2022, I observed a new Advanced Hunting table in Microsoft 365 Defender: UrlClickEvents Figure 1 - UrlClickEvents table At time of writing, this table is not yet present in every Office 365 tenant, and the official documentation does not contain information about it. A quick peak at the events it contains … Continue reading Drilling down on phishing campaigns with UrlClickEvents
Introduction When developing the automated SOC workflows for the NVISO Managed SOC and the additional NITRO services on Cortex XSOAR, we have started to make use of automations to do complex tasks instead of playbooks. Automations have much better performances and, if your team has a decent level of Python skills, developing complex tasks in … Continue reading Cortex XSOAR Tips & Tricks – Execute Command Function
Introduction With our Managed Detect and Respond (MDR) service, NVISO provides a managed Security Operations Center (SOC) for a large variety of clients across different industries. Since the beginning of this service, we had an “automate first” principle where we tried to automate as much of the repetitive tasks of the SOC analysts as possible, … Continue reading Cortex XSOAR Tips & Tricks
Last updated on 2022-03-17/ 8am CET 2022-02-25: added key historical operation: Cyclops Blink2022-03-02: added note on spillover and recommendation2022-03-03: added further information on attacks, updated recommendations2022-03-07: added info on HermeticRansom decrypter and our mission statement2022-03-15: added info on CaddyWiper and fake AV update phishing campaign used to drop Cobalt Strike2022-03-17: added info on the removal … Continue reading Threat Update – Ukraine & Russia war
It's time for the season finale. In this post we explore several bypasses but also look at some mistakes made along the way. 1. From zero to hero: a quick recap As promised in part 8, I spent some time converting the application to disable Driver Signature Enforcement (DSE) into a Beacon Object File (BOF) … Continue reading Kernel Karnage – Part 9 (Finishing Touches)
Introduction With our Managed Detect and Respond (MDR) service at NVISO we provide a managed Security Operations Center (SOC) for a large variety of clients across different industries. In our SOC, we rely heavily on automations performed by our SOAR platform Palo Alto Cortex XSOAR to minimize the manual tasks that need to be done … Continue reading Automated spam detection in Palo Alto Cortex XSOAR
The migration from an on-premises environment towards the public cloud started years ago and is still going on. Both governmental agencies and business organizations are in the journey of migrating and maturing their cloud environments[SW1] , pulled by the compelling need for streamlining, scaling, and improving their production. It won’t potentially come as a surprise but … Continue reading 4 Trends for Cloud Security in 2022
When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. … Continue reading Kernel Karnage – Part 8 (Getting Around DSE)