DeTT&CT: Automate your detection coverage with dettectinator

Introduction Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in … Continue reading DeTT&CT: Automate your detection coverage with dettectinator

Can we block the addition of local Microsoft Defender Antivirus exclusions?

Introduction A few weeks ago, I got a question from a client to check how they could prevent administrators, including local administrators on their device, to add exclusions in Microsoft Defender Antivirus. I first thought it was going to be pretty easy by pushing some settings via Microsoft Endpoint Manager. However, after doing some research … Continue reading Can we block the addition of local Microsoft Defender Antivirus exclusions?

Detecting BCD Changes To Inhibit System Recovery

Introduction Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD). This post will dive … Continue reading Detecting BCD Changes To Inhibit System Recovery

DeTT&CT : Mapping detection to MITRE ATT&CK 

Introduction Building detection is a complex task, especially with a constantly increasing amount of data sources. Keeping track of these data sources and their appropriate detection rules or avoiding duplicate detection rules covering the same techniques can give a hard time to detection engineers. For a SOC, it is crucial to have an good overview … Continue reading DeTT&CT : Mapping detection to MITRE ATT&CK