Detection Engineering: Practicing Detection-as-Code – Repository – Part 2

This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We'll go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs.

Detection Engineering: Practicing Detection-as-Code – Introduction – Part 1

In this first part we go through the basic terminology and concepts of a Detection-as-Code approach in Detection Engineering. Throughout this series, we’ll dive deep into a wide range of concepts, strategies, and practical blueprints that you can adapt to fit your own workflows, from building a detection engineering repository to validating detections, automating documentation, and delivering them at scale to numerous managed environments. We’ll also explore how to effectively test and monitor your detections to ensure they stay reliable.

Hunting for Remote Management Tools: Detecting RMMs

In our previous blog post about RMM (Remote Management and Monitoring) tools, we highlighted the prevalence of such tooling in nearly every organization’s environment. In today’s world, where many organizations support remote work, RMM tools are frequently utilized to help provide assistance to end users and to allow IT administrators to perform their tasks from …

DeTT&CT: Automate your detection coverage with dettectinator

Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. However, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in …

Can we block the addition of local Microsoft Defender Antivirus exclusions?

A few weeks ago, I got a question from a client to check how they could prevent administrators, including local administrators on their device, from adding exclusions in Microsoft Defender Antivirus. I first thought it was going to be pretty easy by pushing some settings via Microsoft Endpoint Manager. However, after doing some research …