Starting a Threat Intelligence Program? Here’s what you need to know

Cyber Threat Intelligence is an important part of a comprehensive security program, but it needs to be approached deliberately. Threat intelligence comes in multiple forms; the two I am going to focus on are Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs). The MITRE ATT&CK Framework, Diamond Model ...

Security Advisory Regarding Microsoft Active Directory Vulnerabilities

Security Advisory
Summary: On November 9, 2021, Microsoft disclosed two Active Directory privilege escalation vulnerabilities (CVE-2021-42287 and CVE-2021-42278) and released patches for them (KB5008102 and KB5008380). These vulnerabilities have continued to fly under the radar because of Log4Shell; however, on December 11, 2021, a proof of concept (PoC) was released on GitHub and Twitter. Details: All versions of ...

Security Advisory Regarding Log4Shell

Security Advisory
Summary: On December 9, 2021, a Remote Code Execution (RCE) vulnerability in the Java logging library Log4j was disclosed and assigned CVE-2021-44228. The RCE is triggered when a Java application logs attacker-controlled input containing a JNDI lookup string (for example ${jndi:ldap://...}): Log4j resolves the lookup, contacts the remote server the string points to, and loads and executes the payload it returns. This vulnerability leaves any server hosting an unpatched ...

GreyNoise: Alert Tuning for the SOC Analyst’s Soul

Infosec Blog, security
Here at Hurricane Labs, we process a high volume of alerts for our customers, including a lot of noisy alerts, such as known benign scanners and internet background noise. We spend a lot of time tuning customers' environments to bring the noise down. As we add new customers and more detections, ...

Security Advisory Regarding HiveNightmare

Security Advisory
HiveNightmare Summary: On July 19th, Twitter user @jonasLyk disclosed a vulnerability (CVE-2021-36934) they initially believed affected only Windows 11 Insider builds, but which turned out to be present in current Windows 10 releases as well. The registry hive files under %windir%\system32\config (SAM, SYSTEM and SECURITY) are readable by all local users; the live files are locked while Windows is running, but the copies inside Volume Shadow Copies are not, so any local user can read them and extract password hashes and other secrets. This allows easy privilege escalation once local access is obtained. There is not a current patch available; ...

Kaseya VSA Ransomware: A Practical Guide for Future Threat Prevention

On July 2nd, cybercriminals used Kaseya VSA to initiate a widespread ransomware attack on multiple Managed Service Providers (MSPs) and the customers they support. Currently we do not know the full extent of the damage, but it appears to be among the largest ransomware attacks observed, with some reports estimating ...

Splunking with Sysmon Part 4: Detecting Trickbot

Splunk Tutorials
Trickbot and Ryuk: With the recent outbreak of Ryuk in hospitals, detecting the precursors to the ransomware has become a more visible priority. Ryuk has a history of being deployed after an enterprise has been compromised by Trickbot. The problem with detecting Ryuk is that once it is detected, it ...

Splunking with Sysmon Part 3: Detecting PsExec in your Environment

Splunk Tutorials
PsExec is another powerful tool from Windows Sysinternals. It was created to allow administrators to remotely connect to and manage Windows systems. Because of that power, PsExec has been used by many different threat actors, both embedded in malware and as part of pass-the-hash attacks. PsExec ...
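The Sysmon events PsExec leaves on the target are well understood: the PSEXESVC.exe service binary is started by the Service Control Manager (Event ID 1 with services.exe as parent), it opens a named pipe beginning with \PSEXESVC (Event IDs 17 and 18), and the remotely executed command appears as a child of the service binary. The following is an added example written for this page, not code from the tutorial or from Hurricane Labs, that runs that logic over a handful of constructed Sysmon events. The field names follow Sysmon's schema; the hostnames, paths and PIDs are made up. It also covers the case the pipe rule alone misses: PsExec's -r switch renames the service and its binary, but Sysmon's OriginalFileName field (taken from the PE version resource) still reads psexesvc.exe.

```python
# Constructed Sysmon events for this example (not from the original post). Field names
# (EventID, Computer, Image, ParentImage, OriginalFileName, PipeName) follow Sysmon's
# event schema; hostnames, paths and PIDs are invented.
EVENTS = [
    # PsExec copies PSEXESVC.exe to ADMIN$ and has the Service Control Manager start it,
    # so the service binary shows up as a child of services.exe (Event ID 1).
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\PSEXESVC.exe",
     "OriginalFileName": "psexesvc.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    # The service talks to the operator over named pipes (17 = created, 18 = connected).
    {"EventID": 17, "Computer": "WS01", "PipeName": r"\PSEXESVC",
     "Image": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 18, "Computer": "WS01", "PipeName": r"\PSEXESVC-ADMINPC-4242-stdin",
     "Image": r"C:\Windows\PSEXESVC.exe"},
    # The remotely executed command is a child of the service binary.
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    # PsExec -r renames the service and its binary; OriginalFileName does not change.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\svchelper.exe",
     "OriginalFileName": "psexesvc.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    # Benign service start and pipe activity that must not alert.
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 17, "Computer": "WS03", "PipeName": r"\lsass",
     "Image": r"C:\Windows\System32\lsass.exe"},
]

SERVICE_ORIGINAL_NAME = "psexesvc.exe"
PIPE_PREFIX = "\\PSEXESVC"


def detect_psexec(events: list[dict]) -> list[tuple[str, str]]:
    """Return (Computer, reason) findings for PsExec activity in time-ordered Sysmon events.

    The remotely launched command is recognised by its parent being an image that was
    earlier identified as the PsExec service on the same host, which is why the events
    must be processed in order.
    """
    findings = []
    service_images: dict[str, set[str]] = {}  # host -> lower-cased PsExec service images
    for event in events:
        host = event["Computer"]
        event_id = event["EventID"]
        if event_id == 1:
            image = event.get("Image", "")
            original = event.get("OriginalFileName", "").lower()
            parent = event.get("ParentImage", "").lower()
            default_name = image.lower().endswith("\\psexesvc.exe")
            if original == SERVICE_ORIGINAL_NAME or default_name:
                service_images.setdefault(host, set()).add(image.lower())
                label = "PsExec service binary" if default_name else "renamed PsExec service binary"
                findings.append((host, f"{label} started: {image}"))
            elif parent in service_images.get(host, set()):
                findings.append((host, f"command launched by PsExec service: {image}"))
        elif event_id in (17, 18):
            pipe = event.get("PipeName", "")
            if pipe.upper().startswith(PIPE_PREFIX):
                action = "created" if event_id == 17 else "connected"
                findings.append((host, f"PsExec named pipe {action}: {pipe}"))
    return findings


if __name__ == "__main__":
    for host, reason in detect_psexec(EVENTS):
        print(f"{host}: {reason}")
```

In Splunk the same logic is a search over the Sysmon sourcetype for process-creation events with OriginalFileName=psexesvc.exe, pipe events whose PipeName starts with \PSEXESVC, and a parent/child join for the launched command. Two caveats: OriginalFileName is only populated by Sysmon 10 and later, and legitimate administrative PsExec use produces identical events, so the detection is tuned on who ran it and from where, not on the events themselves.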

Splunking with Sysmon Series Part 2: Tuning

Splunk Tutorials
This Splunk tutorial is a continuation of my previous Sysmon article, Splunking with Sysmon Part 1: The Setup. In part 1, I went over the basics of getting Sysmon installed in your environment and forwarding to Splunk. This second part will help you to take your initial configuration, either Modular ...