Part 16: Tool Description
On Detection: Tactical to Functional. Why it is Difficult to Say What a Tool Does.
Introduction: Over the years, I’ve noticed that we have a difficult time describing a specific tool’s functionality. I participated in conversations or listened to lectures where someone inevitably attempts to describe the techniques or behavior that they associate with ...
Part 15: Function Type Categories
On Detection: Tactical to Functional. Seven Ways to View API Functions.
Introduction: Welcome back to Part 15 of the On Detection: Tactical to Functional blog series. I wrote this article to serve as a resource for those attempting to create tool graphs to describe the capabilities of the attacker tools or malware samples ...
Mapping Snowflake’s Access Landscape
Attack Path Management. Because Every Snowflake (Graph) is Unique.
Introduction: On June 2nd, 2024, Snowflake released a joint statement with CrowdStrike and Mandiant addressing reports of “[an] ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.” A SpecterOps customer contacted me about their organization’s response to this campaign and mentioned that ...
Part 14: Sub-Operations
On Detection: Tactical to Functional. When the Operation is not Enough.
Introduction: A while back, I was working on deconstructing a standard variation of Token Theft and stumbled into a couple of interesting edge cases that my model still needed to account for. Below is the operation chain for one of the most common ...
Part 13
On Detection: Tactical to Functional. Why a Single Test Case is Insufficient.
Introduction: In my previous post, I explored the idea that different tools can implement the same operation chain (behavior) in various ways. I referred to these various ways as execution modalities. In that post, we explored five tools that allowed us ...
Behavior vs. Execution Modality
On Detection: Tactical to Functional. Part 12.
Introduction: At Shmoocon 2015, Will Schroeder (Harmj0y) gave a talk titled “I Hunt Sys Admins,” describing how attackers can hunt (or find the location of) system administrators throughout the network. The talk is only 15 minutes long, so I highly recommend you watch it to understand ...
On Detection: Tactical to Functional
Part 11: Functional Composition.
Introduction: Welcome back to part 11 of the On Detection blog series. This next article serves as a conceptual foundation upon which we will build over the next few posts. It may not be immediately obvious why this is important, but understanding this concept will make many subsequent ...
On Detection: Tactical to Functional
Part 10: Implicit Process Create.
Introduction: Welcome back to another installment of the On Detection: Tactical to Functional series. In the previous article, I argued that we perceive actions within our environment at the Operational level (especially when it comes to endpoint events), which means that we should “conceive” of attacker tradecraft at ...
On Detection: Tactical to Functional
Part 9: Perception vs. Conception.
The concepts discussed in this post are related to those discussed in the 9th session of the DCP Live podcast. If you find this information interesting, I highly recommend checking the session out! (embedded media: https://medium.com/media/89a600d7731c06c483f9d3c89ddc5ff7/href) At this point in the series, we understand that attack techniques are abstract concepts that ...
On Detection: From Tactical to Functional
In his 1931 paper “A Non-Aristotelian System and Its Necessity for Rigour in Mathematics and Physics,” the mathematician Alfred Korzybski introduced an idea that many today find helpful when dealing with complex systems. The idea is commonly referred to as “The map is not the territory,” and Korzybski lays it out ...