Part 16: Tool Description

On Detection: Tactical to Functional (Why it is Difficult to Say What a Tool Does). Introduction: Over the years, I’ve noticed that we have a difficult time describing a specific tool’s functionality. I participated in conversations ...
Malware Morphology for Detection Engineers

Part 15: Function Type Categories

On Detection: Tactical to Functional (Seven Ways to View API Functions). Introduction: Welcome back to Part 15 of the On Detection: Tactical to Functional blog series. I wrote this article to serve as a resource ...
Detection Engineer’s Guide to PowerShell Remoting

PowerShell Remoting is a powerful feature in Windows that enables IT administrators to remotely execute commands, manage configurations, and automate tasks across multiple systems in a network. Utilizing Windows Remote Management (WinRM), ...
Misconfiguration Manager: Detection Updates

TL;DR: The Misconfiguration Manager DETECT section has been updated with relevant guidance to help defensive operators identify the most prolific attack techniques from the Misconfiguration Manager project. Background: If you have been following SpecterOps’s offensive ...
Blinded by Silence

Blinded by Silence: How Attackers Disable EDR. Overview: Endpoint Detection and Response systems (EDRs) are an essential part of modern cybersecurity strategies. EDR solutions gather and analyze data from endpoints to identify suspicious activities and ...
Linux Persistence Mechanisms and How to Find Them

Linux persistence mechanisms are used by attackers to maintain access to a compromised system, even after reboots or system updates. They allow an attacker to regain control of a system without re-exploiting ...
Hunting Specula C2 Framework and XLL Execution

Specula is a framework that allows for interactive operations of an implant that runs purely in the context of Outlook. It works by setting a custom Outlook homepage via registry keys that ...
Detection Rules & MITRE ATT&CK Techniques

We Can Do Better. As a Detection Engineer and Threat Hunter, I love MITRE ATT&CK and I whole-heartedly believe that you should too. However, there’s something about the way that some folks leverage MITRE ...
SOC Meets Cloud: What Breaks, What Changes, What to Do?

Guide your SOC Leaders to More Engineering Wisdom for Detection(Part 9)

This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#9 in the series), we will cover a few higher level ...
Linux Detection Opportunities for CVE-2024-29510

Overview: A remote code execution (RCE) vulnerability in the Ghostscript document conversion toolkit, identified as CVE-2024-29510, is currently being exploited in the wild. Ghostscript, which comes pre-installed on many Linux distributions, is used ...