Detecting Lateral movement through event logs

Japan Cert has recently released a new research paper in wich the show the value of envent logs for the detection of lateral movement. The research papers is outstanding following the quaility of all documentation that the Japan Cert often releases to the public. The research provides and insight into the current tools used by…

A Lustrum of Malware Network Communication: Evolution and Insights

I recently came across this white paper which focuses in the dynamic analysis of network indicators for threat detection. The paper is very easy to read and I found very surprising some of the conclusions obtained from the research. The most revealing one is the fact that months before researchers have access or discovered a…

Cyber Deception: Building the scientific foundation

Looking to understand better cybe deception systems and current state of this technology, I made a thorough search in internet fiding this books in Amazon. The books is a compendium of different research papers aimed at defining cyber depection, its capabilities and technicalities to design them. If you are interested specifically in the design of…

Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)

This is a review of one of the new generation continuous security monitoring solutions. They have been evolving from a reactive to a proactive approach, today we call them threat hunting platforms. Sqrrl combines outstanding visualization capabilities and strong cyber analytics models to make threat hunting and incident detection a walk in the park. To…

Memory Forensics with Vshot and Remnux (code injection, 4)

With this post we are getting nearly to the end of these series of memory analyis with Vshot and Remnux. In this post we are covering some of the plugins to detect the most targeted and stealthy attacks you can find today out there. More often than in previous years, I am coming across more…

The right ingredients for Threat Hunting

Threat Hunting and training such as GCFA are proving to be beneficial to lower the internal detection and dwell time. Not long ago we were discussing the long time that was taking to do internal detection and average dwell time but this is currently changing. Rob Lee and the SANS Institute in their GCFA update…

Hunting down Threat Infrastructure (2, with PassiveTotal)

It’s been a while since I wrote the first post on Threat infrastructure and I believe it will be beneficial for you to first go through it, if you have not done it yet. This will set the context to understand the issues we are trying to solve here. The first post explained how attackers…

The top 10 windows logs event’s used to catch hackers

Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of the windows event id’s for their detection. Another must read. The top 10 windows logs event id's used v1.0 from Michael Gough