mastouille.fr is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastouille is a sustainable, open Mastodon instance hosted in France.

Administered by:

Server statistics:

577
active accounts

#detectionengineering

0 posts, 0 participants, 0 posts today

Hey Hey People,

DA Here.

Do you have a Suricata sensor in your network?

Do you use Suricata as part of a sandbox that you run?

Have you been hammering away at finding evil, and want to find more?

I'm doing a webinar courtesy of OISF this Thursday. 3PM UTC, which translates to 10am EST.

I'll be talking about two things during this meeting: One, is making good use of the ET INFO rule category as an early warning system.

Sure, there is a lot of noise to sift out of ET INFO, and for that reason, some choose to just cut it entirely. I'm here to show you how to grab the stuff we've seen in our sandboxes that can help to lead anomaly detection.

In the second part of this talk, I will talk about how you can convert network and system-specific artifacts into a set of Honeytoken-like IDS rules that again, can lead to anomaly detection, and perhaps even catching advanced or unidentified threats.

Here is a link to register for the meeting: us02web.zoom.us/webinar/regist

Zoom · Welcome! You are invited to join a webinar: Honeytoken IDS rules and ET INFO Rules for Anomaly Detection with Tony Robinson. After registering, you will receive a confirmation email about joining the webinar. This talk is going to be a double header, focusing on ways to spot anomalous activity for threats that may or may not have specific signatures. First, Tony will discuss the value the ET INFO rule category can provide in spotting some of this anomalous activity. He'll discuss the rules he uses that provide value in spotting unusual activity, and how attendees can customize the ET INFO rule category to better suit their needs. The second part of this talk will show attendees how to use system-specific artifacts to create IDS rules that can detect exfiltration of this data, for detecting anomalous activity. He'll also discuss using CyberChef to transform and encode this data in various ways to create rules to detect obfuscation methods attackers use when exfiltrating this information. If there is time, Tony will talk about collaboration he has done with the maintainers of the Secureworks Dalton project that might make development of rules like this much easier.
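The honeytoken-style rules the talk describes, as an added example that is not from the post, OISF or Emerging Threats: a small Python generator that turns constructed host artifacts (a hostname, an internal domain, a service account) into Suricata alert rules matching each value in plain, hex and base64 form on outbound traffic. The three base64 variants cover the unknown alignment of surrounding data; the artifact values, sid range and rule options are assumptions.

```python
import base64
from typing import Iterator

# Constructed sample artifacts: values an intruder on this host would likely
# collect and send out. Placeholders, not real systems.
ARTIFACTS = {
    "hostname": "CORP-DC01",
    "internal-domain": "corp.example.local",
    "svc-account": "svc_backup",
}

def base64_variants(token: bytes) -> set[str]:
    """Base64 forms of token at the three possible 3-byte alignments.
    Bytes before and after the token are unknown, so characters whose
    bits mix token bytes with neighbouring bytes are stripped."""
    variants = set()
    for k in range(3):                            # bytes of unknown prefix
        enc = base64.b64encode(b"\x00" * k + token).decode()
        head = (0, 2, 3)[k]                       # chars tainted by the prefix
        tail = (0, 3, 2)[(k + len(token)) % 3]    # chars tainted by suffix/padding
        variants.add(enc[head:len(enc) - tail])
    return variants

def suricata_content(s: str) -> str:
    """Escape the characters Suricata's content keyword treats specially."""
    return "".join(f"|{ord(c):02X}|" if c in '";|\\' else c for c in s)

def honeytoken_rules(artifacts: dict, sid_base: int = 9000000) -> Iterator[str]:
    """Emit one alert rule per (artifact, encoding); sid_base is an assumption."""
    sid = sid_base
    for name, value in artifacts.items():
        forms = [("plain", value, "nocase; "), ("hex", value.encode().hex(), "nocase; ")]
        forms += [("base64", v, "") for v in sorted(base64_variants(value.encode()))]
        for enc, pattern, opts in forms:
            sid += 1
            yield (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
                   f'(msg:"HONEYTOKEN {name} {value} outbound ({enc})"; '
                   f'flow:established,to_server; content:"{suricata_content(pattern)}"; {opts}'
                   f'classtype:policy-violation; sid:{sid}; rev:1;)')

def token_in_base64_stream(stream: bytes, token: bytes) -> bool:
    """Self-check: does some alignment variant match the real encoding of a stream?"""
    enc = base64.b64encode(stream).decode()
    return any(v in enc for v in base64_variants(token))

if __name__ == "__main__":
    for rule in honeytoken_rules(ARTIFACTS):
        print(rule)
```

Drop the output into a local rules file and tune the noise the same way the talk suggests for ET INFO: these rules only fire on strings that should never leave the network, so any hit is worth a look.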

"Sweet QuaDreams or Nightmare before Christmas? Dissecting an iOS 0-Day" (Christine Fossaceca & Bill Marczak)

Things I learned:
BlastDoor is the sandbox for objects in messages on iOS. (curious if something similar exists in macOS?)
The keychain is a target of attacks on iOS too.
Persistence is hard on iOS, and some attackers just don't bother. If your exploit is good enough, you can just re-exploit the device after a reboot.

Other notes:
There's a cute theoretical attack on the Zecops blog "No Reboot" where you can fake the reboot screen so the user thinks they've rebooted their device when they actually haven't.
QuaDream subverted iCloud 2FA by giving false dates to the process that generates TOTP codes. Malware can generate/cache TOTP codes that are valid at future times.
QuaDream stored XML data in a backdated calendar item. At the time, backdated calendar items didn't generate notifications.
QuaDream used triggering events to decide when to send data - i.e. screen locked or unlocked.

#detectionengineering
For iOS, code executing from /private/var/db/com.apple.xpc.roleaccountd/staging/ is sus. (True for macOS as well?)
A system process that doesn't normally make a network connection uploading data (for QuaDream, BackupAgent was used)

OBTS link: objectivebythesea.org/v7/talks

BlackHat Slides: i.blackhat.com/EU-23/Presentat

objectivebythesea.org · #OBTS v7.0: Talks · Conference Talks

I'm in a weird position professionally and guess I am looking for a #mentor ? Maybe just someone more experienced than me to talk to and not necessarily some long term commitment of expectations? Growth just isn't going to happen where I'm at and I think I keep getting stuck in an under-/overqualified limbo.

Mainly work in #malwareanalysis #threatintel #detectionengineering with heavy #programming skills.

Always see #CyberMentoringMonday does it do anything?

News from #SIGMA team: 'One of the most requested features for Sigma in the last years was the ability to express correlation searches. Since Sigma was introduced, its main focus was set on matching single log events. The first version of the Sigma specification defined a syntax for piped aggregation expressions, but this first approach to match multiple events in defined combinations had various issues & some important aspects were underspecified. blog.sigmahq.io/introducing-si #detectionengineering

Sigma_HQ · Introducing Sigma Correlations - Sigma_HQ · By Thomas Patzke

I've been going through this series trying to better understand how I can work with my purple team to integrate our threat intel in their workflow and the author brought up something I'd like to elaborate on:

"Detection hints from ATT&CK are also rather generic, since a Technique is itself a concept which clusters different procedures together. Thus, while ATT&CK can give a direction of what a SOC needs to develop, it doesn’t give a way to achieve detection objectives; which is the detection engineer core concern."

I agree that ATT&CK itself is vague. It has its purpose but not so much for the defensive side. When talking about a specific technique, I like to add in the D3FEND ontology to provide more specific artifacts that can be used to narrow the scope of what to look for. In a hunt fashion, I'll add MITRE's Cyber Analytics Repository (CAR) for pseudocode implementations.

So long as you prioritize the (sub)technique that you want detection engineers to focus on, these three sources alone I feel can help CTI teams further explain the threat and assess control coverage.

medium.com/anton-on-security/b
#DetectionEngineering #ThreatIntel #CTI #MITRE

Anton on Security · Build for Detection Engineering, and Alerting Will Improve (Part 3) · By Anton Chuvakin

Thrilled to launch So You Want to be a SOC Analyst? 2.0 -- Now, with no requirements to run your own VMs!

SYWTBSA 2.0 enables paid subscribers of my blog to dive into this 6-part threat detection & response lab using a fully self-contained, cloud-hosted VM. Also, many of the setup steps have been taken care of for you, enabling you to dive right into the best parts of the lab.

Also, this version of SYWTBSA has been tweaked and revamped specially for this cloud-hosted version.

Check it out here: blog.ecapuano.com/p/so-you-wan #SOC #socanalyst #detectionengineering #dfir #secops #infosec

Eric’s Substack · So you want to be a SOC Analyst? 2.0 · By Eric Capuano

At this point I have taught or advised hundreds of aspiring hackers. I've provided instructional content to thousands more.

I can count on one hand the number of times an aspirant has told me they want to go into defensive cybersecurity.
#DFIR, #ThreatHunting, #DetectionEngineering...these ain't lighting up the imagination of the padawans.

But I constantly see mid-career pentesters/red teamers decide to move over to defense for one reason or another.

Which leads me to conclude that we've made a fatal flaw in #CyberSecurity training. Since a defender must understand attacks anyhow, I am coming to the conclusion that all technical cybersecurity training should begin with the offensive skills. Then mix in the defense. I believe seeing both sides like this might make defense more appealing earlier—and produce better defenders.

I’m excited to launch our latest online course, YARA for Security Analysts.

We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intelligence research.

In the course, you’ll learn how to use YARA to detect malware, triage compromised systems, and collect threat intelligence. No prior YARA experience is required.

You can learn all about the course and register here: networkdefense.co/courses/yara.

It's discounted right now for launch.

I recently wrote an article on #Linux #Ransomware - I was surprised to see that more often than not, variants that have a “Linux” version are really targeting the hypervisor and encrypting the virtual memory.

It’s an important distinction, as your #EDR / #Logging will not see a binary execute on the host VMs - you’ll want to ensure your #Hypervisor #Logs are being sent to your #SIEM.

signalblur.io/through-the-look

#FOSS #Unix #Virtualization #Cloud #RHEL #OpenSource #OpenSuse #CTI #Malware #InfoSec #CyberSecurity #Intel #DetectionandResponse #DetectionEngineering

(Re-posting as killing off all of the JavaScript on my site accidentally messed up the metadata when I share links 🙃 all fixed now)

signalblur · Through the Looking Glass: A Deep Dive into Linux Ransomware Research · Over the past few weeks, I have done a deep dive into the public research available on Linux Ransomware, seeking to understand the broader landscap...

Want to identify many popular lateral movement techniques?

Master psexec.

Many lateral movement techniques embedded within popular attack tools like Meterpreter, Beacon, and others, behave very very similarly to psexec, just with added obfuscation.

If you thoroughly understand how psexec works, you'll learn to spot many other tools.

praetorian.com/blog/threat-hun

Praetorian · Threat Hunting: How to Detect PsExec - This article profiles the use of the PsExec command-line tool as a cyber-attack technique, and how threat hunters can detect it.
#DFIR #secops #detection