threathunting   181

"Windows logging Cheat Sheet", "Splunk Logging Cheat Sheet"
Windows  Security  Registry  Powershell  Forensics  SIEM  Splunk  ThreatHunting  DFIR  CheatSheet 
12 days ago by snkhan
ThreatStream Matches As Notable Events in Splunk? Here's How...
The search looks like this:

| `ts_tstats_all` | `ts_lookup_details` | `ts_get_time_offset(_time, ts_date_last)` | where ts_confidence >= 80 AND Age < 31 AND (like(ts_itype, "apt%") OR like(ts_itype, "c2%") OR like(ts_itype, "mal%")) | eval orig_sourcetype=sourcetype
splunk  anomali  threatstream  threathunting  cyberthreatintel 
20 days ago by bwiese
Building Integrations for Splunk Enterprise Security | Splunk
Splunk ES - includes prepackaged dashboards, correlations, and incident response workflows to help security teams analyze and respond to their network, endpoint, access, malware, vulnerability, and identity information.

Use Frameworks: Notable Events, Asset & Identity, Threat Intelligence, Risk, Adaptive Response
splunk  cybersecurity  siem  threathunting 
20 days ago by bwiese
Attack inception: Compromised supply chain within a supply chain poses new risks – Microsoft Secure
Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendor’s systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out to be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

In early 2017, we discovered operation WilySupply, an attack that compromised a text editor’s software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.
cybersecurity  supplychain  scrm  software  pdf  threathunting 
4 weeks ago by bwiese
Threat Hunting: 10 Adversary Behaviors to Hunt For | Sqrrl
As a reminder, Sqrrl has developed a hunting methodology called the Threat Hunting Loop. The hunting loop has four steps:
1) create hypotheses
2) investigate via tools and techniques
3) uncover new patterns and TTPs
4) inform and enrich analytics

These behaviors are generally aligned to Lockheed’s Cyber Kill Chain and the MITRE Attack Matrix. One way to determine which behaviors to hunt for is to develop a Hunting Heat Map that identifies where you have detection gaps. Below are 10 behaviors that you might consider prioritizing for hunts depending on your current detection capabilities.
threathunting  cybersecurity  sqrrl 
7 weeks ago by bwiese
Cyber Threat Hunting (1): Intro
After some long months debating whether to write a white paper, and what potential topics I could write about – I just decided that I do not have enough time to go through the process of writing a research paper for the next 6 to 12 months. Instead, I am taking some of my research and current experience and I am sharing it with you. I will be brief and to the point – it is not my intention to spend much time in the bushes. I want to provide you with a solid foundation to start hunting and understanding the “creativity” behind the process.
cybersecurity  threathunting 
7 weeks ago by bwiese
Cyber Threat Hunting (2): Getting Ready
In my previous post I went through the basics of hunting and its benefits for the organization and for analysts. To continue the journey, today I am going to cover the preparations you need to do before you go out there and hunt. We are covering preparations and locations to hunt.
cybersecurity  threathunting 
7 weeks ago by bwiese
Cyber Threat Hunting (3): Hunting in the perimeter
In this third post we are going to see what we need to look at when hunting and detecting adversaries in the perimeter. We are also going to look at some of the firewall technologies and their log formats in order to detect anomalies in the inbound and outbound traffic in your network.
cybersecurity  threathunting 
7 weeks ago by bwiese
The applicability of Graphs for Information Security combatants – Medium
“ The relations between entities are often more interesting than the individual entities themselves in the context of modern Information Security ”
“ Maliciousness is often determined by something that is not normal in the given context ”
“ The creativity, ingenuity and brain power of the humans involved in Information Security matters more than the individual tools you buy from Infosec vendors”
threathunting  cybersecurity  graphs  dfir 
7 weeks ago by bwiese
