A joint blog written by Jared Atkinson, Luke Paine, and Jonathan Johnson

Introduction

A few months ago, Jared Atkinson released a blog post that introduced a detection engineering methodology he referred to as Capability Abstraction. Since then, our team at SpecterOps has been working to implement this approach across a diverse set of attack techniques to learn its strengths and weaknesses as a whole. What we’ve learned thus far is that capability abstraction provides analysts with a set of proverbial Legos they can use to answer more complex questions that they may not have been aware of initially. Through documentation and research, an understanding of these concepts can be reapplied in situations for which they were not originally intended. …


Introduction:

During Part 1 of this blog series: Engineering Process Injection Detections — Part 1: Research, I covered how you can maximize your detection efforts by following a concept outlined by Jared Atkinson: Capability Abstraction. Moving forward, we will focus on the post-attack phase and how to isolate events to create relationships. This process can become difficult if we don’t know what type of data to look for. …
