Tareq Alkhatib: How To Respond To Alerts? Introducing “Suspects” (Sep 6, 2022)
Summary: A “Suspect” is the object that took the malicious action. Statistical rules can generate alerts with no “suspect”. Whitelisting…

Tareq Alkhatib: How To Objectively Measure A Detection Rule’s Strength (Aug 3, 2022)
Summary: Rule strength is a function of the level of control the attacker has over the rule fields, blacklisting vs. whitelisting, data…

Tareq Alkhatib: Cyber Certifications Are A Scam! (Jul 11, 2022)
Summary: Vendor certifications serve the vendor more than they do the student. Skill-based certifications with written exams can’t…

Tareq Alkhatib: Petition: Hey Microsoft, help us detect LOLBAS usage! (Jun 30, 2022)
Summary: Can we just update the LOLBAS to log when they get executed instead of having to monitor every single process across the whole…

Tareq Alkhatib: You Cannot Detect Techniques in the Execution Tactic! And What To Do Instead (Jun 1, 2022)
Summary: There is a difference between a rule detecting a technique vs. detecting a lower tier on the pyramid of pain that might be related…

Tareq Alkhatib: It’s Not You! Windows Security Logs Don’t Make Sense (Mar 14, 2022)
Summary: Windows logs are designed to track the execution of the application, regardless of whether this facilitates cyber investigations…

Tareq Alkhatib: What Does Deprecating WMIC Mean to the Blue Team? (Feb 12, 2022)
Summary: Deprecating WMIC.exe reduces the number of ways attackers can use WMI, which can simplify detection for defenders, but it may also…

Tareq Alkhatib: Finding Inconsistencies In MITRE ATT&CK Data Sources (Feb 3, 2022)
Summary: The “Command Execution” data source can be merged into either “Process” or “Script Execution”. Also, “User Account Authentication”…