How To Respond To Alerts? Introducing “Suspects” (Sep 6, 2022)
Summary: A “Suspect” is the object that took the malicious action. Statistical rules can generate alerts with no “suspect”. Whitelisting…

How To Objectively Measure A Detection Rule’s Strength (Aug 3, 2022)
Summary: Rule strength is a function of the level of control the attacker has over the rule fields, blacklisting vs. whitelisting, data…

Cyber Certifications Are A Scam! (Jul 11, 2022)
Summary: Vendor certifications serve the vendor more than they do the student. Skill-based certifications with written exams can’t…

Petition: Hey Microsoft, help us detect LOLBAS usage! (Jun 30, 2022)
Summary: Can we just update the LOLBAS to log when they get executed instead of having to monitor every single process across the whole…

You Cannot Detect Techniques in the Execution Tactic! And What To Do Instead (Jun 1, 2022)
Summary: There is a difference between a rule detecting a technique vs. detecting a lower tier on the pyramid of pain that might be related…

It’s Not You! Windows Security Logs Don’t Make Sense (Mar 14, 2022)
Summary: Windows logs are designed to track the execution of the application, regardless of whether this facilitates cyber investigations…

What Does Deprecating WMIC Mean to the Blue Team? (Feb 12, 2022)
Summary: Deprecating WMIC.exe reduces the number of ways attackers can use WMI, which can simplify detection for defenders, but it may also…

Finding Inconsistencies In MITRE ATT&CK Data Sources (Feb 3, 2022)
Summary: The “Command Execution” data source can be merged into either “Process” or “Script Execution”. Also, “User Account Authentication”…