

2022-04-18 07:14   Auditing Protected Lsass (RunAsPPL) Access using Sysmon   #MENASEC #SecurityArticles   Auditing Lsass access using Sysmon is one of the key settings that blue teams use to detect suspicious instances in an attempt to catch behaviour like Mimikatz. It's also known that a lot of legitimate programs (including MS native services) request a process access handle (including VM_R

2022-03-21 00:34   Structured Approach to Triage New Detection Ideas   #MENASEC #SecurityArticles   Triaging new detection ideas is an important aspect of detection engineering, as it allows us to focus on the most important tasks and to optimize the utilization of the existing limited resources (both human and technology). It doesn't have to be perfect, but it needs to minimize the effect of

2021-12-10 20:29   Detecting Token Stealing using Sysmon v13.30 and EQL   #MENASEC #SecurityArticles   Access token manipulation is a well-known technique often used to elevate privileges or to execute in the context of a different identity. There are different implementations of this technique, but the most observed one, seen in malware as well as in common offensive frameworks (i.e. meta

2021-05-24 06:05   Hunting for Suspicious Usage of Background Intelligent Transfer Service (BITS)   #MENASEC #SecurityArticles   BITS Overview: Background Intelligent Transfer Service (BITS) is used by programmers and s

2021-01-05 04:23   How to Design Abnormal Child Processes Rules without Telemetry   #MENASEC #SecurityArticles   In detection engineering we often encounter attack techniques that result in a syste

2020-11-27 20:35   How to Design Detection Logic - Part 1   #MENASEC #SecurityArticles   In this first part we are going to share with you some common logical and high-level st

2020-09-04 21:10   Hunting Local Accounts and Groups Changes using Sysmon   #MENASEC #SecurityArticles   Visibility on local account and group changes is as important as for Domain ones for

2020-09-02 02:57   Discovering Windows Registry Symbolic Links using Sysmon   #MENASEC #SecurityArticles   When accessing the HKEY_CURRENT_USER or HKEY_CLASSES_ROOT registry hives from code, people usually a

2020-08-28 23:44   New Trick to Detect Lateral Movement via Network File Shares   #MENASEC #SecurityArticles   Lateral movement via Windows file shares is an important technique for an attacker to both move late

2019-12-01 03:53   Forensics traces of NTDS.dit dumping using ntdsutil utility   #MENASEC #SecurityArticles   Active Directory stores information about members of the domain, including devices and users, to verif

2019-11-22 19:54   Hunting for suspicious use of TeamViewer - Part 1/2   #MENASEC #SecurityArticles   N.B.: TeamViewer (TV) is a great Remote Support (++) tool, and the objective of this post is to share

2019-07-16 06:27   Interesting DFIR traces of .NET CLR Usage Logs   #MENASEC #SecurityArticles   As most of you already know, .NET has become an increasingly important component in the offensive wor

2019-04-30 06:17   Detecting Namedpipe Pivoting using Sysmon   #MENASEC #SecurityArticles   In this quick post we will be sharing with you a detection trick you can use to detect lateral movem

2019-04-16 22:36   The "-" impact of Network Level Authentication on failed logon events - 4625   #MENASEC #SecurityArticles   In this short post we will be highlighting some of the observed abnormal failed logon events (relate

2019-04-02 23:55   Credential Access - Detecting Browser's secrets stealing   #MENASEC #SecurityArticles   Browsers' saved credentials (passwords & permanent cookies) are a juicy target for any attacker