Threat Research

Detecting discovery commands using MITRE Caldera and Splunk

We are going to review logs in Splunk based on our BAS testing of Discovery techniques from MITRE Caldera. One discovery technique we want to detect is identifying which antivirus software is running on a machine. An attacker can use this information to disable the antivirus or to evade its detection. We can review the report…

MITRE Caldera demo

Breach and Attack Simulation (BAS) is a technology that enables organizations to continuously and automatically simulate cyberattacks, replicating the tactics, techniques, and procedures (TTPs) used by real-world threat actors. BAS tools are designed to test and assess the effectiveness of an organization's security controls, helping identify vulnerabilities and weaknesses in its defenses before an actual…

How to Generate YARA Rules with YarGen

This guide provides a straightforward method for creating YARA rules from malware samples using YarGen and MalwareBazaar. 1. Setup Your Environment CRITICAL: Before you start, use a completely isolated virtual machine (VM). Do not handle malware on a machine connected to your network or containing sensitive data. Inside your VM, open a terminal and follow…

Using Hayabusa

Analyzing Local Windows Event Logs with Hayabusa This guide shows how to use Hayabusa to scan local Windows Event Logs for threats and view the results in Timeline Explorer. 1. Setup and Update Rules 2. Scan Local System Logs Hayabusa scans local EVTX files and saves all findings into a single results.csv file for analysis.…

Detecting Windows memory based attacks

For effective detection, it’s crucial to collect the right data. A best practice is to enable the collection of DLL load events (Event ID 7) using Sysmon on your Windows endpoints. Be aware that this can generate a high volume of data, so you may want to create filters to exclude routine DLL loads from…