Security Research

Detecting discovery commands using MITRE Caldera and Splunk

We are going to review logs in Splunk based on our BAS testing of Discovery techniques from MITRE Caldera. One discovery technique we want to detect is identifying which antivirus software is running on a machine. An attacker can use this information to disable or evade detection by the antivirus. We can review the report…

MITRE Caldera demo

Breach and Attack Simulation (BAS) is a technology that enables organizations to continuously and automatically simulate cyberattacks, replicating the tactics, techniques, and procedures (TTPs) used by real-world threat actors. BAS tools are designed to test and assess the effectiveness of an organization’s security controls, helping identify vulnerabilities and weaknesses in their defenses before an actual…

How to Generate YARA Rules with YarGen

This guide provides a straightforward method for creating YARA rules from malware samples using YarGen and MalwareBazaar. 1. Set Up Your Environment CRITICAL: Before you start, use a completely isolated virtual machine (VM). Do not handle malware on a machine connected to your network or containing sensitive data. Inside your VM, open a terminal and follow…

Using Hayabusa

Analyzing Local Windows Event Logs with Hayabusa. This guide shows how to use Hayabusa to scan local Windows Event Logs for threats and view the results in Timeline Explorer. 1. Set Up and Update Rules 2. Scan Local System Logs Hayabusa scans local EVTX files and saves all findings into a single results.csv file for analysis.…

Detecting Windows memory based attacks

For effective detection, it’s crucial to collect the right data. A best practice is to enable the collection of DLL load events (Event ID 7) using Sysmon on your Windows endpoints. Be aware that this can generate a high volume of data, so you may want to create filters to exclude routine DLL loads from…

Creating a Honeypot server for threat intel IOC matching

Honeypot using IONOS VPS and Cowrie I want to create a safe honeypot to try to capture malicious IPs and perform research on them. To do so, I am going to run a cheap VPS in the cloud and remotely pull logs from it. Requirements Optional Outcomes Step #1: Log in to public facing VPS using…