
In my previous post, I explained how to generate process trees originating from specific processes and find unusual patterns. How about if we could generate process trees and get extra information about these process trees so that we can quickly detect suspicious/malicious activity? Let’s have a look at one of the most common techniques: Scheduled Tasks.

Adversaries create scheduled tasks to achieve persistence. You can detect suspicious scheduled task creations if the task is created in the normal/common way. However, if the scheduled task is created by using the Windows API or via a misconfigured GPO etc., detection might be difficult and time consuming…



A couple of months ago, I came across some blog posts about detecting threats by analyzing process trees or process parent-child relationships. The idea behind this method is to create process trees and find rare patterns that might be an indication of malicious activity. To make it clearer, let’s have a look at an example:

You open a document you received and click “enable content”. Then, all of a sudden, you get compromised. When you opened the document and clicked “enable content”, here is what happened (in orange):



The recent spread of Ryuk ransomware in October showed that even big companies had critical issues with their defenses. What surprised me is that everyone started to talk only about detection as if there could be no prevention at all. In this post, I’ll go through some common steps of the attacks and provide some tactical strategies for prevention, detection, and hunting. These strategies are not only applicable to ransomware attacks, they can be applied to many types of attacks.

User opens a malicious attachment and clicks a link

Prevention

If extracting URLs from attachments is possible, an email sandbox may prevent the attack by opening the URL, downloading the…



Kerberoasting is one of the techniques most used by attackers. By enumerating service principal names and requesting Kerberos service tickets for them, an attacker gets the password hash of those accounts and cracks them offline.

One of the detection methods is checking the volume of service ticket requests over a period and generating an alert if the volume is higher than a defined threshold. This approach can generate false positives and, more importantly, false negatives.

To detect Kerberoasting in a better way, I've created a query by using time series functions in KQL. The query analyses service ticket requests and…



There has been an interesting idea for detection engineering recently. It is about developing detection in a DevOps way by using CI/CD pipelines. As I have some experience with this approach, I’ll try to shed some light on it and answer the question “do we really need it?”.

Working in a DevOps way with CI/CD pipelines requires development (DEV), acceptance (UAT), and production (PROD) environments. The way of working is simply as follows:

  1. You develop your code and test it in the development environment. …


I have been reading and watching a lot of content about threat hunting for quite a while now. However, something regarding the threat hunting process is not very clear to me. The common threat hunting process is more or less as follows:


Based on this process, each hunting investigation results in one of the following:

  • Uncover new TTPs
  • Respond to an incident
  • Improve/Enrich Analytics (develop detections)

What if it is not possible to improve analytics; in other words, it is not possible to develop an automated detection mechanism? Should we just leave the hypothesis and not address it anymore? …



Email is the most used vector for both malware distribution and phishing. As I promised in my Phishing Hunting guide, I will dwell on ways of threat hunting and detection using email logs in this post.

Unfortunately, email gateways don’t produce enough information to be used for hunting purposes. Sometimes, even the logging mechanism is terrible. Despite the difficulties, there are still some ways to hunt and detect attacks. The information that can be used for hunting includes Sender IP, Sender Domain, Sender Address, From Address, Recipient Address, Recipient Domain, URL Info, Attachment Info, and Size.


After the SANS data breach, I decided to write a post about phishing attack detection and hunting.


As you all know (or you should know!), the main goals of phishing attacks are to steal credentials, run malware on the victim’s machine for malicious purposes, or make configuration changes for malicious purposes. To achieve these, attackers use some methods like tricking users into clicking a link, or downloading and opening an attachment. A more recent one is to trick the victim into giving consent to an OAuth app. Each method has its own mechanisms.

Now, let’s have a closer look at…



As I mentioned in my previous post about detecting and responding to ransomware attacks, I created a hunting and detection guide using web proxy logs.

Web proxies generate a common set of information that can be used for threat hunting and detection. This information includes Duration, HTTP Status, Bytes In, Bytes Out, Protocol, HTTP Method, HTTP Version, URL Category, URL Hostname, URL Path, URL Query, Mime Type, File Name, and User Agent.

Below, I explain how we can use this information to hunt or detect threats.

Duration

This information shows how long the transaction has taken. Malware can communicate with the C2…



After writing Defeating Ransomware by Using Sysmon and PowerShell, I continued my research on modern ransomware techniques and found new methods that can be applied to almost all kinds of ransomware. In this post, I’m going to explain modern ransomware techniques and how to detect and respond to them by using built-in Windows features and free tools. As a bonus, I’m going to use Binalyze AIR, a commercial product for incident response, to demonstrate acquiring full forensic evidence in the event of ransomware on an endpoint.

Ransomware encryption methods

All modern ransomware use RSA + AES encryption to encrypt the files. They…

Mehmet Ergene

Cyber Defense Professional. Threat Hunting | Active Defense | Cyber Deception | SOC | SIEM | @Cyb3rMonk
