
Cyber Defense Professional. @Cyb3rMonk ( Threat Hunting | Active Defense | Cyber Deception | SOC | SIEM )

In data science, the majority of the time is spent on cleaning and normalizing the data. Just like in red teaming/pentest activities where preparation/reconnaissance is the most important step, preparation of data is the most important step in data science activities. In this post, I will explain how we can apply some basics of data science to threat hunting and detect suspicious Registry Run keys on a large scale with KQL in Azure Sentinel/MDATP/MDE/M365D. …


Identity is the new perimeter, and monitoring of identities has become crucial for organizations. Since I’ve only seen unsuccessful UEBA implementations so far, I’ve developed my own custom UEBA-like solution using KQL and Microsoft 365 Defender logs to hunt for account anomalies (T1078.002) and Lateral Movement. Depending on the details that Windows logon events provide, the logic explained in this post can also be implemented on Azure Sentinel and Splunk.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their…


In my previous post, I explained how to generate process trees originating from specific processes and find unusual patterns. How about if we could generate process trees and get extra information about these process trees so that we can quickly detect suspicious/malicious activity? Let’s have a look at one of the most common techniques: Scheduled Tasks.

Adversaries create scheduled tasks to achieve persistence. You can detect suspicious scheduled task creations if the task is created in the normal/common way. However, if the scheduled task is created by using the Windows API or via a misconfigured GPO etc., it might be difficult and time consuming…


A couple of months ago, I came across some blog posts about detecting threats by analyzing process trees or process parent-child relationships. The idea behind this method is to create process trees and find rare patterns that might be an indication of malicious activity. To make it more clear, let’s have a look at an example:

You open a document you received and click “enable content”. Then, all of a sudden, you get compromised. When you opened the document and clicked “enable content”, here is what happened (in orange):


The recent spread of Ryuk ransomware in October showed that even big companies had critical issues with their defenses. What surprised me is that everyone started to talk only about detection as if there could be no prevention at all. In this post, I’ll go through some common steps of the attacks and provide some tactical strategies for prevention, detection, and hunting. These strategies are not only applicable to ransomware attacks, they can be applied to many types of attacks.

User Opens a Malicious attachment and clicks a link

Prevention

If extracting URLs from attachments is possible, an email sandbox may prevent the attack by opening the URL, downloading the…


Kerberoasting is one of the most used techniques by attackers. By enumerating service principal names and requesting Kerberos service tickets for them, an attacker gets the password hash of those accounts and cracks them offline.

One of the detection methods is checking the volume of service ticket requests over a period and generating an alert if the volume is higher than a defined threshold. This approach can generate false positives and, more importantly, false negatives.

To detect Kerberoasting in a better way, I've created a query by using time series functions in KQL. The query analyses service ticket requests and…


There has been an interesting idea for detection engineering recently. It is about developing detection in a DevOps way by using CI/CD pipelines. As I have some experience with this approach, I’ll try to shed some light on it and answer the question “do we really need it?”.

Working in a DevOps way with CI/CD pipelines requires development (DEV), acceptance (UAT), and production (PROD) environments. The way of working is simply as follows:

  1. You develop your code and test it in the development environment. …

I have been reading and watching a lot of content about threat hunting for quite a while now. However, something regarding the threat hunting process is not very clear to me. The common threat hunting process is more or less as follows:

Based on this process, each hunting investigation results in one of the following:

  • Uncover new TTPs
  • Respond to an incident
  • Improve/Enrich Analytics (develop detections)

What if it is not possible to improve analytics; in other words, it is not possible to develop an automated detection mechanism? Should we just leave the hypothesis and not address it anymore? …


Email is the most used vector for both malware distribution and phishing. As I promised in my Phishing Hunting guide, in this post I will go into ways of threat hunting and detection using email logs.

Unfortunately, email gateways don’t produce enough information to be used for hunting purposes. Sometimes, even the logging mechanism is terrible. Despite the difficulties, there are still some ways to hunt and detect attacks. The information that can be used for hunting includes Sender IP, Sender Domain, Sender Address, From Address, Recipient Address, Recipient Domain, URL Info, Attachment Info, and Size.


After the SANS data breach, I decided to write a post about phishing attack detection and hunting.


As you all know (or you should know!), the main goals of phishing attacks are to steal credentials, run malware on the victim’s machine for malicious purposes, or make configuration changes for malicious purposes. To achieve these, attackers use some methods like tricking users into clicking a link, or downloading and opening an attachment. A more recent one is to trick the victim into giving consent to an OAuth app. Each method has its own mechanisms.

Now, let’s have a closer look at…
