Sign in

Cyber Defense Professional. @Cyb3rMonk ( Threat Hunting | Active Defense | Cyber Deception | SOC | SIEM )

This blog is part two of a two-part series focused on C2 beacon detection.

In the previous blog in this series, I explained approaches and problems in network beacon detection.

In this post, I’ll develop an approach and solve the problems as much as possible with KQL and create queries for Sysmon, Palo Alto, and Microsoft Defender for Endpoint. You’ll be able to modify them according to your environment as well.

Continuing with the same example, CS beacon with 15 minutes sleep and 25% jitter, we can calculate the below values for the beacon(these values can be calculated by analyzing…


Let’s Connect | LinkedIn | Twitter

In data science, the majority of the time is spent on cleaning and normalizing the data. Just like in red teaming/pentest activities where preparation/reconnaissance is the most important step, preparation of data is the most important step in data science activities. In this post, I will explain how we can apply some basics of data science to threat hunting and detect suspicious Registry Run keys on a large scale with KQL in Azure Sentinel/MDATP/MDE/M365D. …


In the previous blog in this series, we extracted behavioral TTPs, prepared the attack emulation, and executed it.

It’s time for analyzing the logs, validating/modifying the hypotheses that we generated after reading the report(or generating new ones), generating detection strategies, and developing detections.

Analyzing the Logs

I analyzed the Microsoft Defender for Endpoint logs, but you can check Sysmon or your EDR logs. Although there can be other events generated during the attack, below are the most important ones for me to generate or validate hypotheses:

1. Mounting an ISO image generates the below Registry event:


This blog is part one of a two-part series focusing on TTP extraction, Attack Emulation(Purple Teaming), Log Analysis, Threat Hunting, and Threat Detection using the latest NOBELIUM email-based attack.

Initial access is the most important part of an attack. However, it can be easily ignored by many organizations or defenders because of the “Assume Breach” mindset. In this two-part series, I’ll explain how an attack can be detected during its initial access stage and hopefully change the “Assume Breach” mindset for some of you. The series can be considered as a crash course on the below topics:

  • Extracting behavioral TTPs…


This blog is part one of a two-part series focused on C2 beacon detection.

Beacons or beaconing is the practice of sending short and regular communications from one host to another. As used in malware, this is mostly used to communicate to an external host that a compromised internal host is active, functioning and ready for further instructions. Not all beacons are malicious in nature. There are many benign use cases of beaconing behaviour, such as system time services, software update services, etc.[1]

In the world of malware, a beacon doesn’t have to use regular intervals. As seen in many…


Let’s Connect! | LinkedIn| Twitter

What is your experience with an XDR product? Have you started using one, or are you considering buying one? As a person who has experience with both EDR, SIEM, and a little bit of XDR, I’ll explain what will be the success or failure factor for the XDR products from my perspective.

Forrester has recently defined the XDR as follows:

XDR is emerging due to the value that endpoint detection and response (EDR) brings to incident response and the appetite to pair EDR data with additional telemetry that can’t be captured from endpoints alone. …


Let’s Connect | LinkedIn | Twitter

I’ve explained How to build a Custom UEBA with KQL to Hunt for Lateral Movement in Microsoft 365 Defender in my previous post. The solution covers domain accounts. In this post, I’ll cover Lateral Movement involving local accounts.

Usually, there are a few local accounts in an enterprise. These accounts often have high privileges on many systems. Compromising one account opens all the doors if the password of each local account is the same. Password management tools like Microsoft LAPS usually mitigate this risk. However, mistakes can be made. For example, an administrator can…


Let’s Connect | LinkedIn | Twitter

Identity is the new perimeter, and monitoring of the identities has become crucial for organizations. Since I’ve only seen unsuccessful UEBA implementations so far, I’ve developed my own custom UEBA-like solution using KQL and Microsoft 365 Defender logs to hunt for account anomalies(T1078.002) and Lateral Movement. Depending on the details that Windows logon events have, the logic explained in this post can be implemented on Azure Sentinel and Splunk.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires…


Let’s Connect | LinkedIn | Twitter

In my previous post, I explained how to generate process trees originating from specific processes and find unusual patterns. How about if we could generate process trees and get extra information about these process trees so that we can quickly detect suspicious/malicious activity? Let’s have a look at one of the most common techniques: Scheduled Tasks.

Adversaries create scheduled tasks to achieve persistence. You can detect suspicious scheduled task creations if it’s created in a normal/common. However, if the scheduled task is created by using Windows API or via a misconfigured GPO etc., it…


Let’s Connect | LinkedIn | Twitter

A couple of months ago, I came across some blog posts about detecting threats by analyzing process trees or process parent-child relationships. The idea behind this method is to create process trees and find rare patterns that might be an indication of malicious activity. To make it more clear, let’s have a look at an example:

You open a document you received and click “enable content”. Then, all of a sudden, you get compromised. When you opened the document and clicked “enable content”, here is what happened (in orange):

Mehmet Ergene

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store