Ifu see 4738 OR 4742 with ALL Changed Attribs equal to "-" (almost 0 in normal behavior), then its strong evidence of DACL based attacks (manipulating ACEs and AD specific Objects's Rights) Powerview\Add-DomainObjectAcl| Set-DomainObject|Set-DomainObjectOwner #threathunting #dfir

QRadar SIEM Sysmon App comes by default with almost 80 use cases, for those planning to adopt it, here you can find the needed events mapped to use cases' description 👉goo.gl/hWRCih #threathunting #SIEM #Sysmon #Qradar #DFIR

[Credential Access] - short write-up explaining one way to detect malicious programs dumping browser's saved credentials or permanent cookies 👉 blog.menasec.net/2019/04/creden… … #ThreatHunting #DFIR

[Credential Access] - KeePass.exe credential dumping using KeeFarce.exe can be detected using the following SIGMA rule #ThreatHunting #DFIR #SIGMA

The negative impact of Network Level Authentication on Windows Failed RDP Logon Events -> blog.menasec.net/2019/04/the-im… #DFIR #threathunting

Detecting Namedpipe Pivoting using Sysmon blog.menasec.net/2019/04/detect… … #threathunting #DFIR #sysmon

Interesting DIFR traces of .NET CLR Usage Logs blog.menasec.net/2019/07/intere… #DFIR #ThreatHunting #SharpShooter

A starting point to hunt for suspicious usage of Remote Support Tools blog.menasec.net/2019/11/huntin… #threathunting #dfir

Forensics traces of NTDS.dit dumping using ntdsutil utility blog.menasec.net/2019/11/forens… #threathunting #dfir

blog.menasec.net/2020/08/new-tr… #ThreatHunting

Discovering Windows Registry Symbolic Links using Sysmon blog.menasec.net/2020/09/discov…

Hunting for T1078.003 - Local Accounts and Groups Changes using Sysmon blog.menasec.net/2020/09/huntin… #ThreatHunting

good understanding of the offensive technique, filtering out normal behavior while in the same time balancing detection resilience, alert context and performance impact are key concepts for detection engineering. blog.menasec.net/2020/11/how-to…

📌How to Design Abnormal Child Processes Rules without Telemetry by MENASecurity [BLOG]➡️ blog.menasec.net/2021/01/how-to… #ThreatHunting #BlueTeam #security #DFIR

Hunting for Suspicious Usage of Background Intelligent Transfer Service (BITS) blog.menasec.net/2021/05/huntin… #ThreatHunting

Integrating process protection level information into all #EDR #Sysmon events. As suggested by MENASecurity in blog.menasec.net/2022/04/auditi… using Win API instead of checking RunAsPPL registry key (which seem to apply only to lsass) #dfir #threathunting github.com/0xrawsec/whids

Just pushed the code to embed process protection level in severa events of our #opensource #EDR #dfir #threathunting github.com/0xrawsec/whids thanks to MENASecurity for the idea

We just released 1000+ yara rules and 200+ endpoint behavior rules github.com/elastic/protec…