Detect Modify Registry with this “Free Splunk” Rule

Detect Modify Registry with this “Free Splunk” Rule Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level…

Stay Ahead of Threats Part 1: A Comprehensible Introduction to Security Operations Center (SOC)

A Comprehensible Introduction to Security Operations Center Cybercriminal activity is among the most significant challenges that humanity will face in the next two decades. In 2019, over 15.1 billion records were exposed. According to Cybersecurity Ventures, the global cost of cybercrime will rise from US$3 trillion in 2015 to US$6 trillion by 2021. Cybercriminals steadily make efforts…

Who is a Threat Hunter and what role do they play?

Who is a Threat Hunter and what role do they play? With the growing technological world, cyberattacks are evolving to be more sophisticated than ever; furthermore, a lack of attention given to cyber threats—due to budget, technology, processes, and above all, the team of experts—has led to an increase in the number of successful malware…

How SIEM Automation Can Improve Threat Management

How SIEM Automation Can Improve Threat Management Let’s see why it is important to know about SIEM Automation. An ocean of data and security alerts is dispatched to organizations on a regular basis. According to the Achieving High-Fidelity Security research by EMA, 92% of organizations were receiving up to 500 events per day, and 88%…

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations

Detect Indirect Command Execution With this Free Splunk Rule

Detect Indirect Command Execution With this Free Splunk Rule Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem…

Install Root Certificate With this Free Splunk Rule

Install Root Certificate With this Free Splunk Rule Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public-key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in…

Indicator Removal

Detect Deobfuscate/Decode Files or Information with this free Splunk Detection Rule

Detect Indicator Removal on Host Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and formats of logs are platform- or product-specific; however, standard operating system logs are captured as Windows events or Linux/macOS files such as Bash history and /var/log/*. These actions may…
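The four detection posts listed above (Modify Registry, Indirect Command Execution, Install Root Certificate, and Indicator Removal on Host) all key on the same host telemetry: Sysmon process-creation (EventID 1) and registry-value-set (EventID 13) events. The following Python is an added illustration, not any of the site’s Splunk rules, and it runs each detection’s core logic over a handful of constructed Sysmon-style events. The field names, the `Event` class, the regexes and the sample command lines are assumptions made for this example; a real rule would be tuned against the noise of your own fleet (for instance, `conhost.exe` is deliberately left out of the indirect-execution list because it appears in nearly every console process tree).

```python
"""Toy host-event detector for the techniques discussed on this page.

Runs four simple rules over constructed Sysmon-style events (EventID 1 =
process create, EventID 13 = registry value set).  Everything here is an
illustrative assumption, not the site's Splunk rules or real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # Sysmon EventID
    image: str               # full path of the acting process
    command_line: str        # process command line (EventID 1)
    parent_image: str = ""   # parent process (EventID 1)
    target_object: str = ""  # registry path (EventID 13)


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\reg.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\upd.exe",
          r"C:\Windows\System32\cmd.exe"),
    Event(13, r"C:\Windows\System32\reg.exe", "",
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(1, r"C:\Windows\System32\pcalua.exe",
          r"pcalua.exe -a C:\Users\Public\payload.exe", r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Windows\System32\forfiles.exe",
          r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c calc.exe"',
          r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Windows\System32\certutil.exe",
          r"certutil -addstore -f Root C:\Users\Public\evil_root.cer",
          r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security",
          r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\notes.txt",
          r"C:\Windows\explorer.exe"),   # benign control event
]

# Autostart keys an adversary commonly writes for persistence (assumed list).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)(\\|\s|$)", re.IGNORECASE)
# Utilities that launch programs without going through cmd.exe (assumed list).
INDIRECT_EXEC_IMAGES = {"pcalua.exe", "forfiles.exe", "wsl.exe", "bash.exe"}
# certutil writing to the Root store installs a new trust anchor.
ADDSTORE_ROOT_RE = re.compile(r"-addstore\b.*\broot\b", re.IGNORECASE)
# Log clearing / journal deletion commands used to remove host indicators.
INDICATOR_REMOVAL_RE = re.compile(
    r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|fsutil(\.exe)?\s+usn\s+deletejournal\b)",
    re.IGNORECASE)


def image_name(e: Event) -> str:
    """Basename of the process image, lower-cased for comparison."""
    return e.image.rsplit("\\", 1)[-1].lower()


def modify_registry(e: Event) -> bool:
    """Write to a Run/RunOnce key, via EventID 13 or via reg.exe's command line."""
    if e.event_id == 13:
        return bool(RUN_KEY_RE.search(e.target_object))
    return (e.event_id == 1 and image_name(e) == "reg.exe"
            and " add " in e.command_line.lower()
            and bool(RUN_KEY_RE.search(e.command_line)))


def indirect_command_execution(e: Event) -> bool:
    """A known proxy-execution utility was started as a process."""
    return e.event_id == 1 and image_name(e) in INDIRECT_EXEC_IMAGES


def install_root_certificate(e: Event) -> bool:
    """certutil adding a certificate to the Root store."""
    return (e.event_id == 1 and image_name(e) == "certutil.exe"
            and bool(ADDSTORE_ROOT_RE.search(e.command_line)))


def indicator_removal(e: Event) -> bool:
    """Event-log clearing or USN journal deletion."""
    return e.event_id == 1 and bool(INDICATOR_REMOVAL_RE.search(e.command_line))


RULES = {
    "Modify Registry": modify_registry,
    "Indirect Command Execution": indirect_command_execution,
    "Install Root Certificate": install_root_certificate,
    "Indicator Removal": indicator_removal,
}


def run_rules(events):
    """Map each rule name to the indices of events it fires on."""
    return {name: [i for i, e in enumerate(events) if rule(e)]
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

Each rule deliberately checks one narrow condition, so the same event can satisfy more than one rule and the benign `notepad.exe` event satisfies none; when porting this to a SIEM, the equivalent of the regex checks is a search over the process command line and registry target fields, with the same noisy-image exclusions applied.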