DetectionLabELK
DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blue teams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices for system logging configuration. It can easily be modified to fit most needs or expanded to include additional hosts.
https://github.com/cyberdefenders/DetectionLabELK
#blueteam #detection #elk #lab
MAL-CL — Malicious Command-Line
MAL-CL aims to collect and document real-world and common "malicious" command-line executions of different tools and utilities, while providing actionable detections and resources for the blue team.
https://github.com/3CORESec/MAL-CL
#windows #cli #detection #blueteam #redteam
Important Windows processes for Threat Hunting
https://www.socinvestigation.com/important-windows-processes-for-threat-hunting/
#edr #detection #forensic #process
🛡 On Detection: Tactical to Functional
The goal of this series is to facilitate a conversation about the more technical aspects of attacks and how a deeper understanding at the more foundational levels helps to provide a better base to build assumptions from.
🔗 Part 1: Discovering API Function Usage through Source Code Review
🔗 Part 2: Operations
🔗 Part 3: Expanding the Function Call Graph
#maldev #pinvoke #winapi #detection #blueteam #ttp
📄 Detecting ADCS Web Services Abuse (ESC8)
One of the popular attack vectors against Active Directory Certificate Services is ESC8. This article covers detecting irregular access to exposed ADCS web services, as well as detecting the NTLM relaying itself.
https://medium.com/falconforce/falconfriday-detecting-adcs-web-services-abuse-0xff20-9f660c83cb36
#adcs #detection #esc8 #blueteam