This blog was originally written by me and posted by Red Canary. Detection engineers are frequently beset with the challenge of detecting a technique for which optics are poor, non-existent, or difficult to collect at scale. …

Introduction This past week I briefly talked about Process Access data within a talk that Olaf and I gave at ATT&CKCON 3.0 (YouTube link isn’t live yet). During this presentation I talked about the significance of this sub-data source and what it meant to defenders. My portion was heavily focused on…

Introduction The Elastic Research team recently released work surrounding stripping the Windows Defender binary (MsMpEng.exe) of its privileges, making it effectively useless. Being that MsMpEng.exe …

Introduction In an attempt to understand access tokens at a deeper level as of late, I have come across a couple of members within the TOKEN structure that have connected some dots for me. They are not novel findings, but I hope these findings help someone else, as they have me…

Impossible to spoof, process integrity levels dictate trust between securable objects, offering defenders great visibility into privilege escalation. — This blog was originally written by me and posted by Red Canary. In this second installment of our Better know a data source series, we’re showcasing process integrity levels. Integrity levels define the trust between process/thread and another object (files, processes, threads) and help control what that object can or…

Story was first released on the Red Canary Publication. MSRPC to ATT&CK is a one-stop shop for learning more about Remote Procedure Calls, how adversaries abuse them, and how you can detect related malicious activity. Microsoft Remote Procedure Call (MSRPC) is an interprocess communication protocol mechanism that adversaries can abuse…

Introduction: A common issue within the investigation process is alert fatigue. Alert fatigue leads to the delay of incident handling and/or alerts being lost or passed over due to the high volume of events being funneled to analysts. To combat this issue, many organizations attempt to classify events within the detection…

Introduction The term evasion is derived from the Latin word “evadere” which means — “To escape, to get away.” The DOD defines evasion as — “The process whereby isolated personnel avoid capture with the goal of successfully returning to areas under friendly control.” Fairly often I come across a post on…

Written by: Jonathan Johnson and Matt Hand Introduction Capability Abstraction has been adopted as one of the core components of the research phase within the detection engineering process at SpecterOps. …