Mehmet Ergene @Cyb3rMonk Twitter profile

Pinned Tweet

Mehmet Ergene

7 months

💥"Hands-On Kusto Query Language (KQL) for Security Analysts" Course is Now Live! Use the code "BLU2023" at the checkout! #KQL #threathunting #dfir #microsoftsentinel #microsoftdefender #DataScience

Hands-On KQL for Security Analysts

Learn Kusto Query Language (KQL) for security analysis and incident response in a hyper-realistic lab environment with real logs!

academy.bluraven.io

7

25

102

Last Seen Profiles

@W_zero_x

@Nahochie

@JenningsCh43490

@breathlessx22

@EstefaniaOS

@RoninElWolf

@ENTpIus

@braylen_tanner

@dak_daze

@msrkmywrds

@GaryGoldsmithX

@steadycruise

@nseporcena

@LB3912155289053

@malumope

@RealMonaim

@oranghutankun

@GlorityFR

@MZinopoulou

@BrianHolthus

@MaesSafaa11506

@HeatherBan45832

@mothfred

@jjodx

@subdere_arica_

@enacaiin

@HayleeAnise

@_peeboy

@A3nzix

@hijabjilbab1

@LandonKuhn4

@angiesez

@coachnlansdell

@jorja14991293

@josephanyaa

@pizza_jhut

Mehmet Ergene

@Cyb3rMonk

2 years

What do you do for your mental health? #infosec

305

43

390

Mehmet Ergene

@Cyb3rMonk

3 years

Ransomware in an hour: CVE-2021-44228(log4j) + CVE-2021-42287(NoPac/SAMAccountName spoofing) 👀

6

94

403

Mehmet Ergene

@Cyb3rMonk

3 years

If you want to create a baseline for Rundll32.exe, here is a list of default commands and their descriptions:👇 #ThreatHunting #Rundll32 #T1218 #MITRE

0

143

375

Mehmet Ergene

@Cyb3rMonk

11 months

I'm happy to introduce AC&CD! You are detecting the wrong C2 beaconing traffic(and I was, too, long ago), so I've fixed it and put it in a Jupyter Notebook! Wanna detect Cobalt Strike, Sliver, Mythic, and all known C2 frameworks' beaconing? #ThreatHunting

GitHub - Cyb3r-Monk/ACCD: Active C&C Detector

Active C&C Detector. Contribute to Cyb3r-Monk/ACCD development by creating an account on GitHub.

github.com

9

127

361

Mehmet Ergene

@Cyb3rMonk

3 years

When my data gets stolen, why does the government get the money as a fine from the organisation and pay me nothing?🤔

10

59

329

Mehmet Ergene

@Cyb3rMonk

1 year

As an infosec person, one of my biggest fears is malicious versions of Python packages used for data science or SOC related tasks. Is there an easy way to analyze Python packages for backdoors, etc.?

18

37

337

Mehmet Ergene

@Cyb3rMonk

3 years

Friendly reminder: You can detect NTLM relay attacks

Detecting NTLM Relay Attacks

It is possible to detect NTLM relaying using only logon events. No magic!

medium.com

1

80

332

Mehmet Ergene

@Cyb3rMonk

2 years

Free cyber defense training from @Mandiant experts #threathunting #DFIR

Free Cyber Defense Training | Mandiant

www.mandiant.com

4

90

328

Mehmet Ergene

@Cyb3rMonk

2 years

Automated Incident Response and Forensics Framework from AWS #DFIR

GitHub - awslabs/aws-automated-incident-response-and-forensics

Contribute to awslabs/aws-automated-incident-response-and-forensics development by creating an account on GitHub.

github.com

1

111

320

Mehmet Ergene

@Cyb3rMonk

3 years

Threat Intelligence, TTP Extraction, Atomic Adversary Emulation, Log Analysis, #ThreatHunting and Detection. I've put all of them in a two-part series using #NOBELIUM as an example. I hope you like it. #AzureSentinel #MicrosoftDefender #Sysmon #KQL #DFIR

5

107

295

Mehmet Ergene

@Cyb3rMonk

2 years

Want to detect Cobalt Strike or ALL beacons? I've added data size scoring and improved the score calculations to reduce false negatives. Still, there are some false negative possibilities. I'll work on them next. Stay tuned! #ThreatHunting #DFIR

GitHub - Cyb3r-Monk/RITA-J: Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter...

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm. - Cyb3r-Monk/RITA-J

github.com

7

110

289

Mehmet Ergene

@Cyb3rMonk

3 years

If you want to hunt for threats with proxy logs, I have a guide and a cheat sheet. And please, stop focusing only on the EDR telemetry. #ThreatHunting

Threat Hunting and Detection with Web Proxy Logs

As I mentioned in my "detecting and responding to ransomware attacks" post, I created a hunting and detection guide using proxy logs…

link.medium.com

7

114

288

Mehmet Ergene

@Cyb3rMonk

2 years

Want to test BOF but don't have Cobalt Strike? Airbus CERT to the rescue! 🚀 #threathunting #dfir

GitHub - airbus-cert/Invoke-Bof: Load any Beacon Object File using Powershell!

Load any Beacon Object File using Powershell! Contribute to airbus-cert/Invoke-Bof development by creating an account on GitHub.

github.com

1

92

278

Mehmet Ergene

@Cyb3rMonk

11 months

Another attack simulation tool for purple teaming

GitHub - facebookincubator/TTPForge: The TTPForge is a Cybersecurity Framework for developing,...

The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs). - facebookincubator/TTPForge

github.com

2

73

274

Mehmet Ergene

@Cyb3rMonk

2 years

🚨 The DLL Hijacking post is here! It was quite challenging, but I managed to develop something. More to come! #ThreatHunting #DFIR #DLLHijacking #MicrosoftDefender

Detecting DLL Hijacking Attacks — Part 1

DLL hijacking (T1574) is one of the favorite techniques used by attackers. In this post, I’ll explain a method for hunting and detection

link.medium.com

1

75

268

Mehmet Ergene

@Cyb3rMonk

3 years

Detecting PetitPotam and other Domain Controller Account Takeovers Thanks @exploitph ! #ThreatHunting #DFIR #AzureSentinel #KQL #PetitPotam

Detecting PetitPotam and other Domain Controller Account Takeovers

In this post, I’ll explain how to detect a successful PetitPotam or any attack in which the DC certificate is stolen and used.

link.medium.com

4

106

266

Mehmet Ergene

@Cyb3rMonk

2 years

New files are being signed with the stolen #NVIDIA certificate. #Lapsus You can search for the files signed with the stolen cert using the below query in #MDE : DeviceFileCertificateInfo | where CertificateSerialNumber == "43BB437D609866286DD839E1D00309F5" #ThreatHunting #dfir

2

106

262

Mehmet Ergene

@Cyb3rMonk

9 months

My #SANS #DFIR Summit '23 talk "Hunting C2 Beaconing at Scale in the Modern Age" is now available on YouTube! #ThreatHunting

Hunting C2 Beaconing at Scale in the Modern Age

As organizations continue to adopt new applications and services, more network traffic is beginning to resemble beaconing activity. Furthermore, threat actor...

www.youtube.com

1

59

260

Mehmet Ergene

@Cyb3rMonk

11 months

Not many people know there are ways to detect DLL Side-Loading and other hijacking attacks. This is just one way, there are other alternatives 😎 #ThreatHunting

Detecting DLL Hijacking Attacks — Part 1

DLL hijacking (T1574) is one of the favorite techniques used by attackers. In this post, I’ll explain a method for hunting and detection

posts.bluraven.io

1

86

251

Mehmet Ergene

@Cyb3rMonk

1 year

Finally, a detailed blog on Microsoft Sentinel Workbooks! It was incredibly hard to find such information.

Advanced Workbook Concepts with Workbooks 202

Looking to advance your knowledge in Workbooks? You'll find some great content here.

techcommunity.microsoft.com

8

60

236

Mehmet Ergene

@Cyb3rMonk

2 years

This is a masterpiece #ThreatHunting #DFIR #threatintelligence

4

60

233

Mehmet Ergene

@Cyb3rMonk

3 years

Want to detect NTLM Relay Attacks? #ThreatHunting #DFIR #MicrosoftSentinel #AzureSentinel #MicrosoftDefender #NTLM

Detecting NTLM Relay Attacks

It is possible to detect NTLM relaying using only logon events. No magic!

link.medium.com

0

90

231

Mehmet Ergene

@Cyb3rMonk

1 year

SOC analysts, How do you make sure an alert is a false positive? How confident are you when making the false positive decision? What makes you more confident or provides confidence? #DFIR

40

36

231

Mehmet Ergene

@Cyb3rMonk

6 months

SOC Analysts, What is the first thing you do when you start investigating an alert/incident?

102

19

218

Mehmet Ergene

@Cyb3rMonk

3 years

C2 beacon detection for everyone, especially for small/medium organisations, using jupyter notebook. Coming soon! #threathunting #DFIR

4

23

217

Mehmet Ergene

@Cyb3rMonk

3 years

How to detect software supply chain attacks with #Sysmon , #MicrosoftDefender , or any other #EDR : 1. You use specific software in your environment. 2. The software is usually installed on a few servers that have privileges across the environment.

3

68

212

Mehmet Ergene

@Cyb3rMonk

3 years

🚨C2 beaconing detection for everyone 👉RITA-J : #ThreatHunting #DFIR #DataScience #jupyterthon

InfoSec Jupyterthon 2021 - Day 2

Day 2 of the InfoSec Jupytertthon 2021 edition!An open community event for security researchers to share their experience and favorite notebooks with the inf...

www.youtube.com

4

73

210

Mehmet Ergene

@Cyb3rMonk

2 years

This can be quite useful for Live Response in Defender for Endpoint. Since MDE doesn't support YARA, running it manually during live response sounds interesting. #ThreatHunting #DFIR #YARA

GitHub - BinaryDefense/YaraMemoryScanner: Simple PowerShell script to enable process scanning with...

Simple PowerShell script to enable process scanning with Yara. - BinaryDefense/YaraMemoryScanner

github.com

4

65

206

Mehmet Ergene

@Cyb3rMonk

8 months

🚀 Exciting News for Security Analysts! 🚀 I'm thrilled to announce the first-ever "Hands-On Kusto Query Language (KQL) for Security Analysts" training course! 🛡️ Read more 👇 #KQL #Training #ThreatHunting #DFIR #MicrosoftSentinel #MicrosoftDefender

Blu Raven Academy

Elevate your threat hunting, detection engineering, and incident response skills with transformative KQL training courses, featuring hands-on experience in a hyper-realistic lab environment using...

academy.bluraven.io

5

46

202

Mehmet Ergene

@Cyb3rMonk

3 years

If you are trying to detect C2 beaconing using #Sysmon logs, you should be careful. Apparently, TCP socket timeout on Windows has a big impact. By default, the timeout is 120s, meaning that a C2 beacon may reuse the same TCP socket. 1/2 #ThreatHunting #DFIR

Mehmet Ergene

@Cyb3rMonk

3 years

Sysmon experts, Does Sysmon have a bug like logging only the first connection of a process per each destination?

1

2

13

2

57

193

Mehmet Ergene

@Cyb3rMonk

3 years

🚨If you are collecting Windows Firewall events or EID 5156 into #MicrosoftSentinel , I've developed beaconing detection for both of them. Grab it here 👇 #ThreatHunting #DFIR #Beacon

6

72

191

Mehmet Ergene

@Cyb3rMonk

3 years

An easy way to detect #CobalStrike that uses #malleable profile: Most malleable profiles use a legitimate URL host like www\.amazon\.com. 1/4 #ThreatHunting #ThreatDetection #DFIR

1

63

188

Mehmet Ergene

@Cyb3rMonk

9 months

Friendly reminder #ThreatHunting #DetectionEngineering #MITRE

An Alternative Way of Using MITRE ATT&CK® for Threat Hunting and Detection

Using MITRE ATT&CK framework for a better threat detection coverage

medium.com

5

47

189

Mehmet Ergene

@Cyb3rMonk

2 years

Recently finished reading. This is a masterpiece! #threathunting #DFIR

Adversarial Tradecraft in Cybersecurity: Offense versus defense in real-time computer conflict

www.amazon.com

3

24

180

Mehmet Ergene

@Cyb3rMonk

2 years

If you want to learn #KQL (Kusto Query Language), Microsoft has covered you. I'm a huge fan of this training webinar series. Although it covers #Microsoft #Defender , you can apply everything on #MicrosoftSentinel as well. #threathunting

3

46

178

Mehmet Ergene

@Cyb3rMonk

3 years

I haven't explained C2 beacon detections only. I've explained how to perform statistical analysis to find anomalies with KQL as well. Friend link(no paywall) 👇 #AzureSentinel #MicrosoftDefender #KQL #MachineLearning #DataScience #ThreatHunting #DFIR

1

78

178

Mehmet Ergene

@Cyb3rMonk

2 years

Hey DFIR peeps, How often do you need event logs(EDR/Sysmon) during IR engagements? Also, why do you deploy EDR/Velociraptor during an IR engagement? Is it to collect and analyze event logs or let them detect stuff? (I'm talking only about the "logs", not AmCache, etc.) #dfir

20

32

174

Mehmet Ergene

@Cyb3rMonk

1 year

EDRs do not log every process creation, every network connection, every registry modification, and so on. Sometimes they don't need to, sometimes they don't, sometimes they can't. I can assure you at least for MDE. Be wary what you read on the Internet.

10

20

166

Mehmet Ergene

@Cyb3rMonk

3 years

🚨C2 beaconing detection for everyone!🚨 On Friday, I'll be releasing and giving a demo of the Jupyter notebook I just started to develop for C2 beaconing detection. Just your firewall/proxy logs and a piece of code, that's all. Registration 👇

InfoSec Jupyterthon

@jupyterthon

3 years

🚨 By popular demand.. 🥁 The #Infosec Jupyterthon is back! Mark your 🗓️ Dec 2nd & 3rd 2021🙏 A FREE virtual event to share & learn about @ProjectJupyter #notebooks applied to InfoSec ❤️💙💜 🚀 CFP Registration @OTR_Community

7

72

134

2

54

165

Mehmet Ergene

@Cyb3rMonk

3 years

Seems like my old but gold process tree analysis query is able to catch CVE-2021-40444 exploitation. #ThreatHunting #DFIR #AzureSentinel #MicrosoftDefender

0

57

153

Mehmet Ergene

@Cyb3rMonk

9 months

Since it's becoming too much, I've started categorizing GitHub repos when giving a star.

4

8

155

Mehmet Ergene

@Cyb3rMonk

1 year

Next blog is coming #ThreatHunting

5

11

152

Mehmet Ergene

@Cyb3rMonk

3 years

Process command-line monitoring is so powerful that you can even hunt for #phishing URLs. #ThreatHunting #AzureSentinel #KQL #Sysmon #DFIR #T1566

Hunting for Phishing Links Using Sysmon and KQL

In this post, I’ll explain how to perform threat hunting for detecting phishing links using Sysmon and KQL

posts.bluraven.io

1

57

154

Mehmet Ergene

@Cyb3rMonk

1 year

Window functions are amazing! I also shared a query for #cloud account takeover detection. #ThreatHunting #DFIR #DataScience #KQL

Advanced KQL for Threat Hunting: Window Functions — Part 1

Window functions can take your threat hunting and DFIR skills to a next level!

medium.com

1

41

147

Mehmet Ergene

@Cyb3rMonk

3 years

An alternative way of using @MITREattack framework: Many people are counting on the ATT&CK framework. It's not even complete, and it can't be complete. Here is why: 1/7 #CyberSecurity #ThreatHunting #ThreatDetection #DFIR #MITRE #ATTACK

4

44

149

Mehmet Ergene

@Cyb3rMonk

2 years

🚨Detecting Cloud Account Takeover Attacks (Device Code Phishing, etc.) #ThreatHunting #DFIR

Detecting Azure AD Account Takeover Attacks

An easy and generic approach for detecting cloud account takeover attacks using KQL

posts.bluraven.io

5

55

149

Mehmet Ergene

@Cyb3rMonk

3 years

💡If you want to detect post exploitation and have only firewall/proxy logs, you can use RITA-J for C2 beaconing detection 👇 #log4j #Log4Shell

GitHub - Cyb3r-Monk/RITA-J: Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter...

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm. - Cyb3r-Monk/RITA-J

github.com

0

58

147

Mehmet Ergene

@Cyb3rMonk

9 months

We are bringing #DetectionEngineering to #DFIR . With a tiny bit of #DataScience . It's neither #YARA , nor Sigma, btw.😎 #ThreatHunting

2

34

143

Mehmet Ergene

@Cyb3rMonk

1 year

Collecting and parsing almost everything, running #Sigma , #YARA , and #Osquery , and displaying results in an interactive UI with MITRE ATT&CK mapping is finally possible!🔥 (More to come) #DFIR #ThreatHunting

5

44

146

Mehmet Ergene

@Cyb3rMonk

3 years

I just emulated the latest #NOBELIUM phishing attack. HTML file -> ISO -> LNK -> C2 beacon. I'll start writing a blog about not only emulating the attack, but also extracting the TTPs from the @MsftSecIntel 's report and developing detections. Hopefully, it'll be like a training.

2

24

146

Mehmet Ergene

@Cyb3rMonk

7 months

📢 I'm looking for a red teamer who is interested in understanding how threat hunters/detection engineers work, or who wants to switch to that area. Details: I want to see if my training course helps red teamers. - I'll give you a free seat on my course.

Hands-On KQL for Security Analysts

Learn Kusto Query Language (KQL) for security analysis and incident response in a hyper-realistic lab environment with real logs!

academy.bluraven.io

4

37

144

Mehmet Ergene

@Cyb3rMonk

2 years

One of the most common detection engineering mistakes/biases I've observed so far is about brute force. Most of the time, the logic is "if there are X amount of login failures from the same IP/host for the same user, alert". The problem with this logic:🧵 #DetectionEngineering

5

22

144

Mehmet Ergene

@Cyb3rMonk

5 months

Introducing the "Cloud Threat Landscape" — the full cloud security incident database by Wiz Research. #ThreatHunting

Cloud Threat Landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques. Powered by Wiz Research.

threats.wiz.io

1

35

143

Mehmet Ergene

@Cyb3rMonk

2 years

📢 I'll start writing blogs about Windows forensics artifact analysis and finding anomalies/evil using Jupyter Notebook. If you want me to cover something specific, reply to this tweet. Follow @binalyze to get notified when blogs are out! #DFIR #threathunting

3

23

143

Mehmet Ergene

@Cyb3rMonk

2 years

Seems like the same stuff with the new MS-DFSNM attack. You have to use the DC computer account from a machine that's not the DC itself. Detection is easy regardless of the attack as long as the DC computer account is stolen and used. Details👇

Detecting PetitPotam AD CS and other Domain Controller Account Takeovers

In this post, I’ll explain how to detect a successful PetitPotam or any attack in which the DC certificate is stolen and used.

posts.bluraven.io

1

40

139

Mehmet Ergene

@Cyb3rMonk

3 years

Awesome talk and hypotheses for detection! Threat Hunting in Active Directory Environment #ThreatHunting #DFIR

Threat Hunting in Active Directory Environment

Mandiant conducted multiple investigations and observed techniques that attackers preferred as they conducted privilege escalation to move laterally, persist...

www.youtube.com

0

61

140

Mehmet Ergene

@Cyb3rMonk

1 year

Wanna hunt for suspicious DLLs? #ThreatHunting 🤡

3

16

140

Mehmet Ergene

@Cyb3rMonk

2 years

It's updated and has a summary book as well. If 450 pages are too much for you, read the 20-page highlights document. #soc #securityoperations #CyberSecurity #Mitre

11 Strategies of a World-Class Cybersecurity Operations Center | MITRE

For enhancing digital defense by security operations center (SOC) operators, MITRE offers free downloads of 11 Strategies for a World-Class Cybersecurity Operations Center.

www.mitre.org

0

40

138

Mehmet Ergene

@Cyb3rMonk

5 months

I am giving away 1 seat for the "Hands-On Kusto Query Language (KQL) for Security Analysts" course. ✅ Lots of hands-on examples in the lessons ✅ A total of 23 exercises ✅ 2 Investigation scenarios Please Reply, Like AND Repost to participate. The winners will be announced

74

90

133

Mehmet Ergene

@Cyb3rMonk

3 years

An alternative approach of using MITRE ATT&CK framework: #ThreatHunting #ThreatIntelligence #MITRE #DFIR #riskmanagement

An Alternative Way of Using MITRE ATT&CK® for Threat Hunting and Detection

Using MITRE ATT&CK framework for a better threat detection coverage

link.medium.com

0

42

135

Mehmet Ergene

@Cyb3rMonk

3 years

#HAFNIUM I've just created queries for Azure Sentinel (Sysmon) and M365D to detect anomalous network connections made by the servers. @cyb3rops , @ashwinpatil @MsftSecIntel @MSSPete @blueteamblog

1

60

132

Mehmet Ergene

@Cyb3rMonk

1 year

#DFIR folks and #SOC analysts, What are your daily go to tools either for triaging alerts or responding to a true positive alert/incident? Which ones make you faster and more efficient?

16

19

133

Mehmet Ergene

@Cyb3rMonk

1 year

If you want to level up your #threathunting and #detectionengineering , you should read this awesome post by @ditrizna

Architecture of AI-Driven Security Operations with a Low False Positive Rate

This article discusses a mindset on building production-ready machine learning solutions when applied to cyber-security needs

towardsdatascience.com

3

48

128

Mehmet Ergene

@Cyb3rMonk

2 years

Even if the task is hidden, the malicious file it must be run by the task scheduler service which is "svchost.exe -k netsvcs -p -s Schedule". I think this is the most resilient place to perform hunting, especially for network conn. I wrote this last year👇

Hunting for the Behavior: Scheduled Tasks

Incorporating some behavioral analysis into threat hunting to increase the effectiveness.

posts.bluraven.io

Microsoft Threat Intelligence

@MsftSecIntel

2 years

While investigating the forensic artifacts related to threat actor HAFNIUM’s recent activities, Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. Details:

7

175

298

2

32

127

Mehmet Ergene

@Cyb3rMonk

3 years

I'll write a separate blog from a hunting perspective, but you can read a more detailed and awesome post here 👇

How attackers abuse Access Token Manipulation (ATT&CK T1134)

This blog teaches security practitioners how attackers abuse legitimate Windows functionalities to move laterally and compromise Active Directory domains....

www.elastic.co

5

30

128

Mehmet Ergene

@Cyb3rMonk

2 years

Worried about #BruteRatel ? How about detecting the beaconing behavior instead? #ThreatHunting #DFIR

GitHub - Cyb3r-Monk/RITA-J: Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter...

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm. - Cyb3r-Monk/RITA-J

github.com

1

49

124

Mehmet Ergene

@Cyb3rMonk

3 years

What an amazing idea to add an IP address that hosts hundreds of websites as a log4j IOC.

14

120

Mehmet Ergene

@Cyb3rMonk

1 year

This is 🔥🔥🔥 #ThreatHunting #DFIR

Fuzzy hashing logs to find malicious activity

Microsoft Incident ResponseDuring incident response, the investigators aims to find all traces of threat actor activity in forensic logs. We introduce a new..

techcommunity.microsoft.com

1

40

118

Mehmet Ergene

@Cyb3rMonk

2 years

I've included the analysis of @_dirkjan 's krbrelayx and added detection queries both for krbrelayx and @cube0x0 's KrbRelay. #ThreatHunting #DFIR #MicrosoftSentinel #MicrosoftDefender #Kerberos

Detecting Kerberos Relaying Attacks

Detecting Kerberos relaying attacks published by cube0x0 (KrbRelay) and by Dirk-jan (krbrelayx)

posts.bluraven.io

0

35

116

Mehmet Ergene

@Cyb3rMonk

7 months

#threathunting

Insider Threat: Hunting and Detecting | Google Cloud Blog

cloud.google.com

0

24

116

Mehmet Ergene

@Cyb3rMonk

1 year

Many folks use the binning method when developing rules. It's prone to false negatives if not used carefully. Sliding window method is a way better approach. #ThreatHunting #DFIR

Advanced KQL for Threat Hunting: Window Functions — Part 2

Using sliding window functions in KQL for better detection.

medium.com

3

24

114

Mehmet Ergene

@Cyb3rMonk

10 months

Sigma is quite useless to be used as detection rules in practice. The best it can do is to kill your SIEM performance and generate lots of FPs. It also makes you blind about your SIEM capabilities. There might be other use cases where it can shine, though.

John Breth (JB) | CyberInsight® on YouTube

@JBizzle703

10 months

What's your unpopular cybersecurity opinion that gets a reaction like this?

374

88

467

21

9

111

Mehmet Ergene

@Cyb3rMonk

1 year

Amazing! #YARA

Automating Malware Analysis Operations (MAOps) - JPCERT/CC Eyes

I believe that automating analysis is a challenge that all malware analysts are working on for more efficient daily incident investigations. Cloud-based technologies (CI/CD, serverless, IaC, etc.)...

blogs.jpcert.or.jp

2

40

112

Mehmet Ergene

@Cyb3rMonk

3 years

This blog was quite unnoticed. Don't you want to detect Cobalt Strike? 🤔How about beacons of all C2 frameworks? Pro tip: you can implement this in Python using Pandas and NumPy. #threathunting #DFIR #AzureSentinel

Implementing RITA in Azure Sentinel using KQL

In this post, I’ll explain how RITA beacon analyzer works and implement the algorithm in Azure Sentinel using KQL…

link.medium.com

2

37

111

Mehmet Ergene

@Cyb3rMonk

3 months

Open source Threat Informed DetectionOps Platform. The presentation was impressive.

OpenTIDE · GitLab

Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat...

code.europa.eu

2

26

111

Mehmet Ergene

@Cyb3rMonk

3 years

Book recommendation for everyone, especially for SOC analysts, #ThreatHunting , and #DFIR people: "Mastermind: How to think like Sherlock Holmes" The book has repetitive examples as you might see from the the reviews, but it will definitely provide you with new ways of thinking.

0

19

112

Mehmet Ergene

@Cyb3rMonk

1 year

I'm super excited to share that I'll be speaking at SANS #DFIRSummit 2023! You might be hunting the wrong beacons, and I'll show why. I'll also share a cool #DFIR tip. There might be some tips for red teamers as well! 🤓 #ThreatHunting #redteam @sansforensics @DFIRSummit

2

16

109

Mehmet Ergene

@Cyb3rMonk

1 year

Started writing the part two after some procrastination. Just the title for now 🥲

5

12

108

Mehmet Ergene

@Cyb3rMonk

3 years

Serious question: If you have a good #EDR solution, do you think you should perform threat hunting on endpoints? EDRs definitely have gaps about specific techniques, but do they have any gap about detecting an entire attack, like not triggering anything at all? #ThreatHunting

36

19

109

Mehmet Ergene

@Cyb3rMonk

2 years

I love blogs that provide step-by-step instructions. This is an excellent guide if you are into YARA. Thanks, @stvemillertime ! #ThreatHunting #DFIR #MalwareAnalysis

0

34

106

Mehmet Ergene

@Cyb3rMonk

2 years

Still one of the best presentations I've watched so far. It's just 20 minutes, highly recommended. If I have a product, I don't like/want to create basic detections that should already be done by the vendor that I'm paying. @jaredcatkinson #ThreatHunting

Taking Your Detection Program to the Next Level | SANS Cyber Defense...

We’ve gotten really good at collecting piles of data. Our customers send us plenty of it and they think every event from every device is being monitored. Are...

www.youtube.com

4

22

108

Mehmet Ergene

@Cyb3rMonk

2 years

Why do many #DFIR reports lack about network forensics? I don't think finding the C2 address is enough. Why don't you create a timeline using the network data? Like 👇 "C2 comm started with 5min sleep, then was changed to 10sec and data transfer was observed during this period...

10

7

106

Mehmet Ergene

@Cyb3rMonk

1 year

Amazing publication by @WithSecure !

EDR bypassing via memory manipulation techniques

Endpoint Detection & Response systems (EDR), delivered by in-house teams or as part of a managed service, are a feature of modern intrusion detection and remediation operations. This success is a...

labs.withsecure.com

0

39

105

Mehmet Ergene

@Cyb3rMonk

3 months

New tool in the arsenal for M365 and Entra ID red teaming #redteam

GitHub - RedByte1337/GraphSpy: Initial Access and Post-Exploitation Tool for AAD and O365 with a...

Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI - RedByte1337/GraphSpy

github.com

1

24

103

Mehmet Ergene

@Cyb3rMonk

2 years

I'd rather have an adversary using Cobalt Strike instead of a custom C2 framework.

4

16

104

Mehmet Ergene

@Cyb3rMonk

8 months

Saturday night fever: If a company has a dedicated team, there is probably an EDR in place. If so, there is no need to develop custom detections for well-known methods/tools. If the company's risk is high, it should focus on methods/tools that the EDR can't detect. These

23

14

103

Mehmet Ergene

@Cyb3rMonk

3 years

I've fully ported RITA beacon analyzer to KQL and will publish a blog soon. I've also some improvements to implement, but they will be in the next iteration. #threathunting #DFIR #CommandAndControl #C2 #KQL #AzureSentinel

1

17

101

Mehmet Ergene

@Cyb3rMonk

2 years

I keep saying #Cybersecurity is a data problem. If you have the right data which is consistent across all different products AND you have the right tools to analyse and transform the data (searching is NOT enough!), there is hope. by @anton_chuvakin

Left of SIEM? Right of SIEM? Get It Right!

This post is perhaps a little basic for true SIEM literati, but it covers an interesting idea about SIEM’s role in today’s security. I…

link.medium.com

1

31

97

Mehmet Ergene

@Cyb3rMonk

3 years

Implementing RITA using KQL to detect C2 beacons 👇 #ThreatHunting #DFIR #AzureSentinel #KQL #DataScience #CommandAndControl #Beacon

Implementing RITA using KQL | Threat Hunting & Detection Handbook

RITA is an open-source network traffic analysis tool for detecting C2. In this post, I'll explain how its beacon analyzer works and implement the same algorithm in Azure Sentinel using KQL.

book.bluraven.io

3

36

98

Mehmet Ergene

@Cyb3rMonk

3 years

"Defenders think in lists, attackers think in graphs. As long as this is true, attackers win". Now, open MITRE ATT&CK framework. What do you see? List of tactics and techniques, right? Can you see a graph? If not, can you draw graphs / think in graphs? #ThreatHunting #DFIR

10

19

97

Mehmet Ergene

@Cyb3rMonk

2 years

Appending malicious code into a signed binary without invalidating its signature. 🥶 #DFIR #threatintelligence

Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature...

Research by: Golan Cohen Introduction Last seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information, is back with a simple yet sophisticated infect...

research.checkpoint.com

2

33

96

Mehmet Ergene

@Cyb3rMonk

1 year

If you are popping calc.exe to simulate TTPs, you are doing it wrong. You're basically discarding your AV/EDR's heuristics, behavioral, and ML features and making a wrong statement that the TTP is not covered by your AV/EDR. The same applies to logging as well.

10

8

94

Mehmet Ergene

@Cyb3rMonk

1 year

Attackers think in graphs they said Think like an attacker they said I've become one of them, because why not? Highly recommended (especially if you're on the defensive side)! Thanks @_RastaMouse and @zeropointsecltd ! Now I can share #redteamtips 🤣

3

17

93

Mehmet Ergene

@Cyb3rMonk

3 years

Detecting EDR Bypass: Malicious Drivers(Kernel Callbacks) Credits to @synzack21 #ThreatHunting #DFIR #KQL #MicrosoftDefender #AzureSentinel #EDR

Detecting EDR Bypass: Malicious Drivers(Kernel Callbacks)

Detection of EDR Bypass where a malicious driver is used for removing kernel callbacks.

link.medium.com

1

34

94

Mehmet Ergene

@Cyb3rMonk

3 months

Free #KQL course is coming very soon! No April fools 😎 #KQL #Kusto #free

2

15

93

Mehmet Ergene

@Cyb3rMonk

7 months

🎁 GIVEAWAY TIME! 🎁 - I'm giving away 2 seats for my brand new "Hands-On Kusto Query Language (KQL) for Security Analysts" course! Please follow @BluRavenSec , Comment, and Repost to participate. 👉 Two random winners will be announced on 5 December

Hands-On KQL for Security Analysts

Learn Kusto Query Language (KQL) for security analysis and incident response in a hyper-realistic lab environment with real logs!

academy.bluraven.io

50

81

87

Mehmet Ergene

@Cyb3rMonk

2 years

Seems like you can disable auto mounting of image files. This can have a huge impact on #Ransomware attacks combining with disabled macros. No GPO is available but maybe @Microsoft adds it in the future? Also, gist from @wdormann

Removing mount ISO image functionality by GPO - Microsoft Q&A

For security reasons, I want to diable the Windows 10 functionality mounting ISO image files. Is there any GPO to deactivate the possibility of mounting an image as a drive?

learn.microsoft.com

1

21

89

Mehmet Ergene

@Cyb3rMonk

2 years

Dashboarding apps in Jupyter/Python is the next big thing and it can change the whole #threathunting , #DFIR , and #securityoperations flows. You can watch the recording of my talk on interactive dashboarding with @Panel_org libraries for data analysis 👇🧵

Jupyterthon 2022 Day 2

Day 2 of the Infosec Jupyterthon 2022 Conference

www.youtube.com

2

18

91

Mehmet Ergene

@Cyb3rMonk

3 years

Context is the key! Let's hunt for C2 or Lateral Movement originating from Scheduled Tasks by using #KQL . @ashwinpatil @olafhartong @maarten_goet @Cyb3rWard0g #cybersecurity #threathunting #threatdetection #behavioralanalytics #dataanalysis #datascience

Hunting for the Behavior: Scheduled Tasks

Incorporating some behavioral analysis into threat hunting to increase the effectiveness.

link.medium.com

2

37

89