At DerbyCon I had a conversation with Ross Wolf (@rw_access) from EndGame about the capabilities of EQL (Event Query Language) and how to integrate it into other tools. The purpose of this blog is to share the knowledge I gained in that area, along with Python code to help others integrate EQL within their tools.
A month ago, Ruben and I released the first version of DeTT&CT. It was created at the Cyber Defence Centre of Rabobank and built on top of MITRE ATT&CK. DeTT&CT stands for: DEtect Tactics, Techniques & Combat Threats.
In this blog we start off with an introduction to ATT&CK and continue with how DeTT&CT can be used within your organisation.
Over several months we worked together with a number of Dutch financial institutions to create the threat hunting methodology called TaHiTI, which stands for Targeted Hunting integrating Threat Intelligence. You can obtain it from here: https://www.betaalvereniging.nl/en/safety/tahiti.
This will be the last blog in this series on OPSEC for Blue Teams. I will share some of my thoughts on sandboxes, secure communications and sharing of info & data when dealing with a targeted attack.
This second blog in the series on OPSEC for Blue Teams is about testing tools used to get context and/or OSINT on domains and IPs. These tests also produced results that can be interesting for Red Teams.
This is a three-part blog about OPSEC for Blue Teams. This first part expresses some of my ideas about the risk of alerting the adversary and OPSEC for getting OSINT and context on domains and IPs. The second part is about testing tools (I performed tests on PassiveTotal and VirusTotal) which provide context and/or OSINT in relation to OPSEC. The last part will be on sandboxes, secure communications and sharing of info & data when dealing with a targeted attack.
Within this blog post I will explain how JA3 can be used in Threat Hunting. I will discuss a relatively simple hunt on a possible way to identify malicious PowerShell using JA3, and a more advanced hunt that involves the use of Darktrace and JA3.