PARTH

@_robon_

Followers
344
Following
25K
Media
87
Statuses
632

Highly skilled and highly sophisticated;

::internet
Joined October 2016
@_robon_
PARTH
7 months
Are you having trouble converting Sigma rules in Qualys Query? I developed the pySigma backend for Qualys, which simplifies the process.
github.com
pySigma backend and pipeline for Qualys Query Language - FourCoreLabs/pysigma-backend-qualys
0
0
1
@_robon_
PARTH
8 months
Compiled a comprehensive Windows Event Log cheatsheet mapping 35+ critical Event IDs to MITRE ATT&CK TTPs! #ThreatHunters #adversary #InfoSec #WindowsSecurity #DFIR
0
1
2
@_robon_
PARTH
8 months
I've just published a comprehensive guide on detecting Pass-the-Hash attacks in Windows networks. The guide covers key indicators, real-world examples, and practical defence strategies. Check out the full blog!
0
0
0
@_robon_
PARTH
8 months
In Active Directory, unmanaged workstation logon permissions can be a goldmine for attackers, enabling lateral movement and targeting high-privilege user sessions. Check out my blog for more info.
0
0
0
@_robon_
PARTH
8 months
Last year, I explored how Windows' network diagnostic utility could be exploited to load malicious DLLs through the UtilityFunctions.ps1 script. Finally sharing it with you all!
0
0
0
@_robon_
PARTH
9 months
Lateral movement is fundamentally all about identifying and hunting for high-privilege users.
0
0
1
@_robon_
PARTH
10 months
Considerations:
- Set thresholds for the number of accesses within a certain period to reduce false positives, adjusting based on baseline activity levels.
- Configure alerts to notify the security operations team via email or a central dashboard immediately.
1
0
0
@_robon_
PARTH
10 months
- Alert when the registry path is accessed by any process other than WinSCP.exe.
- Alert if there are multiple accesses within a short timeframe, which could indicate a brute force attempt or scanning activity.
1
0
0
@_robon_
PARTH
10 months
Enable Windows registry auditing (Event ID 4657) to track changes or access, capturing details such as the accessing process, time, and what was modified.
1
0
0
@_robon_
PARTH
10 months
WinSCP: WinSCP stores session information and potentially sensitive credentials in the Windows Registry under the path: HKCU\Software\Martin Prikryl\WinSCP 2
1
0
0
@_robon_
PARTH
10 months
Configure the SIEM to trigger alerts when there are unauthorized or anomalous read, write, or modification events on sitemanager.xml and recentservers.xml.
1
0
0
@_robon_
PARTH
10 months
Enable detailed file access auditing through Windows event logs (Event ID 4663) to capture the accessing user account, process name, and the exact time of access.
1
0
0
@_robon_
PARTH
10 months
FileZilla: FileZilla stores FTP credentials in configuration files, which can expose sensitive data on your FTP servers to potential attackers.
- File path: %APPDATA%\FileZilla\recentservers.xml
1
0
0
@_robon_
PARTH
10 months
The key targets in this case are:
1. FileZilla FTP Credentials: Parsed from configuration files stored locally.
2. Chrome Cookies: Extracted from Chrome's SQLite database.
3. WinSCP FTP/SSH Credentials: Retrieved from registry values.
1
0
0
@_robon_
PARTH
10 months
Detection Techniques for Lumma Stealer and Credential Theft in GitHub Phishing Campaigns.
1
0
0
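The thread above (displayed newest-first) describes three detection rules for the FileZilla and WinSCP credential targets: alert when the objects are touched by a process other than the legitimate client, alert on bursts of accesses within a short window, and tune thresholds against baseline activity. The following is an added worked example of that logic run over constructed Windows Security events; it is not code from the author's blog or the pySigma backend. One practitioner caveat reflected in the code: Event ID 4657 fires only when a registry value is modified, so reads of the WinSCP key by a stealer are seen as Event ID 4663 with ObjectType "Key" once a SACL is set on the key, and in both event types HKCU appears as \REGISTRY\USER\<SID>, so the rule matches on the subkey path. The expected process names (filezilla.exe, winscp.exe), the 60-second window, the threshold of 3 and the sample SID are assumptions chosen for the example.

```python
"""Detection logic for FileZilla/WinSCP credential-access events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Targets named in the thread.
FILEZILLA_FILES = {"sitemanager.xml", "recentservers.xml"}
# HKCU\Software\Martin Prikryl\WinSCP 2 shows up in 4657/4663 as
# \REGISTRY\USER\<SID>\Software\Martin Prikryl\WinSCP 2\..., so match the subkey only.
WINSCP_SUBKEY = r"software\martin prikryl\winscp 2"

# Assumption: these are the only processes expected to touch each target.
EXPECTED_PROCESS = {"filezilla": "filezilla.exe", "winscp": "winscp.exe"}

# Assumed burst parameters; tune against your own baseline (see "Considerations").
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3


def target_of(event):
    """Return 'filezilla', 'winscp' or None for one 4663/4657 record."""
    obj = event["ObjectName"].lower()
    if event["EventID"] == 4663 and event.get("ObjectType") == "File":
        if PureWindowsPath(obj).name in FILEZILLA_FILES:
            return "filezilla"
    # 4657 is always a registry value modification; 4663 on a key needs ObjectType "Key".
    if event["EventID"] == 4657 or (event["EventID"] == 4663 and event.get("ObjectType") == "Key"):
        if WINSCP_SUBKEY in obj:
            return "winscp"
    return None


def detect(events):
    """Apply the untrusted-process and burst rules; return alerts in time order."""
    alerts = []
    recent = defaultdict(deque)  # (target, process) -> timestamps inside BURST_WINDOW
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        target = target_of(ev)
        if target is None:
            continue
        proc = PureWindowsPath(ev["ProcessName"]).name.lower()
        ts = ev["TimeCreated"]
        base = {"time": ts, "user": ev["SubjectUserName"], "process": proc,
                "target": target, "object": ev["ObjectName"], "event_id": ev["EventID"]}
        if proc != EXPECTED_PROCESS[target]:
            alerts.append({"rule": "untrusted_process", **base})
        window = recent[(target, proc)]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            alerts.append({"rule": "burst", "count": len(window), **base})
            window.clear()  # alert once per burst, not on every further access
    return alerts


def _ev(when, event_id, obj, proc, obj_type=None, user="alice"):
    """Build one constructed event shaped like the fields of 4663/4657."""
    e = {"TimeCreated": datetime.fromisoformat(when), "EventID": event_id,
         "ObjectName": obj, "ProcessName": proc, "SubjectUserName": user}
    if obj_type:
        e["ObjectType"] = obj_type
    return e


# Constructed sample log, not real telemetry.
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
_WINSCP_KEY = rf"\REGISTRY\USER\{_SID}\Software\Martin Prikryl\WinSCP 2\Sessions\prod"
SAMPLE_EVENTS = [
    _ev("2024-09-10T09:00:00", 4663, r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml",
        r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "File"),          # benign
    _ev("2024-09-10T09:05:12", 4663, r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "File"),     # untrusted
    _ev("2024-09-10T09:06:00", 4657, _WINSCP_KEY,
        r"C:\Program Files (x86)\WinSCP\WinSCP.exe"),                               # benign edit
    _ev("2024-09-10T09:07:00", 4663, _WINSCP_KEY, r"C:\Windows\System32\rundll32.exe", "Key"),
    _ev("2024-09-10T09:07:03", 4663, _WINSCP_KEY, r"C:\Windows\System32\rundll32.exe", "Key"),
    _ev("2024-09-10T09:07:08", 4663, _WINSCP_KEY, r"C:\Windows\System32\rundll32.exe", "Key"),  # burst
    _ev("2024-09-10T09:08:00", 4663, r"C:\Users\alice\Documents\notes.txt",
        r"C:\Windows\System32\notepad.exe", "File"),                                # ignored
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']:%H:%M:%S} {a['rule']:<17} {a['process']:<15} {a['target']} {a['object']}")
```

Running it yields four untrusted_process alerts (one for powershell.exe on sitemanager.xml, three for rundll32.exe on the WinSCP key) and one burst alert on the third rundll32.exe access; the filezilla.exe read and the WinSCP.exe value modification produce nothing. In a real pipeline the dictionaries would be populated from the parsed EventData of the Security log, and the thresholds per (target, process) pair would be derived from observed baseline counts rather than hard-coded.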
@_robon_
PARTH
10 months
This time my boi is ready with excel.exe 😂.
@Ozzny_CS2
Ozzny
10 months
Today is the day forsaken is free 🇮🇳. His 5 year ban ends and he is now able to play on Valve events again 😭
0
0
1