In the past few months we’ve been busy doing a major overhaul of the Sigma project, which includes rules re-writes, metadata enhancements (titles, descriptions, false positives notes) and much more. Last month we introduced the logsource-guides a new addition that aims to ease the process…

This blog was originally written in February 2022 and update through out the year as vendors responded Introduction Usually when people think of LOLBINs they tend to think of built-in OS only binaries. …

We’re happy to announce a new backend addition to the growing list of PySIGMA supported backends thanks to a community contribution by Cori Smith (7RedViolin). Using the latest and greatest version of sigma-cli you can immediately make use of this backend and start converting SIGMA rules into SentinelOne Deep Visibility…

Introduction At the start of the year, I was doing some research into AV uninstaller tools, understanding how they work, and trying to find misconfigurations and other ways they can be abused I’ve compiled my findings in the repository that I’ll make public soon. One AV uninstaller, in particular, we’ll be…

Part I: Getting Started — Hello and welcome to this brand new blog series that I'm starting where I’ll be looking at some different techniques/tools used in the wild by different actors from the lens of Sysmon and the Windows Event Log and build/showcase available SIGMA rules to detect them. This post will serve as…

While doing some research on persistence, I stumbled upon an interesting technique to persist on a windows machine using Windows Terminal profiles. I’ve tweeted about this technique as the method fits in a single tweet 😅 But I decided to formalize everything in a blog so here it goes. Windows Terminal …

Inspired by Rasta Mouse blog on Notepad++ Plugins for Persistence this blog talks about how to use Fidder Classic extensions/plugins as a persistence mechanism. First a quick definition from the website: Fiddler Classic and fiddler Everywhere are special-purpose proxy server tools for debugging web traffic from applications like browsers. …

Introduction Continuing with the same idea as my last two articles about “F-Secure FSDIAG” and “CyberGhost VPN”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at 360 Total Security Note: This issue has been reported to the 360 Total Security team but no response…

Introduction In the same spirit as my last article about “F-Secure FSDIAG”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at CyberGhost VPN Note: Since the CyberGhost team doesn’t have a vulnerability program, I’ve reported this issue to the support team which they forwarded…