Hunt // Detect // Respond
-
Mind the Gap: How Spaces Sabotage Security Detections
When building custom detections, it’s easy to rely on spaces when matching multiple strings or arguments in a command. The problem is that this creates a simple evasion path. This weakness frequently appears in Microsoft Defender for Endpoint (MDE), Microsoft Sentinel, and Sysmon, but it can just as easily impact other tools. KQL At first…
-
Abuse of the Run Dialog: Tactics, Detection, and Hunting
The Run dialog box has been a core feature of the Windows operating system for many years. While it serves as a powerful tool for IT professionals to execute commands quickly and efficiently, it has also been leveraged by threat actors to launch malicious commands—and even entire scripts—with minimal user interaction. Recently, there has been…
-
Hunting for SocGholish Malware
SocGholish is a malware family that disguises itself as a fake software update. Attackers typically compromise legitimate websites and inject SocGholish delivery pages into them. Because users trust the websites they are visiting, they are more likely to believe the fraudulent update prompts are legitimate, unaware that the site has been hacked. The primary goal…
-
Hunting for VPNs in Microsoft Sentinel
Virtual Private Networks such as NordVPN, ExpressVPN, CyberGhost, Surfshark, and ProtonVPN are advertised as tools to enhance internet security. Often, VPN activity is expected from end users seeking to “improve” their privacy. Attackers will often leverage these services to launch attacks that could go undetected. Seeing an IP address from a VPN provider appears far…
-
Balancing life and work
How do you balance work and life in cybersecurity? The harsh truth—you don’t. Written at 12:40 AM, fresh off responding to yet another security incident.