• Hunting on custom log files with Chainsaw

    The previous posts looked at how we could hunt on forged EVTX files. However, in the course of an incident response or advanced threat hunting, not all logs lie in properly formatted EVTX files. For example, some firewalls export their logs in JSON format, and some applications output XML. On Windows servers, these might eventually reach an event log, but on Linux they will most likely remain as they are. As I don’t like wasting my time, I want to leverage Sigma rules on JSON and XML files. Today, I focus my post on JSON files.

  • Creating EVTX for malicious activity

    The previous post explained my process for developing Sigma rules to detect suspicious activity. A key element in developing such rules is the log file itself. While incident response will provide you with plenty of (large) event logs containing malicious activity, it might be time-consuming to read hundreds of thousands of log lines to find the one you are interested in detecting. Or you might not even have the possibility to get such event logs; for example, a new version of SysMon is released and you would like to test its new capabilities.

  • Developing Sigma rules with Chainsaw

    From my experience, when you find evidence of malicious activity in a log file, there is probably more somewhere else, and the actor is likely to continue using the same tools and techniques unless you detect them. Instead of just looking at lines in a log file, when you discover malicious activity, write a detection rule that can be applied to all your systems for retro-hunting, added to your detection stack for future events, and shared with peers and partners for the greater good.

  • Introducing SynSharp

    Synapse is a collaborative cyber threat intelligence platform provided by Vertex. The platform allows analysts to share a common database for their analysis and reporting.

  • Loops in Jekyll Liquid templates

    This blog is generated using Jekyll and the templating engine is Liquid. I wanted to display var tags = [ tag1, tag2, tag3 ] with the tags of the post at the end of the page. Note that the comma after tag3 is absent.

  • Learning Kubernetes

    I decided to start diving a lot more into Kubernetes, as it appears to be becoming the standard way of deploying web applications. I have a lot to catch up on, as cloud was barely a buzzword when I was a student.

  • Welcome

    I finally set up a central repository for all my notes. I’ll mostly write about cyber security and software engineering.