Customers frequently ask me about malware that uses domain fronting and
how to detect it. Simply put, domain fronting is when malware or an
application pretends to be going to one domain but instead is going
somewhere completely different. (Mitre ATT...
In line with some of my other integrations, I recently decided to also
create a proof-of-concept solution on how to integrate RSA NetWitness
meta data into an ELK stack. Given that I already had a couple of Python
scripts to extract NetWitness meta v...
Eric Partington mentioned on his recent post Log - Sysmon 6 Windows
Event Collection that a lot is being said about the use of Sysmon with
logging solutions. As Incident Responders or even as simple malicious
activity hunters one of the key sources o...
Hi, I recently found out that several people use this script regularly
and some have even tweaked or updated it, so it seems logical that we
have a place to host it and share ideas about it. Hopefully this will be
that place, I may look at moving the...
As @WilliamMotley1 mentioned headerCatalog() was not supported and has
now been discontinued, with that in mind, I've updated the rules to make
use of the customHeaders() option in HTTP_lua_options.lua instead, as
partially shown below: The list will...
The following CyberChef recipe may help with command extraction from IIS
Exchange Logs:
https://gchq.github.io/CyberChef/#recipe=Filter('Line%20feed','/ecp/default.aspx',false)Fork('%5C%5Cn','%5C%5Cn-----%5C%5Cn',false)Find_/_Replace(%7B'option':'Reg...
Quick update: We are aware of the following session DEF CON Safe Mode -
Erik Hunstad - Domain Fronting is Dead, Long Live Domain Fronting Using
TLS 1.3 - YouTube With the provided detection details we have added this
detection to the TLS_Lua Live par...
Hi Richard, Well spotted and great use of the tool It's to do with
the Customer Experience Improvement Program that can be disabled under
Admin > System > Info. It seems to default *on* instead of *off* but I
will let others comment on that. Hope t...
