Introduction In this post we will look at the DCSync OS Credential
Dumping technique targeting domain controllers (T1003.006), the
shortcoming of logs to efficiently detect and investigate this attack,
and how network data provides a better approach....
Hafnium, a state-sponsored APT group, is believed to have potentially
compromised tens of thousands of organizations globally by leveraging
multiple 0-day vulnerabilities (such as CVE-2021-26855, CVE-2021-26857,
CVE-2021-26858, and CVE-2021-27065) af...
Zerologon (CVE-2020-1472) is a vulnerability with a perfect CVSS score
of 10/10 being used in the wild by attackers, allowing them to gain
admin access to a Windows Domain Controller. As more public exploits for
this vulnerability are being published...
The Maze ransomware has recently been making the news due to some
high-profile infections. In addition to requesting, in some instances,
ransoms of 6+ million USD to regain access to the files, the group
behind the malware has also leaked some of the...
Hi David. This is because I still had the old SMB parser enabled in my
environment (it should be disabled), and that parser registers it under
the username meta key. As seen in the below screenshot for the same
dataset, the same meta is extracted und...
Hello Dipin, You could create an application rule on the packet decoder
that matches all the traffic for which you don't want to store the
packets for (such as "did exists" to match all traffic) and then enable
"Stop Rule Processing" and chose "Trunc...
