Splunk is arguably one of the most popular and powerful tools across the security space at the moment, and for good reason. It is an incredibly powerful way to sift through and analyze big sets of data in an intuitive manner. SPL is the Splunk Processing Language which is used to generate queries for searching through data within Splunk. The organization I have in mind when writing this is a SOC or CSIRT, in which large scale hunting via Splunk is likely to be conducted, though it can apply j...| Posts on br0k3nlab
The farm is growing! A new way to live off the land, in this case, by blending in with it. What is LoFP? Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic.| br0k3nlab
Security efficacy has diminishing value, at some point, as rule quantity grows
Rule count is not an absolute measure of successful coverage
Coverage is not an absolute measure of security
Alert count has an inverse relationship with their manageability
Threats are not static
Security posture is temporal and so only instantaneously representative| br0k3nlab
Abstract
The Zen of Python does a perfect job of succinctly capturing guiding principles for development via 19 aphorisms. This is the zen of writing security rules, for fostering high-quality, high-efficacy rules as simply as possible.
The Zen of Security Rules
almost all points from the Zen of Python are applicable to security rules - start there
favor inclusion-by-exception over exclusion-by-exception, or else endure perpetual whack-a-mole
have a propensity towards performance; expensive rules...| br0k3nlab
2024
BSidesOK 2024: Rolling your own Detections as Code
2023
DEFCON 31 Cloud Village: Google Workspace Red Team Automation with SWAT
TROOPERS 2023: Homophonic Collisions: Hold me Closer Tony Danza
BSidesSATX 2023: Homophonic Collisions: Hold me Closer Tony Danza
2022
Webinar: Tidal Cyber: We've Got This Covered: An ATT&CK Introspection with Elastic
2019
SANS DFIR Summit 2019 (sponsored) Lunch and Learn: Chopping Down a Dense Forest of Teleme-Trees: Making Telemetry Work for You
2017
Rackspace So...| br0k3nlab
This is a non-exhaustive list of executables associated with a top RMM list, correlated against observations for unique executables. Wildcard (*) patterns are used to generalize random values (and to sanitize).
Windows
Ninja RMM
executable                                                code_signature.subject_name
C:\Program Files*\*\NinjaRMMAgentPatcher.exe              NinjaRMM, LLC
C:\Program Files*\NinjaRMMAgent\NinjaRMMAgentPatcher.exe  NinjaRMM, LLC
C:\ProgramData\NinjaRMMAgent\ninjarmm-cli.exe
C:\Program Files*\*\...| br0k3nlab
REx: Rule Explorer and DETR
REx: Rule Explorer is a collection and breakdown of several of the most popular open security detection rules for analysis and exploration, enabled by the powerful search and visualization capabilities of the Elastic stack! The Detection Engineering Threat Report (DETR) is the visual component of the REx project, where the data speaks for itself, with minimal interpretive narration.
LoFP
Living Off the False Positive: Living off the False Positive is an autogenerat...| br0k3nlab
EQL ES|QL KQL
{
  "company": { "name": "Elastic" },
  "education": [
    { "degree": "BBA - Cyber Security", "school": "UTSA" },
    { "degree": "MSIT - Cyber Security", "school": "UTSA" }
  ],
  "event": { "category": "human" },
  "experience": {
    "former_companies": [ "US Army", "DoD DHA", "Rackspace Managed Security", "Endgame" ]
  },
  "human": {
    "about": "learner, breaker, maker, tinkerer",
    "name": { "first": "Justin", "last": "Ibarra" }
  },
  "lifts": { "weights": true, "heavy": true },
  "team": { "current": { "n...| br0k3nlab
(originally posted on github)
The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
If the software is not used in the environment:
  could it be legitimate by a random employee?
  is it an attacker BYOL?
  even so, all occurrences could probably be considered suspicious
If it is used in the environment:
  is every use of it legitimate? Probably not
  this also creates significant living off the land (LOL) opportunity
  some occurrence...| br0k3nlab
Event category and field distribution over ATT&CK techniques
Analysis of Elastic detection-rules, showing event types and field distribution per technique. The full results are represented in the file below (fields_by_technique.json).
The structure is:
"library": {                                 # event.category (generic if event.category not defined)
  "fields": {                                # field distribution for that event.category within that technique
    "dll.code_signature.status": "100.00%",  # field with percentage
    "dll.code_signature.trusted": "1...| br0k3nlab.com
The REx project is a collection and breakdown of several of the most popular open security detection rules for analysis and exploration, enabled by the powerful search and visualization capabilities of the Elastic stack! The docs can be found at rulexplorer.io. The Detection Engineering Threat Report (DETR) is the visual component of the REx project, where the data speaks for itself, with minimal interpretive narration.
What is the purpose of the REx project?| br0k3nlab.com