Steven Dick
### Details A few detections that pull forward suspect process elevation/escalation behaviors - Detect when a low integrity process spawns a high integrity process from user controlled locations - Detect...
### Details This is a generic password spray detection that can be used across all CIM compliant authentication sources. Works based on failure-to-success ratios common with malicious...
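The failure-to-success ratio idea behind this detection, as an added Python example (not the PR's SPL and not the project's code): events are grouped by source, and a source is flagged only when its attempts spread across many distinct accounts and mostly fail, which separates a spray from one user retrying a bad password or a busy shared egress IP. The CIM-style field names (`action`, `user`, `src`, `app`), the sample events and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict


# Constructed sample events shaped like the Splunk CIM Authentication data model
# (action, user, src, app). Made up for this example, not data from the PR.
def _build_sample_events():
    events = []
    # One source tries a dozen distinct accounts once each, then gets one success.
    for i in range(12):
        events.append({"action": "failure", "user": f"user{i:02d}", "src": "203.0.113.7", "app": "vpn"})
    events.append({"action": "success", "user": "user05", "src": "203.0.113.7", "app": "vpn"})
    # A busy but legitimate egress IP: many users, mostly succeeding.
    for i in range(20):
        events.append({"action": "success", "user": f"emp{i % 15:02d}", "src": "198.51.100.20", "app": "vpn"})
    for i in range(3):
        events.append({"action": "failure", "user": f"emp{i:02d}", "src": "198.51.100.20", "app": "vpn"})
    # One user fat-fingering a password: many failures, but a single account.
    for _ in range(8):
        events.append({"action": "failure", "user": "bob", "src": "192.0.2.9", "app": "vpn"})
    events.append({"action": "success", "user": "bob", "src": "192.0.2.9", "app": "vpn"})
    return events


SAMPLE_EVENTS = _build_sample_events()


def spray_candidates(events, min_attempts=10, min_users=5, max_success_ratio=0.2):
    """Group CIM authentication events by source and flag sources whose attempts
    are spread across many accounts with a low success ratio.

    The thresholds are assumptions chosen for the sample data; tune per source type.
    """
    per_src = defaultdict(lambda: {"fail": 0, "success": 0, "users": set(), "success_users": set()})
    for e in events:
        bucket = per_src[e["src"]]
        bucket["users"].add(e["user"])
        if e["action"] == "success":
            bucket["success"] += 1
            bucket["success_users"].add(e["user"])
        elif e["action"] == "failure":
            bucket["fail"] += 1

    findings = []
    for src, b in per_src.items():
        attempts = b["fail"] + b["success"]
        if attempts < min_attempts or len(b["users"]) < min_users:
            # Too little volume, or one account retrying (lockout/fat-finger), not a spray.
            continue
        ratio = b["success"] / attempts
        if ratio > max_success_ratio:
            # Mostly succeeding: a normal shared egress address, not a spray.
            continue
        findings.append({
            "src": src,
            "attempts": attempts,
            "distinct_users": len(b["users"]),
            "success_ratio": round(ratio, 3),
            # Accounts that eventually succeeded from the spraying source: triage these first.
            "success_users": sorted(b["success_users"]),
        })
    return sorted(findings, key=lambda f: (f["success_ratio"], -f["distinct_users"]))


if __name__ == "__main__":
    for finding in spray_candidates(SAMPLE_EVENTS):
        print(finding)
```

Run over the constructed sample, only `203.0.113.7` is returned (13 attempts, 12 distinct accounts, one success for `user05`); the shared egress IP is excluded by its high success ratio and the single retrying user by the distinct-account floor.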
Data sourced from https://hijacklibs.net / https://github.com/wietze/HijackLibs/tree/main. This include file was written mostly programmatically for each DLL in this project and its known/expected load locations. It is rather long, so any...
### Details This PR includes a number of detections written for the O365 Azure Active Directory workload from the universal audit log (o365 management activity). A few of the detections...
### Details A set of detections built to detect anomalous behaviors using the NTLM Operational via organization domain controllers. - https://www.varonis.com/blog/investigate-ntlm-brute-force - https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 Pending https://github.com/splunk/attack_data/pull/887 ### Checklist -...
### Details Mostly focused on bubbling up the various O365 security alerting for both built-in and premium features. ZAP, DLP, Safe Links, Safe Attachments Security & Compliance alerting Report A...
### Details Rewrote the previous tstats based search to work solely on EID7, while using backwards compatible evals/extractions in the detection. It's less efficient because there is no tstats, but shouldn't break...
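How a HijackLibs-style list of expected load locations is applied to Sysmon Event ID 7 (image load) events, as an added Python example covering both the generated include file above and the EID7 rewrite; this is illustrative code, not the project's SPL or the HijackLibs project's own tooling. The catalog entries are constructed and modeled loosely on the repository's YAML (`Name`, `ExpectedLocations` with `%SYSTEM32%`-style placeholders; other fields omitted), the placeholder resolutions assume a default Windows install, and the EID7 events are made up. A loaded DLL whose name is in the catalog but whose directory is not one of its expected locations is reported as a candidate hijack.

```python
import ntpath

# Constructed, simplified HijackLibs-style entries (assumption: the real YAML carries more fields).
CATALOG = [
    {"Name": "version.dll", "ExpectedLocations": ["%SYSTEM32%", "%SYSWOW64%"]},
    {"Name": "dbghelp.dll", "ExpectedLocations": ["%SYSTEM32%", "%SYSWOW64%"]},
    {"Name": "wlanapi.dll", "ExpectedLocations": ["%SYSTEM32%", "%SYSWOW64%"]},
]

# Assumed placeholder resolutions for a default install (not taken from the page).
PLACEHOLDERS = {
    "%SYSTEM32%": "c:\\windows\\system32",
    "%SYSWOW64%": "c:\\windows\\syswow64",
    "%WINDIR%": "c:\\windows",
    "%PROGRAMFILES%": "c:\\program files",
    "%PROGRAMFILES(X86)%": "c:\\program files (x86)",
}

# Constructed Sysmon EID 7 events; only the Image and ImageLoaded fields are used here.
SAMPLE_EID7_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"Image": "C:\\Program Files (x86)\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\version.dll"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\app.dll"},  # not in catalog, ignored
]


def normalize_dir(path):
    """Lower-case, backslash-normalize and expand placeholders so paths compare equal."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    for placeholder, resolved in PLACEHOLDERS.items():
        p = p.replace(placeholder.lower(), resolved)
    return p


def build_index(catalog):
    """Map lower-cased DLL name -> set of normalized expected directories."""
    return {e["Name"].lower(): {normalize_dir(loc) for loc in e["ExpectedLocations"]} for e in catalog}


def check_image_load(event, index):
    """Return a finding for an EID 7 event whose DLL is cataloged but loaded from an
    unexpected directory, or None when the load is expected or the DLL is unknown."""
    loaded = event["ImageLoaded"].replace("/", "\\")
    directory, name = ntpath.split(loaded)
    expected = index.get(name.lower())
    if expected is None:
        return None  # DLL not in the catalog: the detection says nothing about it
    if normalize_dir(directory) in expected:
        return None  # loaded from a known-good location
    return {"Image": event["Image"], "ImageLoaded": event["ImageLoaded"], "expected": sorted(expected)}


def scan(events, catalog=CATALOG):
    """Apply the catalog to a batch of EID 7 events and return all findings."""
    index = build_index(catalog)
    return [f for f in (check_image_load(e, index) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EID7_EVENTS):
        print(finding)
```

On the constructed events only the `version.dll` loaded from the user's Temp directory is reported; the System32 and SysWOW64 loads match their expected locations, and the vendor DLL is absent from the catalog so it is never evaluated. In the real include file the same name-to-location pairing is what the EID7 search compares against, so any placeholder that does not resolve on a host (non-default install drive, relocated Program Files) will surface as a false positive and is the first thing to check when tuning.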
Data for upcoming content submission.
Data for upcoming detection submissions
Detection data for upcoming content submission. Data taken from testing in a production E3/E5 licensed environment, but sanitized. Covers a number of O365 default/premium security feature alerts or changes to...