Goblin Loot

Introduction ❗take the time to read the bottom of this page. Proxmox is a virtualisation technology stack that is quickly becoming the go to product solution for organisations looking to heal the wounds left by Broadcoms acquisition of VMWARE. This post aims to equip detection engineers with the knowledge to identify adversary behaviour and implement their own detection logic. This post explores Proxmox deployments on Linux hosts only The content shared in this article is also a demo of Sonny's (puppy) ( https://detection.wiki/labs/ ) initiative to promote more comprehensive sharing of artefacts and audit logs in threat research posts. This initiative aims to provide every reader with the raw logs for each item addressed in the research and the tools to easily upload and test those logs in a kusto cluster without any friction or manually parsing. Explore the systems that make sharing logs with each other important here:  https:...

Dont Use AI  Analyst work is built on the human capacity for creativity, memory recall and information gathering and using so called 'AI Tools' will actively diminish you in these areas. Your ability to form useful thoughts is built on the continued labour of your mind. Each aspect of the labour you endeavour to partake in creates its own unique quality in your own cognition. Your drive connects you to this labour but does not assure you of any benefits. If you ask AI tools to format documents you will get worse at building narratives and if you ask AI tools to process registry modification events you will get worse at pattern recognition.  After slowly reducing the individual minute qualities of your cognition you will one day be asked to solve a difficult problem. You will fail. You will resign the problem as not possible or unfair blinded by the damage you have already done to yourself. People who lack the capacity to understand even turn to frustration and anger but it wil...

Introduction Detection engineering underpins half of the entire cybersecurity industry but remains only ever softly spoken about or kept in some corner of the conference. So I've started this diary to capture the work I do in my roles and demonstrate different best practices implemented into the real world. This diary has five goals set: share with people the complexity of working in detection engineering highlight best practice and how it fits share candid details on inter-team work and break/fix tasks ensure every entry has something that can be used immediately by other people keep the format like diary with no formal structure and a personal tone Note: The content I generate will be sanitised but will avoid high level overviews. I hope other detection engineers enjoy my pain with me and new aspirants become engorged with new ideas. Starting Slowly.. This entry was made at the start of the week and so I spent time running my regular reporting. I run reporting and metrics...

Introduction Tired of watching you and your friends get compromised, do exactly what's in this blog and start beating adversaries. Avoiding the memes adversaries win because of simple mistakes and neglect and we all already know what they are so I'm going to list them for you. Its all for free too. Enumerate To put it simply, there shouldn't be anything you don't know about your environment, you should know who all your users are, where all your electronic devices are and what they do, what applications you have and what versions they are. Enumeration is the jet fuel for making good defensive decisions. I wrote about how to enumerate your environment here  Securing your estate: The First Step (goblinloot.net) . Follow these steps and become the arbitrator of your own environment  Your perimeter is a bridge, not a wall Monitor your perimeter as best as you can but always assume it has already been defeated. Monitor endpoint system and process telemetry and southwest traf...

Introduction Now that I have covered the advanced features obtained from Defender for Cloud and the complexities of Defender for Endpoint with the objective of delivering as much protection as possible to the endpoint, I will now explore how to expand on this greatly and open up even more use cases. Microsoft Sentinel This technology will allow us to unify and correlate data generated by other controls. I have decided to deploy Microsoft Sentinel into 4 primary categories : System Administrator - Asset Uptime, Application Inventory, Device configuration and Troubleshooting Network Engineers - Netflow and session traffic, violations and alerts for potential issues Threat Detection - Analytics and playbooks Threat hunting - Workbooks & Machine learning Using Microsoft Sentinel we can achieve a plethora of incredibly powerful use cases with Defender 365 endpoint data. Below is an illustration of how my SIEM works to enable analysts to prevent and detect threats Data Sources In order t...

 Analysis  In this post, I explain analysis and the associated techniques to mean at the lowest possible level a human’s ability to consume external stimulus of its near-infinite complexity and produce thoughtful and data-backed decisions. Within our industry, we are plagued with information twisted and corrupted by entities wishing to profit, As such this is where your analysis starts as a human. At every moment at every crossroad, you must take a data point and allow it to flower into thousands of other thoughts, then you must evaluate each subsequent thought and draw a line back to “what is already” known, The further away the thought the thinner the line back to known but the greater room the flower to bloom. That is to say don’t discount radical ideas. When presented with an alert security vendors expend significant energy into putting “options” available to the individual reviewing the alert. In general, there will never be an option you should not explore what is key ...

Introduction Continuing on from my last post that captured using Defender for Cloud to gain powerful additional features on top of defender for endpoint to protect your endpoints we are going to take a closer look at Defender for Endpoint itself and extend into some endpoint-specific use cases for Defender for Identity that tie directly back into Defender for Endpoint. Firstly a really important consideration when configuring Defender for Endpoint is that alot of the heavy lifting from a prevention standpoint actually happens in Defender Anti virus. This means that while im going to briefly cover some settings to make sure Defender Anti Virus isnt hindering Defender for Endpoint im going to reserve further Defender Anti Virus controls to the next part in this series. This also of course means that when your doing your own testing just installing the MSSense agent (What you get from the scripts, intune etc) is actually not Defender for Endpoint in its totality so you simply can not m...