Introduction CrackMapExec (CME) is a popular post-exploitation framework and penetration testing tool, and it’s frequently used in the field. Although CME is versatile and modular, it has become a target for threat actors exploiting its features for malicious purposes. For that reason, it’s important for blue teams to keep up with…

Threat hunting is a crucial aspect of information security, but measuring its effectiveness can be challenging. In this article, we will explore the good and bad metrics for threat hunting, helping you to understand what works and what doesn’t. Picture threat hunting as a skilled archer. Just as the archer…

This is the second blog of this series which displays the actions that threat actors are taking upon post-exploitation efforts. Just a reminder, these short blog posts come with sanitized artifacts of the intrusion I observed. This is so people can use it for training materials or recreate the investigation…

I am starting these short-form blog posts that aim to provide insights into attackers’ actions once they gain access to a network. Although the intrusions I will cover do not require lengthy reports, they are still useful for understanding the mindset behind the adversaries’ actions. One of my main goals…

Endpoint Detection and Response (EDR) products have become essential to organizations’ cybersecurity strategies. As a result, understanding the telemetry provided by these products is crucial for building additional detections and conducting threat hunting. Having the appropriate logs is important for creating detection rules as well as for responding to detection…

Threat hunting is becoming mainstream, and despite the attention it receives, many people need help to differentiate it from other roles, such as detection engineering. This confusion leads to endless discussions on places like Twitter and Reddit. I wrote this article to share my perspective on what makes threat hunting…

This post will demonstrate how threat emulation can be used for threat hunting. I often use threat emulation to understand the evidence an attack leaves behind upon execution. While there are many use cases for threat emulation, this post will focus on emulating attackers’ techniques to help with threat hunting…

In the previous posts of the series, I covered the basics of threat hunting and the core competencies a threat hunter should have. This post will show you the structural process I follow for threat hunting. Anyone who works solely as a threat hunter understands how chaotic the task can…

Continuing with the second post in this series, I felt it was necessary to address the skills and knowledge required to become a threat hunter before diving into the threat hunting process. This article will hopefully assist people in understanding the different areas that they might need to work on…