Description: This genral plan is designed to detect and respond to potential Qbot malware activity by monitoring for specific indicators of compromise (IOCs) associated with this malware. The plan includes steps for investigating the alert, identifying infected hosts and users, and remediating the infection to prevent future Qbot malware infections. …

Abstract: Adversaries can use Login Hooks as a technique to establish persistence and execute malicious code upon user logon on macOS. This white paper explores the mechanism behind Login Hooks, the techniques adversaries use to exploit them, and preventive measures that organizations can implement to protect their systems. …

Introduction: The world is becoming increasingly digital, and with that, the importance of cybersecurity is only growing. Cybercriminals are getting more sophisticated, and their attacks are becoming more targeted, causing significant financial and reputational damage. …

Abstract: In recent years, Advanced Persistent Threat (APT) groups have been increasingly targeting government organizations worldwide. The APT29 group, also known as Cozy Bear, is a well-known Russian state-sponsored group that has been involved in numerous cyber espionage operations targeting government, military, and defense organizations. In this paper, we analyze…

Introduction: Mimikatz is a powerful open-source tool that can be used to extract sensitive information from Windows systems, including passwords and hashes. This tool was created by Benjamin Delpy and is widely used by both penetration testers and cybercriminals alike. …

Abstract: Log retention and rotation policies are crucial for maintaining the integrity of an organization’s data, especially in today’s data-driven environment. However, determining the appropriate policies for an organization can be challenging. In this white paper, we provide a quick guide on how to estimate log retention and rotation policies…

Abstract: Security Information and Event Management (SIEM) systems are critical components of modern security architectures. They provide a centralized platform for collecting, correlating, and analyzing security data from various sources, including network devices, servers, applications, and endpoints. In this paper, I explore the use of SIEM as a data lake…

Exploiting public-facing applications is a common tactic used by adversaries to gain unauthorized access to a system or network. Such applications can include websites, databases, network device administration and management protocols, and other applications with open sockets accessible over the Internet. Adversaries can take advantage of a weakness in the…

Introduction BITS (Background Intelligent Transfer Service) is a Windows service that provides a low-bandwidth, asynchronous file transfer mechanism between machines. BITS is commonly used by updaters, messengers, and other applications that operate in the background, using available idle network bandwidth without interrupting other networked applications. BITS jobs are implemented as…