In today's interconnected world, cyber adversaries are increasingly targeting and exploiting Internet-facing appliances and devices with unconventional or restricted operating systems. A pressing concern for users is whether it's possible to perform a compromise...
How to scan Docker images using THOR – Part 1
In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case: Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!Prerequisites Docker image...
How to scan ESXi systems using THOR
More and more often, adversaries target and exploit Internet-facing appliances or devices with exotic or restricted operating systems. Users ask if there is a way to run a compromise assessment scan on these systems with the YARA rules used in THOR. Following up on...
Antivirus Event Analysis Cheat Sheet v1.4
Download the newest version of our Antivirus Event Analysis Cheat Sheet here. --- Update 09.09.18 10:30am CET Thanks to Markus Neis, I've updated version 1.4 and created a version 1.5 just a few hours after my tweet. You can download version 1.5 here.
SPARK uses Sigma Rules in Eventlog Scan
Sigma is a rule format for threat detection in log files. It is for log data what "Snort rules" are for network traffic or "YARA signatures" are for file data. It is easy to write and read. Writing a Sigma rule is a matter of minutes. On the right you can see a simple...
How to Write Sigma Rules
Sigma is an open standard for rules that allow you to describe searches on log data in generic form. These rules can be converted and applied to many log management or SIEM systems and can even be used with grep on the command line. In this article I'd like to give...
How to Fall Victim to Advanced Persistent Threats
During the last four years, I was engaged on incident response teams for several large advanced persistent threat (APT) cases involving different German corporations. In this time, we have developed methods and tools to detect compromised systems, while also planning...