Germany
3K followers
500+ connections
Activity
-
Teoderick C. shared this: Don’t let a "trusted" format fool you. Threat actors are becoming increasingly creative in how they bypass traditional security layers. A prime example is the BlankGrabber malware. In this campaign, adversaries use a batch script stager that mimics a Base64-encoded certificate. In reality, this "certificate" is a malicious loader designed to: ✅ Evade Detection: It identifies and bypasses sandbox and virtualization platforms. ✅ Deliver the Payload: It successfully deploys the final BlankGrabber Stealer. The Splunk Threat Research Team (STRT) has performed an analysis of this threat. We’ve deconstructed these loaders and the payload to map out the relevant MITRE ATT&CK® tactics and techniques, helping us develop detections and comprehensive detection coverage for these threats. 🙂 🔍 Read the full technical analysis here: https://lnkd.in/dkU5zDgS #CyberSecurity #ThreatIntelligence #Splunk #MalwareAnalysis #MITREAttack #InfoSec #reverseengineering #int3 #detectionengineering #incidentresponse
-
Teoderick C. shared this: The #Splunk Threat Research Team (STRT) has been looking more into XML-based attacks lately. We often think of malware arriving via .exe or .zip files, but the "MMC/MSC XML Runner Loader" technique reminds us that attackers are constantly evolving. What makes this one particularly sneaky? It exploits the current AI hype. 🤖 The malicious .msc file often masquerades as a helpful "AI Prompt Guide" or technical configuration tool. To the average user, it looks like a harmless PDF, but underneath, it’s a malicious loader designed to execute code while staying under the radar of traditional defenses. In this latest blog from the STRT, we provide an analysis of this loader and, more importantly, actionable detection strategies. Continuous learning is the best defense. 🙂 Full article: https://lnkd.in/dnY5SR-J #BlueTeam #CyberSecurityTips #Splunk #TechCommunity #ThreatDetection #MalwareAnalysis #int3 #ReverseEngineering #DetectionEngineering #IncidentResponse
-
Teoderick C. reposted this: 🚀 Releasing the Splunk MCP / LLM SIEMulator (Windows v2) — a fully local Docker lab for AI/LLM security detection development. As AI systems become part of enterprise infrastructure, defenders need practical environments to build and test detections before attackers find the gaps. This tool gives you that environment.
🏗️ What's inside:
• Splunk SIEM + Ollama LLM connected via Model Context Protocol (MCP)
• Promptfoo for OWASP Top 10 LLM red team testing
• OpenWebUI chat interface with AI-powered SPL query generation
• Raw HEC log shipping for real-time event ingestion
• Detection queries mapped to MITRE ATLAS techniques (AML.T0051, AML.T0054, AML.T0043, and more)
🛡️ Use it for:
✅ Developing detections for prompt injection, model exfiltration, and adversarial inputs
✅ Running OWASP LLM security assessments in a controlled lab
✅ Learning how MCP traffic looks in a SIEM
✅ Training blue teams on AI threat patterns — no cloud required
https://lnkd.in/e--4-GyH #ai #strt #cisco #mcp #llm #splunk #splunkthreatresearch
GitHub - rsfl/splunk-mcp-llm-siemulator: A Docker lab integrating Splunk SIEM with Ollama LLM via MCP for AI security operations. Features Promptfoo OWASP evaluation, TA-ollama and TA-mcp-jsonrpc add-ons, dual bind-mount log ingestion, and real-time HEC streaming across six indexes for MITRE ATLAS TTP detection.
-
Teoderick C. reposted this: 🚀 New Blog Alert (Part 2) Part 1 was all about getting the foundation right: building the lab, turning on Cisco Isovalent telemetry (Tetragon + Hubble), and streaming rich eBPF signals into Splunk Enterprise Security. Now it’s time for the fun part — proving what that visibility can actually catch. In Part 2: Splunking Isovalent Data — Attack Simulations and Detections, I run real-world, kubectl-driven attack simulations inside a Kubernetes cluster and validate how Tetragon’s kernel-level visibility turns into high-fidelity detections in Splunk. Each exercise maps back to MITRE ATT&CK for Containers, and highlights why eBPF is such a game changer: you get process lineage, syscall context, and workload-level attribution — the stuff traditional approaches often miss (especially in fast, ephemeral environments).
👉 In this post you’ll see:
- Practical attack simulations you can run in your own lab (kubectl-based)
- What telemetry to look for (ex: process_exec events via Tetragon/Hubble)
- Example Splunk detections + how to hunt them
- Why each behavior matters (and what it usually leads to in real incidents)
🎥 Bonus: I also experimented with AI video tools to create a short demo that summarizes the research — if you prefer a quick visual walkthrough, check that out too. Please hit me up in case you have any questions or need help with setting up something similar for your research! Check it out here - https://lnkd.in/gnTEt2yW 🔐📊 #Kubernetes #CloudSecurity #eBPF #Splunk #Isovalent #ThreatResearch #K8sSecurity #DetectionEngineering #MITREATTACK
Splunking Isovalent Data: Attack Simulations and Detections | Splunk
-
Teoderick C. reposted this: Want a cloud lab environment that's misconfigured on purpose? BadZure deploys #EntraID tenants and #Azure subscriptions populated with exploitable attack paths. Explore cloud tradecraft, run purple team exercises, or build and test your detections! I just shipped a major update: new privesc techniques, expanded Azure coverage, and documentation now live! https://badzure.com
-
Teoderick C. reposted this: This threat actor used Facebook for domain fronting, so that infostealer traffic blends right into normal social media requests. And for whatever reason, the binary contains the exact same payload six times. Not six variants. Not six stages. The same thing, six times... Thought I'd do a quick writeup. Turned out to be 5,000 words. Link in the comments. #CyberSecurity #MalwareAnalysis #ThreatIntel #ReverseEngineering #InfoStealer
-
Teoderick C. reposted this: 🚀 Excited to share: Splunk Attack Range v5 is here! The security community just got a game-changing upgrade to their favourite security lab platform. Attack Range v5 brings cloud-powered security testing to your fingertips with some incredible new capabilities:
What's New in v5:
🌐 Multi-Cloud Support: Now works seamlessly across AWS, Azure, and GCP - deploy your security labs wherever your infrastructure lives
🖥️ Three Ways to Deploy: Intuitive Web UI for quick setups, REST API for CI/CD integration and command line for power users
🔒 VPN-Only Access: Zero public internet exposure - all lab environments are secured behind WireGuard VPN with private IP addressing
⚡ One-Command Setup: Docker Compose gets you up and running instantly - no more complex local installations of Python, Ansible, or Terraform
Why This Matters: Security teams can now:
✅ Build production-like lab environments in minutes
✅ Simulate real-world attacks using Atomic Red Team techniques
✅ Generate authentic telemetry for Splunk detection development
✅ Test purple team scenarios in isolated, safe environments
✅ Automate detection testing in CI/CD pipelines
Whether you're a detection engineer tuning rules, running purple team exercises, or automating security tests, Attack Range v5 gives you a consistent, repeatable platform across all major clouds. The best part? It's completely open source and integrates with the broader Ansible Galaxy ecosystem for unlimited extensibility. Ready to level up your security testing game? 👀 Check out the full guide: https://lnkd.in/daJYTWyQ #Cybersecurity #ThreatDetection #CloudSecurity #SecurityTesting #Splunk #PurpleTeam #DetectionEngineering
-
Teoderick C. reposted this: 🚨 AI agents powered by Model Context Protocol (MCP) are creating a massive security blind spot. While MCP enables LLMs to access databases, filesystems, and APIs, it also introduces threats like SQL injection and privilege escalation that bypass traditional security controls. The Splunk Threat Research Team just released the MCP Technology Add-On to finally provide visibility into these previously invisible AI agent operations. As organizations rush to adopt AI, security teams must adapt—monitor MCP servers, enforce least privilege, and mandate logging for all agent interactions. The full technical breakdown and free TA are available here: https://lnkd.in/eS-ZJGAd #AISecurity #ThreatDetection #Splunk #MCP #CyberSecurity #strt #cisco
When AI Tools Turn Against You: Operationalizing MCP Server Security with the Splunk MCP TA | Splunk
-
Teoderick C. reposted this: Different RAT families, same playbook. 🐀 The Splunk Threat Research Team analyzed 18 malware families and found strikingly similar techniques. Understanding these patterns helps defenders focus on high-impact detection strategies instead of chasing individual threats. Read their analysis: https://splk.it/4tlnwJB #SplunkSecurity
-
Teoderick C. liked this: The FLARE Learning Hub freely distributes quality educational content on reverse engineering and malware analysis from the FLARE team. We are excited to share with the wider security community FLARE’s nearly two decades of experience in instructing thousands of students and professionals across higher education, private industry, government, and premier conferences. Our content emphasizes hands-on practice. Modules include demonstrations and lab exercises that reinforce the material, helping you integrate practical skills into your workflow. The modules are hosted as web-published Google Docs, while the GitHub repository contains all corresponding artifacts, including lab binaries, scripts, and disassembler databases. We are launching today with three modules:
- Malware Analysis Crash Course: An adaptation of our foundational course that teaches the fundamental assembly skills and essential Windows knowledge necessary to begin reverse engineering Windows malware.
- The Go Reverse Engineering Reference: A comprehensive reference for reverse engineering Go executables, including three reference sections: the implementation of Go language features, the Go runtime, and Windows Go executables. Additional Go content, including labs and demos, will be released later in the year.
- An Introduction to Time Travel Debugging (TTD): This module applies WinDbg’s TTD technology to malware triage. TTD is a powerful but underutilized tool that can significantly speed up the analysis process and offer solutions to complex situations involving anti-analysis and obfuscation. This is a full release of content we previously shared through the blog post Time Travel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing Case Study and through the Accelerating Malware Analysis with WinDbg Time Travel Debugging workshop at DEFCON 33.
We plan to publish updates and corrections to existing modules on an ongoing basis. We also have additional modules in the pipeline for the remainder of the year, so check back frequently! 💻: https://bit.ly/48JcDbN
-
Teoderick C. liked this: The top 10 attack techniques from the 2026 CrowdStrike, Red Canary, and Mandiant reports are the same techniques from 2021. From 2019. From years before that. PowerShell. WMI. cmd.exe. RMM tool abuse. Scheduled tasks. Signed binary abuse. They're enumerated in public GitHub repos. They're versioned. They have machine-readable artifacts. And most of them are blockable today with tooling that already ships with Windows. We're not writing detections because we have to. We're writing them because we've convinced ourselves prevention is impossible, while the evidence stacks up in the other direction every single year. The average eCrime breakout time is now 29 minutes. The fastest observed: 27 seconds. At that speed, detect-and-respond isn't a strategy. It's a coin flip. New blog, we pulled the receipts. 👉 https://lnkd.in/ermhemdF
-
Teoderick C. liked this: 🤯 I’ve spent the last few months deep in a major retooling of my own reversing workflow. For a long time, I was stuck thinking I could only work with what the decompiler gave me—a limitation that many of us hit when facing modern, compiler-integrated obfuscation. This realization led me down a deep rabbit hole: working with intermediate representations (IR), sharpening my knowledge of Abstract Syntax Trees (ASTs), and even brushing up on a little linear algebra. In the process, I noticed a massive knowledge gap. Despite how critical these topics are for modern malware analysis, there are very few structured, formal learning paths. While there are excellent individual trainings and amazing blogs out there, I felt like I was back in time—hunting for pieces of tribal knowledge scattered across the internet. While I’ve certainly been utilizing LLMs to accelerate my research and tool generation, they aren't a shortcut for the analysis itself. I'm finding this area still requires a fundamental understanding of how these diverse topics converge into a single binary manifestation. After months of diving head-first into these abstractions, I’m pleased to announce the fruit of those struggles. I’ll be teaching "Syntactical Supremacy: Defeating and Designing Nation-State Obfuscation" at Black Hat this summer in Las Vegas. If you'd like to take a peek at what I've been working on, you can check out the syllabus below. Have questions? Don't hesitate to send me a message or drop a comment below :) 🔗 https://lnkd.in/gJqnNYmV
-
Teoderick C. reacted to this: Excited to release Phoenix | Sigma Rule Intelligence Platform. Check it out today - https://lnkd.in/eNGrcjVN Been working on this for a moment. The ultimate place to interact with SigmaHQ rules. I've bundled in a bunch of features. Here is a quick overview:
- A new way to explore Sigma rules - giving you a structured, interactive way to understand detections and breaking down logic, fields, and intent
- Search & discovery - quickly find rules by behavior, technique, or signal.
- Convert rules leveraging the Sigconverter API on the fly.
- Get your own author card with stats and information around your contribution.
- Access testing data and linked simulation from Atomic Red Team
And a bunch more things that I'll leave you to explore :D
-
Teoderick C. liked this: This idea is amazing, especially for folks trying to collect telemetry from attacks (e.g. for detection development), but also to test preventions in a safe space!
-
Teoderick C. liked this: I recently came across two undocumented kernel driver samples on MalwareBazaar — both signed by Microsoft via the WHCP attestation program, both linked to the same Chinese developer account: 陕西阿牛创汇网络科技有限公司 (Shaanxi Aniu Chuanghui Network Technology Co., Ltd.). The two samples are Core64.sys (signed Jan 2025) and EtwTraceHook.sys (signed Feb 2025). The second name is particularly telling — ETW (Event Tracing for Windows) is the telemetry backbone used by virtually every EDR and AV product. Hooking or disabling it means going dark for most security tooling. Static analysis reveals both drivers expose an identical IOCTL interface built on four kernel primitives:
1000 — resolve any kernel export by name via MmGetSystemRoutineAddress
1001 — call an arbitrary kernel function pointer with up to 4 arguments
1002 — write a value into an internal kernel table (~100k entries)
1003 — read from the same table
Combined, these primitives give a userland client full ring-0 capability: resolving and calling any kernel function enables process termination bypassing PPL, ETW provider patching to blind EDR telemetry, and kernel memory manipulation. The internal table (read/write commands) likely serves as a shared state store between the driver and its loader component — possibly caching resolved addresses or storing hook targets. The stealth mechanism is particularly interesting: the IRP_MJ_CREATE handler immediately deletes both the device object and its symbolic link on first access. After the first CreateFile(), the device vanishes from \\.\ entirely — invisible to WinObj, handle scanners, and most EDR visibility layers. The signing method mirrors the POORTRY technique documented by Mandiant, Sophos and SentinelOne in 2022-2023: illicitly obtained developer accounts used to push malicious drivers through Microsoft's WHCP attestation process, resulting in a valid Microsoft-issued signature. These two samples follow the exact same playbook — same account, two builds one month apart, neither attributed to a known family.
IOCs:
17aae57cf6255c7eb169bf62ea67376d9708976eb7831f8cdd0ea38bdcb37dc4 — Core64.sys
6ae294cb5c71118350342e6a26350d0e95ea23d0548125b09056efa0ea19bf45 — EtwTraceHook.sys
#malwareanalysis #byovd #kernelsecurity #threatintelligence #windowsinternals #dfir #etw #poortry
Recommendations received
1 person has recommended Teoderick
Explore more posts
-
Do Van Son
SecurityOnline • 302 followers
The Apache Tika toolkit, the industry standard for detecting and extracting metadata from over a thousand file types, has issued a maximum-severity alert. A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, poses a catastrophic risk to applications relying on Tika for content analysis. With a CVSS score of 10.0, this flaw allows attackers to compromise servers simply by uploading a malicious PDF.
2
-
The Cyber Security Hub™
2M followers
Download Pentera Labs Report - revealing three new critical injection points in the ingress-nginx controller, building on Wiz’s IngressNightmare CVE. These overlooked vulnerabilities could let attackers hijack traffic, spoof headers, or reach unauthorized backend services - They exist in one of the most widely used ingress controllers in Kubernetes, putting countless environments at risk. This research highlights how small misconfigurations can lead to major exposure in modern cloud-native architectures. What’s Inside: ✅ 3 new injection vulnerabilities in ingress-nginx ✅ How attackers find and exploit CVEs in open source ✅ Actionable tips to secure your Kubernetes environment https://lnkd.in/eHtX6EdP
9
1 Comment -
Hadrian
10K followers
Are you measuring the risks that really matter? Traditional assessments rarely capture the sequence of actions attackers use to exploit gaps. At RSAC 2026, we’ll explore how simulating real attacker behavior uncovers exposure hiding in plain sight. Using insights from the 2026 Offensive Security Benchmark Report, we’ll break down reconnaissance, attack paths, and exploitation steps that quantify real enterprise risk. Our CEO, Rogier Fischer, along with our team of experts Matan Shavit and Guy Stockwell, will be at Moscone Center, San Francisco, March 23‑26, sharing these insights with professionals tackling the same risks. If you want to map your blind spots before attackers do, book a time with our team at the conference: https://lnkd.in/e_4dMt2F #RSAC2026 #RSAC #Cybersecurityevents
20
1 Comment -
Curios
974 followers
In modern cloud environments, patching every CVE isn’t just unrealistic - it’s inefficient. Attackers don’t target every vulnerability. They target the ones you left exposed. That’s why the smartest teams are moving to risk-based vulnerability management, combining CVSS with real world context to prioritize what truly matters. 🔹 Focus on internet-facing workloads. 🔹 Automate prioritization in container pipelines. 🔹 Measure success by remediation time, not patch volume. The result? A 70% reduction in workload, and a stronger security posture. #CloudSecurity #VulnerabilityManagement #Curios #Tenable
4
1 Comment -
Anchore
4K followers
The next critical CVE isn't a question of if, but when. Will your team be running a war room with 13 different teams frantically debugging permission issues across dozens of clusters? Or will you run a single query against your SBOM inventory and let your policy engine handle remediation recommendations? Learn how Anchore Enterprise transforms CVE response in our latest article. 🔗 https://lnkd.in/etSgZw2K #SBOM #VulnerabilityManagement #SupplyChainSecurity #DevSecOps
3
-
Taylor Walton
SOCFortress • 3K followers
You might be feeling frustrated by the endless struggle of getting Sigma detection rules to work seamlessly in your open-source SIEM stack. It probably feels like every new rule demands manual conversions, special configs, and a ton of guesswork. It can be exhausting--and I’ve definitely been there. In this walkthrough I introduce how we can incorporate Velociraptor DFIR to solve our Sigma challenge. I share how I set up automated scans, tackled noisy detections, and fed alerts into my incident-response workflow (CoPilot). https://lnkd.in/gX5-X_mN
90
3 Comments -
Offensive Security Manager
758 followers
We used Offensive Security Manager’s real-time risk scoring to triage a live incident and cut mean-time-to-remediate dramatically. Step 1: the platform auto-scored alerts using contextual ML—no manual tagging. Step 2: priorities shifted dynamically as threat context evolved, and responders were re-assigned in seconds. Step 3: every decision and score was logged for audit-ready evidence. The result: faster, repeatable response, less manual triage, and clearer risk posture reporting for leadership. Learn how this improves operational speed and compliance: https://wix.to/yghzGp7 🔒📊 #Cybersecurity #IncidentResponse #RiskManagement
3
-
CVERiskPilot
2 followers
CVERiskPilot Beta 2.0 is live. We built CVERiskPilot to help security teams turn raw vulnerability exports into evidence-backed, reviewable remediation decisions without overstating certainty. Beta 2.0 includes:
- Multi-tenant authenticated workflows
- Uploads for JSON, SARIF, CSV, and XLSX
- Findings triage and deep review
- Remediation ticket workflows
- Executive reporting
- Billing and release-readiness foundations
- Auditor-facing self-assessment and evidence-tracking views
What matters most to us is trust:
- Clear tenant isolation boundaries
- Reviewable workflows
- Advisory AI, not black-box automation
- Evidence-oriented operations and release discipline
This is still beta, and we’re treating it like beta: real workflows, real hardening, real feedback loops. If you lead vulnerability management, platform security, or security operations and want early access or want to help shape the product, we’d love to connect. #CyberSecurity #VulnerabilityManagement #AppSec #SecurityOperations #DevSecOps #SaaS #B2B #BetaLaunch
1
-
Cobalt
36K followers
Progress isn't always linear, but your offensive security strategy should be. Our 7th annual State of Pentesting Report uncovers why critical vulnerabilities are slipping through the cracks—especially with new #genAI risks emerging. Build your action plan. Learn why knowledge from expert-led pentesting is power. Download the report and transform assumptions into actionable clarity. 🔗: https://hubs.la/Q03vrqqM0
18
-
Caitlin Condon
VulnCheck • 4K followers
It's VulnCheck Friday! This week's release has new goodies now available to Initial Access Intelligence customers, including: • Signatures for 5 CVEs observed in the wild by VulnCheck canaries • A use-after-free exploit for Redis CVE-2025-49844 (a beefy boi) • Exploits, signatures, PCAPs, and queries for Linksys E1700, Belkin F9K1122, and SAP SCIMono https://lnkd.in/ec5We7Bd
25
-
Ivan Ristić
Red Sift • 3K followers
Version numbers in protocols are dead. In TLS land, we used to call this protocol version intolerance. TLS 1.3 had to abandon advancing the version number because too many servers would have rejected the handshake. I measured this problem back in 2015 as part of SSL Pulse (one of the SSL Labs' projects), trying different version numbers against top domain names. A whopping 60% of TLS servers would have rejected "2.0" if offered as the handshake version number. Version "1.3" fared better, at "only" 12%. Abandoning the version number change dropped this further to 3.2%. Further protocol changes were made subsequently to reduce this number even further.
28
-
DeployHub
446 followers
Your offensive security tools are finding vulnerabilities. But what happens when the next CVE drops after deployment? Most organizations discover they’re running vulnerable open-source packages months after threats surface. By then, attackers already have tactical advantage. DeployHub’s defensive approach changes the game: Real-time threat mitigation across your entire software supply chain, Application-level SBOMs that map vulnerabilities to active endpoints, CVE remediation in minutes, not months. While competitors focus on pre-deployment scanning, we maintain operational endpoint tracking for threats that emerge post-deployment. Our open-source vulnerability management platform gives you tactical control when it matters most. Don’t just scan for threats. Neutralize them. #OpenSourceSecurity #VulnerabilityManagement #DevSecOps #SBOM #CyberThreat #AppSec https://cstu.io/d83c75
1
-
Certified Threat Modeling Professional (CTMP)
4K followers
Most organizations treat incident response (IR) as a checklist. But attackers don’t follow checklists. That’s where threat modeling comes in—giving IR teams the ability to: 🔍 Spot attack paths before adversaries use them 📊 Simulate attacker behavior across the kill chain ⚡ Prioritize high-impact risks 🛡️ Build defenses that adapt as threats evolve 👉 Read more from OWASP’s Threat Modeling resources: https://lnkd.in/gFBEcsy9 📌 If you like our posts, follow Certified Threat Modeling Professional (CTMP). We regularly create & share tips/resources & content on DevSecOps, Container Security, Threat Modeling, Cloud Native, & more. #ThreatModeling #IncidentResponse #CyberSecurityStrategy #ProactiveDefense #TripwireInsights
14
1 Comment -
Unveil Security Group, LLC.
660 followers
Most breaches start with a click - not a firewall failure. UNVEIL simulates phishing, impersonation, and social engineering tactics to identify human vulnerabilities and help your teams build real resilience. No blame. No shaming. Just insight, education, and stronger defenses.
1
-
Wiz
401K followers
Zero-Day vulnerabilities like #React2Shell prove the importance of acting fast and removing exploitable risk before it becomes a threat. ⏱️ Wiz ASM gives SOC teams 'Validated External Risk Issues', high-fidelity alerts that reveal exploitable paths from the outside, so you can act before an incident happens. With Wiz ASM, you can: • Eliminate exploitable risks before attackers do. • See the blast radius of external threats in your environment. • Remediate fast with full context and ownership. 🔗 https://lnkd.in/eabWapHN
160
1 Comment -
Alon Gal
Hudson Rock • 20K followers
⚠️ EmEditor users... "In a security incident notice posted on the official website on December 22, the software’s developers warned that individuals who had downloaded EmEditor using the ‘download now’ button between December 19, 18:39 PT, and December 22, 12:50 PT, may have been served a malicious installer." via SecurityWeek - https://lnkd.in/dZ-s4pzf
23