To me, the phrase ‘Attackers Living off the Land’ evokes imagery of a foreign army sacking and plundering the countryside. Like Attila the Huns’ destructive campaign through Gaul in 451CE. During this destructive campaign, Attila had pillaged much of medieval Gaul, before withdrawing back to his homeland after the Battle…

Found a suspicious file that you think could be malware, but you don't know what to do? Read on! Malware is a term used to describe any ‘malicious software’ which will cause damage to a computer. Malware has caused significant financial damage to organisations for some decades. The most common…

Part 2: How to Enable Process Creation Events and How they can Track Malware and Threat Actor Activity This is the second part of a three-part blog series discussing Windows process creation events. Part 1 introduced process creation events and discussed why they should be enabled. In post, we will firstly look at how to enable process creation events, then look at a number of examples that describe…

LogRhythm.Tools is a PowerShell framework which acts as a wrapper for the LogRhythm API. This simplifies interactions with the LogRhythm API because you only need to run a PowerShell cmdlet to call an API function, rather than a direct interaction with your own code. Automating tasks with the LogRhythm API…

In this article, I will explore the possibility of monitoring a blockchain network with a traditional SIEM tool. But first, some background.. What is a Blockchain? At the risk of alienating the non-technical reader, a blockchain is a distributed data structure which stores records with a cryptographic integrity guarantee. This means that it is…

This article will show you how to use the LogRhythm SIEM API. It is important to understand what the API can do and how you can use it. This will help you get better value from your SIEM deployment. A Practical Use Case To showcase use of the API, we will walk through a…

Threat hunting is a great way of uncovering cyber-attacks or malicious activity within your environment which would otherwise have gone undetected. This post outlines a small, guided and task-oriented hunting expedition. In this expedition we will be looking for evidence of account compromise or insider threat activity by examining authentication…

Credential Misuse is a risky but common practice. Such as when someone uses their domain credentials to run a service or a script. This is risky because a bad guy could get hold of the script, which means that the person then has the credentials. Like what happened to this…

Part 3: Centralising Process Creation Events with a SIEM This is the third part of a three-part blog series discussing Windows process creation events. Part 1 introduced process creation events and discussed why they should be enabled. Part 2 showed how to enable process creation events and gave some examples showing why they are valuable for threat detection. We…