SYSMON – ELK Integration and Monitoring APT34 Tools

Summary: The previous post, Monitoring for Windows Event Logs and the Untold Story of proper ELK Integration, explained how to leverage monitoring of Windows Event Log through Elasticsearch while using Kibana, Winlogbeat and Logstash. The blog post also provided a list of Windows Event Log records (based on their functionality and […]


Monitoring for Windows Event Logs and the Untold Story of proper ELK Integration

Summary: I have been searching online for some time now for any information about the proper method for monitoring Windows Event Log records via Elasticsearch. Nonetheless, there are several blogs that explain how to accomplish this process, including some documentation from the Elastic team. However, each one provides a small […]


Technical Analysis of the Malspam Pushing Kovter Payload & Nemucod Ransomware – Part I

Summary: On July 3, 2017, Myonlinesecurity (Twitter @dvk01uk) reported a new spam campaign targeting organizations around the world with a new Nemucod ransomware and a Kovter payload. The victims that were targeted in this campaign received a phishing email from the “UPS Parcel” service. The email also included a ZIP file attachment and the […]


Discovering Process Hollowing Injection in Memory – DarkComet Use Case

Summary: DarkComet Remote Administration/Access Tool (RAT) is an application that provides remote access to, and administration of, remote systems. Typically, the creators of this RAT can choose its capabilities during the build process. However, some of the common DarkComet capabilities include (but are not limited to) keylogging of system and keyboard […]
