#DetectionEngineering

2025-07-07

In this #Splunk Threat Research Team (STRT) blog, we take a close look at a malicious campaign that used a weaponized Inno Setup installer. This malicious installer runs Pascal scripts to download and install malware on victims’ computers.

We show how the attackers use services like TinyURL and Rentry to hide their activity and avoid detection. Our analysis follows the campaign up to the point where it uses the HijackLoader, a sophisticated shellcode, to load or deliver the final payload, which in this case is the Redline Stealer.

We also share the tactics, techniques, and procedures (TTPs) we identified, along with Splunk detection ideas to help spot events related to this threat. 😊
#malwareanalysis #blueteam #reverseengineering #detectionengineering #incidentresponse

lnkd.in/dCTc6GZV


THRUNTING isn’t just a buzzword. It’s a mindset. 🐑

Inspired by Tim Peters’ 19 aphorisms for Python, THOR Collective Dispatch introduces "The Zen of Thrunting."

dispatch.thorcollective.com/p/

Stay curious. Happy thrunting.

#threatintelligence #threathunting #cybersecurity #thrunting #detectionengineering #infosec #THORcollective

Tedi Heriyanto (tedi@infosec.exchange)
2025-06-29

🔌 That browser extension? That IDE plugin? Might not be doing what you think.

New on THOR Collective Dispatch: five hunt ideas + a PEAK deep dive into sneaky plugin abuse.

Start with visibility. Hunt what blends in.

📖 dispatch.thorcollective.com/p/

#threathunting #thrunting #PEAKFramework #THORcollective #detectionengineering

Tedi Heriyanto (tedi@infosec.exchange)
2025-06-23
2025-06-18

In a new blog, Proofpoint threat research engineers disclosed their discovery of Amatera Stealer, a newly rebranded and upgraded malware-as-a-service (MaaS) version of the ACR Stealer.

Read the blog: brnw.ch/21wTvkx

While maintaining its roots in ACR Stealer, the latest variant, #Amatera, introduces new features—including sophisticated delivery mechanisms, anti-analysis defenses, and a revamped control structure—making it stealthier and dangerous.

See the Threat Research Engineering blog for IOCs and Emerging Threat signatures.

#securityengineering #detectionengineering #securitycontrols

2025-06-10

🎉 Just dropped a new Kunai release! 🎉

We've been working hard on some exciting new features and performance boosts that we can't wait for you to try out! Here's what's new:

New Features:
🔍 Track io_uring operations with new io_uring_sqe events!
📝 Get more context with parent command line information for execve and execve_script events.
🔎 Get information about matching filtering rules in final events.
🧪 Test your filters with ease using the new test command.

Improvements:
⚡ Experience performance boosts thanks to changes in the event matching engine and code refactoring.

Ready to dive in? Check out the full release notes here: github.com/kunai-project/kunai

Don't hesitate to give Kunai a try and share your feedback! Let's make Kunai even better together!

#Linux #ThreatHunting #ThreatDetection #DFIR #DetectionEngineering #OpenSource

2025-06-06

🚀 Kunai Sandbox is now live! 🚀

Curious about Kunai? Want to analyze Linux malware logs? Or share malware analysis to build detection rules? Kunai Sandbox has you covered! 🛡️

🔍 Check out what Kunai can do:
✅ Explore Kunai's log structure without running it locally
✅ Analyze logs generated by Linux malware
✅ Share malware analysis with others to build detection rules

🔗 See an example analysis of the perfctl #linux #malware: sandbox.kunai.rocks/analysis/5

#detectionengineering #infosec #dfir #soc

2025-06-05

I wrote a @greynoise blog about Suricata, poor documentation, overlapping RFCs, and weird historical choices. Hope you like it!

If you like "things about Suricata that annoy Ron" blogs, let me know... I have way more. :)

labs.greynoise.io/grimoire/202

#infosec #detectionengineering #blog

Tedi Heriyanto (tedi@infosec.exchange)
2025-05-31

Blog posts from Recon Infosec regarding building detection capabilities using Sigma:

- SigmaHQ Essentials - Building Robust Detection Capabilities: blog.reconinfosec.com/sigmahq-

- SigmaHQ Essentials - Building Robust Detection Capabilities - Part 2: blog.reconinfosec.com/sigmahq-

#sigma #detectionengineering

2025-05-29

@chrissanders88 100% agree. From a SOC perspective, it’s all assumptions on why it fired, and not seeing the exact logic prevents the analyst from fully understanding the reason for alerting and where to potentially pivot next. I’m gonna guess there’s “secret sauce” involved for why they don’t share, but from a detection engineering perspective I need to confirm your logic to ensure I don’t need to supplement it with my own. Is your rule too narrow in scope? Is it outdated and no longer relevant? Does it cover multiple OSes? Security teams have been burned too many times assuming a vendor’s detection base provides coverage for certain threats when in reality it sat there and watched while it happened. Custom logic should always have comments for what it’s looking for, relevant cyber threat intelligence reporting to support its creation, MITRE ATT&CK T-code for tracking, and tips for SOC analysis. #soc #dfir #DetectionEngineering #threatintelligence #cti

2025-05-29

This blog is a little bitter, but it is what it is 🫠

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

academy.bluraven.io/blog/detec

#ThreatHunting #DetectionEngineering

Claus Cramon Houmannclaushoumann
2025-05-27

If you’re ’ing without , why don’t you want your work to be actionable for your :P

2025-05-24

I published a blog post about testing Security Onion's DNS C2 detection capabilities: akusilvennoinen.fi/posts/secur

Sliver DNS C2 traffic is not detected by Security Onion 2.4.111 using the default detection rules.

None of the Security Onion detections (at least from the default sources) are statistical anomaly detections or some other behavioral detections, and detecting DNS C2 traffic requires a statistical or some other behavioral method to avoid an excessively high number of false positives.

Security Onion 2.4.111 contains Zeek (formerly known as Bro), a network traffic analysis framework. Zeek can be used for defining statistical detections with its event-driven scripting language.

Jeremy Baggs has developed Zeek scripts for detecting anomalous DNS traffic. The scripts are available at github.com/jbaggs/anomalous-dns.

The blog post describes a method for adding these scripts to Security Onion.

#securityonion #sliver #zeek #detectionengineering
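A statistical DNS tunnelling heuristic of the kind the post says is needed, as an added example that is neither the post's nor the anomalous-dns project's code: it runs over a constructed, reduced subset of Zeek dns.log columns (ts, id.orig_h, query, qtype_name; that subset is an assumption) and flags (client, parent domain) pairs whose subdomains are mostly unique, long and high-entropy, the pattern encoded C2 subdomains produce.

```python
import math
from collections import defaultdict

# Constructed, reduced Zeek-style dns.log lines (tab-separated): ts, id.orig_h, query, qtype_name.
SAMPLE_LOG = [
    "1717000001.1\t10.0.0.7\twww.example.com\tA",
    "1717000002.2\t10.0.0.7\tmail.example.com\tA",
    "1717000003.3\t10.0.0.7\twww.example.com\tAAAA",
    "1717000004.4\t10.0.0.7\twww.example.com\tA",
    "1717000005.5\t10.0.0.5\tabcdefghijklmnopqrstuvwxyz234567.c2-example.test\tTXT",
    "1717000006.6\t10.0.0.5\t234567abcdefghijklmnopqrstuvwxyz.c2-example.test\tTXT",
    "1717000007.7\t10.0.0.5\tzyxwvutsrqponmlkjihgfedcba765432.c2-example.test\tTXT",
    "1717000008.8\t10.0.0.5\tnopqrstuvwxyz234567abcdefghijklm.c2-example.test\tTXT",
]

def shannon_entropy(s):
    """Bits per character of s; random-looking encoded labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def split_query(query):
    """Naive split into (parent domain = last two labels, subdomain labels joined)."""
    labels = query.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def score_domains(lines, min_queries=4):
    """Per (client, parent): unique-subdomain ratio, mean length, mean entropy."""
    subs = defaultdict(list)
    for line in lines:
        _ts, orig_h, query, _qtype = line.split("\t")
        parent, sub = split_query(query)
        subs[(orig_h, parent)].append(sub)
    feats = {}
    for key, seen in subs.items():
        uniq = {s for s in seen if s}
        if len(seen) < min_queries:  # too few queries to judge statistically
            continue
        feats[key] = {
            "unique_ratio": len(uniq) / len(seen),
            "mean_len": sum(map(len, uniq)) / max(len(uniq), 1),
            "mean_entropy": sum(map(shannon_entropy, uniq)) / max(len(uniq), 1),
        }
    return feats

def suspicious(feats, unique_ratio=0.75, mean_len=30, mean_entropy=3.5):
    """Flag pairs whose subdomains are mostly unique, long and high-entropy."""
    return sorted(k for k, f in feats.items() if f["unique_ratio"] >= unique_ratio
                  and f["mean_len"] >= mean_len and f["mean_entropy"] >= mean_entropy)
```

Thresholds are starting points to tune per environment; the same features can be emitted from a Zeek script on the dns_request event instead of post-processing the log.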

2025-05-23

🔍 Detection rules are only as good as the tests behind them. 💡📊

Ariel Ropek's #BSidesBoulder25 talk "Incorporating End to End Integration Tests into your Detection Engineering Workflow" will provide a practical guide to moving beyond brittle unit tests and validating detections with full attack simulations. If you're building detection-as-code or maintaining a SIEM, this talk is your blueprint for making sure your alerts fire when it really matters! #BSides #BSidesBoulder #CyberSecurity #DetectionEngineering #E2ETesting #CyberDefense

Check out our full schedule at bsidesboulder.org/schedule/

Tickets are available for purchase for our 13 June event here: eventbrite.com/e/bsides-boulde

2025-05-22

Okta has published a decent repository of custom detection and hunting queries for your Okta tenant. I highly recommend taking a look and considering implementation, bearing in mind the likelihood of false positives.

I also recommend monitoring for any user enabling impersonation access for support cases. This allows Okta engineers into your tenant, and threat actors will abuse this to pivot. Any attempts to turn this on should be audited to ensure it aligns with remote troubleshooting with Okta engineers.

Finally, audit any Okta admins who run reports from the admin portal. Threat actors love these reports to identify org MFA policies, password health, and admin role assignments.

sec.okta.com/articles/2025/05/

support.okta.com/help/s/articl

help.okta.com/en-us/content/to

#cti #detectionengineering #soc #threatintel

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst