Liran Ravich, Author at CardinalOps

Bash and Switch: Hijacking via Windows Subsystem for Linux

Windows Subsystem for Linux (WSL) is a feature in Windows that allows users to run a real Linux user space directly inside Windows, without needing a virtual machine or dual-boot setup. This feature is commonly

Living off WinRM: Abusing Complexity in Remote Management

Key Context: What Is LOLBAS Anyway? LOLBAS (Living Off The Land Binaries, Scripts, and Libraries) are legitimate Windows tools and binaries that attackers abuse to perform malicious actions without using custom malware. One of the

The Art of Anomaly Hunting: Learning from Legitimate Patterns for Detection

When writing detections based on threat reports, research blogs or other sources, common sense dictates that we should find a way to alert on the malicious actions as best as possible, ideally using TTPs. This

Safeguarding Azure Blobs: Detecting Public Network Access Configurations

Microsoft Azure utilizes blobs to house large amounts of unstructured data. An Azure blob can be configured to be accessed from specific IP addresses only. This is the common configuration and a known best practice

CardinalOps Contributes Updates to MITRE ATT&CK Techniques Related to Abuse of Mail Transport Rules

Adversaries are hijacking corporate email systems such as Office 365 by abusing email transport rules. Learn how these sophisticated attacks work, plus how to detect them in Splunk, Microsoft Sentinel, IBM QRadar & Sumo Logic.

SIEM Detections for Okta PassBleed (Splunk, Microsoft Sentinel, IBM QRadar, Sumo Logic)

Summary This blog post summarizes new password stealing and impersonation risks recently discovered for Okta, along with recommended SIEM detection rules and associated MITRE ATT&CK techniques for SIEM solutions including Splunk, Microsoft Sentinel, IBM QRadar,

Splunk and other SIEM detections for Follina, a clever MS-Office 0-day

Summary This blog post summarizes Follina, an RCE zero-day discovered in Microsoft Office. It provides recommended detections in the native query languages for Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, along with associated MITRE

Enterprise SIEMs Detect Fewer Than 5 of Top 14 MITRE ATT&CK Adversary Techniques Used in the Wild

“Organizations need to become more intentional about detection in their SOCs. What should we detect? Do we have use cases for those scenarios? Do they actually work? Do they help my SOC analysts effectively triage

Spring into action (with SIEM detection rules for Spring4shell)

Spring into action (with SIEM detection rules for Spring4shell) The Spring Framework is an open source application framework that provides infrastructure support for developing Java applications. The framework can be used by any Java application

Lapsus$ vs the world: SIEM detection rules with ATT&CK mapping

Image credit: World of Dictionary A new player has entered the game The ”Lapsus$” group, unknown before December 2021, has made multiple headlines in recent weeks, following multiple data breaches in big companies such as