Mastodawn

In a new blog, Proofpoint threat research engineers disclosed their discovery of Amatera Stealer, a newly rebranded and upgraded malware-as-a-service (MaaS) version of the ACR Stealer.

Read the blog: https://brnw.ch/21wTvkx

While maintaining its roots in ACR Stealer, the latest variant, #Amatera, introduces new features—including sophisticated delivery mechanisms, anti-analysis defenses, and a revamped control structure—making it stealthier and dangerous.

See the Threat Research Engineering blog for IOCs and Emerging Threat signatures.

#securityengineering #detectionengineering #securitycontrols

Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication | Proofpoint US

Key takeaways Proofpoint identified a new, rebranded stealer based on ACR Stealer called Amatera Stealer. It is delivered via web injects featuring sophisticated attack

Proofpoint

Kunai Project Jun 10

🎉 Just dropped a new Kunai release! 🎉

We've been working hard on some exciting new features and performance boosts that we can't wait for you to try out! Here's what's new:

New Features:
🔍 Track io_uring operations with new io_uring_sqe events!
📝 Get more context with parent command line information for execve and execve_script events.
🔎 Get information about matching filtering rules in final events.
🧪 Test your filters with ease using the new test command.

Improvements:
⚡ Experience performance boosts thanks to changes in the event matching engine and code refactoring.

Ready to dive in? Check out the full release notes here: https://github.com/kunai-project/kunai/releases/tag/v0.6.0

Don't hesitate to give Kunai a try and share your feedback! Let's make Kunai even better together!

#Linux #ThreatHunting #ThreatDetection #DFIR #DetectionEngineering #OpenSource

Release v0.6.0 · kunai-project/kunai

Release Notes New Features Enhanced Event Tracking: Added support for io_uring_sqe events, improving the tracking of I/O operations. Parent Command Line Information: Added parent command line info...

GitHub

Kunai Project Jun 6

🚀 Kunai Sandbox is now live! 🚀

Curious about Kunai? Want to analyze Linux malware logs? Or share malware analysis to build detection rules? Kunai Sandbox has you covered! 🛡️

🔍 Check out what Kunai can do:
✅ Explore Kunai's log structure without running it locally
✅ Analyze logs generated by Linux malware
✅ Share malware analysis with others to build detection rules

🔗 See an example analysis of the perfctl #linux #malware: https://sandbox.kunai.rocks/analysis/59edbf8c-41b7-4144-97e0-9b0571446c02

#detectionengineering #infosec #dfir #soc

Ron Bowes Jun 5

I wrote a @greynoise blog about Suricata, poor documentation, overlapping RFCs, and weird historical choices. Hope you like it!

If you like "things about Suricata that annoy Ron" blogs, let me know.. I have way more. :)

https://www.labs.greynoise.io/grimoire/2025-06-05-suricata-url-decoding/

#infosec #detectionengineering #blog

Suricata evasion, starring URL decoding – GreyNoise Labs

How does Suricata’s URL decoding work? It’s more complex than you think!

GreyNoise Labs

Tedi Heriyanto May 31

Blog posts from Recon Infosec regarding building detection capabilities using Sigma;

- SigmaHQ Essentials - Building Robust Detection Capabilities: https://blog.reconinfosec.com/sigmahq-essentials-building-robust-detection-capabilities

- SigmaHQ Essentials - Building Robust Detection Capabilities - Part 2: https://blog.reconinfosec.com/sigmahq-essentials_-building-robust-detection-capabilities-part-2

#sigma #detectionengineering

SigmaHQ Essentials - Building Robust Detection Capabilities

This series of blog posts should cover the basics to get you started. What is sigmaHQ? How are detections written? How can detection engineering be integrated into your tools/soc/security team? And a few other fancy uses you can get out of this free and amazing repository of detections.

Show thread

Saltmyhash May 29

@chrissanders88 100% agree. From a SOC perspective, it’s all assumptions on why it fired, and not seeing the exact logic prevents the analyst from fully understanding the reason for alerting and where to potentially pivot next. I’m gonna guess there’s “secret sauce” involved for why they don’t share, but from a detection engineering perspective I need to confirm your logic to ensure I don’t need to supplement it with my own. Is your rule too narrow in scope? Is it outdated and no longer relevant? Does it cover multiple OSes? Security teams have been burned too many times assuming a vendor’s detection base provides coverage for certain threats when in reality it sat there and watched while it happened. Custom logic should always have comments for what it’s looking for, relevant cyber threat intelligence reporting to support its creation, MITRE ATT&CK T-code for tracking, and tips for SOC analysis. #soc #dfir #DetectionEngineering #threatintelligence #cti

Mehmet Ergene May 29

This blog is a little bitter, but it's what it is🫠

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

https://academy.bluraven.io/blog/detecting-vulnerable-drivers-using-defender-for-endpoint-kql

#ThreatHunting #DetectionEngineering

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

Detect vulnerable Windows drivers in MDE the right way using KQL and LOLDrivers.io. Avoid common query mistakes and boost detection accuracy.

Mehmet Ergene

Claus Cramon Houmann May 27

If you’re #purpleteam ’ing without #OpenTIDE, why don’t you want your work to be actionable for your #SOC #DetectionEngineering :P

Aku Silvennoinen May 24

I published a blog post about testing Security Onion's DNS C2 detection capabilities: https://akusilvennoinen.fi/posts/security-onion-dns-c2/

Sliver DNS C2 traffic is not detected by Security Onion 2.4.111 using the default detection rules.

None of the Security Onion detections (at least from the default sources) are statistical anomaly detections or some other behavioral detections, and detecting DNS C2 traffic requires a statistical or some other behavioral method to avoid an excessively high number of false positives.

Security Onion 2.4.111 contains Zeek (formerly known as Bro), a network traffic analysis framework. Zeek can be used for defining statistical detections with its event-driven scripting language.

Jeremy Baggs has developed Zeek scripts for detecting anomalous DNS traffic. The scripts are available at https://github.com/jbaggs/anomalous-dns.

The blog post describes a method for adding these scripts to Security Onion.

#securityonion #sliver #zeek #detectionengineering

Testing Security Onion's DNS C2 Detection Capabilities

In this post, the DNS command-and-control (C2) detection capabilities of Security Onion are evaluated using Sliver. A standalone installation of Security Onion is assumed; however, the solutions presented should be applicable to other deployment models as well. The process begins with the setup of Sliver’s DNS C2 feature.\nSetting up Sliver DNS C2 Step-by-step instructions for setting up DNS C2 are provided in the Sliver documentation. Cloudflare DNS is used as the example in the documentation. When using Cloudflare DNS, the setup process is straightforward due to the detailed guidance.\n

Aku Silvennoinen Infosec Blog

BSides Boulder May 23

🔍 Detection rules are only as good as the tests behind them. 💡📊

Ariel Ropek's #BSidesBoulder25 talk "Incorporating End to End Integration Tests into your Detection Engineering Workflow" will provide a practical guide to moving beyond brittle unit tests and validating detections with full attack simulations. If you're building detection-as-code or maintaining a SIEM, this talk is your blueprint for making sure your alerts fire when it really matters! #BSides #BSidesBoulder #CyberSecurity #DetectionEngineering #E2ETesting #CyberDefense

Check out our full schedule at https://bsidesboulder.org/schedule/

Tickets are available for purchase for our 13 June event here: https://www.eventbrite.com/e/bsides-boulder-2025-registration-1290129274389

Schedule

Schedule is subject to change