IT Security Blog

Click the button below to start exploring my website
Start exploring

Sigma vs. WannaCry

In this blog post, I will test the WannaCry malware against almost all Windows Sigma detection rules from the subfolders builtin, process_creation and sysmon (a total of 192 detection rules). WannaCry was one of the biggest cyber attacks affecting over 200.000 computers in 150 countries. In order to run the malware in a secure way, […]

Sigma vs. TeslaCyrpt

The Sigma repository contains over 200 Sigma detection rules. But we all know, quantity is not equal to quality. That’s why I started a new blog series, in which I will test real malware against a bunch of Sigma detection rules. In this blog post, I will test the TeslaCrypt malware against almost all Windows […]

CI/CD in Detection Rule Development

Continuous Integration (CI) and Continuous Delivery (CD) is a well-known concept in software development. In this blog post, I will introduce the concept of CI/CD and adapt it to the IT Security world based on the example of detection rule development. Continuous Integration (CI) means that the main branch is continuously validated by creating a […]

Sigma2SplunkAlert Tutorial

This blog post is a tutorial about a newly created tool Sigma2SplunkAlert converter. Many Security Operations Center (SOC) are using scheduled searches for their detection rules. Sigma is the new standard for describing detection rules. Deploying multiple Sigma detection rules into Splunk was a time-consuming task. Sigma2SplunkAlert converts multiple Sigma detection rules into a Splunk […]

Detect Privilege Escalation Preparation in Linux with Sigma

In this blog post, I will introduce a Sigma detection rule, which detects privilege escalation preparation in Linux. If an adversary has a limited shell and wants to escalate privileges, different information needs to be collected over the machine. This information includes the distribution type, kernel version, environment variables, running root services, applications, cron jobs […]

Splunk Deployment Best Practice

In this blog post, I will introduce the Splunk Deployment Server and give some best practice recommendations for apps and server class structure. I already see a lot of Splunk deployments with a terrible app and server class structure, which makes it very difficult to manage the Splunk infrastructure. Therefore, I decided to write this […]

Update Splunk Enterprise Single Instance

In this blog post, the Splunk update process of a Splunk Enterprise single instance is described. First of all, a backup of the Splunk configuration is performed: Download newest version of Splunk Enterprise on the Splunk homepage. I used the wget command to download the newest Splunk Enterprise rpm file: Subsequently, stop Splunk Enterprise as […]