Kostas
kostastsale.bsky.social
1.4K followers 130 following 340 posts
https://kostas.page | Opinions are mine only! 🇬🇷🇨🇦
Read the full article: kostas-ts.medium.com/detecting-ab...

Sigma PR: github.com/SigmaHQ/sigm...

I'd love to hear your thoughts:
• Have you encountered similar permissive trial access in other security platforms? We need to document things before it's too late.

Hope you enjoy reading the post!
Detecting Abuse of OpenEDR’s Permissive EDR Trial: A Security Researcher’s Perspective (kostas-ts.medium.com)
I also contributed two rules to the community, along with a detailed explanation of them. They're sitting in a Sigma PR for review.

• File Event Rule: t.ly/jIE0U (DetectionStream deep-link)
• Process Creation Rule: t.ly/eTqUW (DetectionStream deep-link)
• Real-world analysis of permissive trial access (using OpenEDR as the example)
• How threat actors exploit trusted security tools
• Practical behavioral detection strategies
• Two production-ready Sigma rules you can deploy today
These are security tools, products that are ultimately trusted and won't raise any flags.

The harsh truth is that when attackers weaponize legitimate, signed security tools, traditional detection methods often fail. But there is always hope...
๐—œ๐—ป ๐˜๐—ต๐—ถ๐˜€ ๐—ฎ๐—ฟ๐˜๐—ถ๐—ฐ๐—น๐—ฒ, ๐—œ ๐—ฐ๐—ผ๐˜ƒ๐—ฒ๐—ฟ:
I recently came across the permissive trial access that the OpenEDR platform provides, and it got me thinking, they're definitely not the only ones doing this...

So I decided to use OpenEDR as a case study to highlight a broader issue: ๐—น๐—ฒ๐—ด๐—ถ๐˜๐—ถ๐—บ๐—ฎ๐˜๐—ฒ ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐˜๐—ผ๐—ผ๐—น๐˜€ ๐—ฏ๐—ฒ๐—ถ๐—ป๐—ด ๐˜„๐—ฒ๐—ฎ๐—ฝ๐—ผ๐—ป๐—ถ๐˜‡๐—ฒ๐—ฑ ๐—ฏ๐˜† ๐˜๐—ต๐—ฟ๐—ฒ๐—ฎ๐˜ ๐—ฎ๐—ฐ๐˜๐—ผ๐—ฟ๐˜€.
👉 The EDR Telemetry Project maps which vendors expose some of these event types:

✅ File share (File Open) activity – 5140
✅ Service modifications – 7040
✅ Registry writes – Sysmon 13
✅ Image loads – Sysmon 7

Check your vendor. If these aren’t surfaced or correlated, this will slide right past you!

➡️ Even better, use a correlation rule to chain the events together (priv logon → IPC$ → SCM op → service mod → registry write → cleanup).

When Sigma adds proper correlation support, we can make a clean shared rule for it.

Enable, dump, disable. All within one second.

Now, detection-wise… yeah, this one hurts. Tons of noise.

A good start:
➡️ Detect the SeBackupPrivilege logon combined with RemoteRegistry Start=3 → Start=4 within a short window!
  • 7040 Service Modification – RemoteRegistry start type flipped to demand start (Start=3)
  • Sysmon 13 Registry Mod – Start=3 written
  • Sysmon 7 Image Load – svchost.exe loading regsvc.dll
  • Sysmon 13 Registry Mod (cleanup) – Start=4 (service re-disabled)
This is related to the remote SAM dump
→ SeBackupPrivilege. That SeBackupPrivilege is important; it tells you this session can read the SAM/SECURITY/SYSTEM hives.

Then you have the below flow of events in that order:
  • 5140 File Share Access – IPC$ connection
  • 4674 Sensitive Privilege Use – SC Manager with SeTakeOwnershipPrivilege
Seeing some secretsdump activity in the wild lately, and it’s tricky to catch because of all the false positives.

The recent NetExec update (codename SmoothOperator) pushed me to share this one 👇
🔗 www.netexec.wiki/news/v1.4.0-...

First event (4672)
Special privileges assigned to new logon:
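The chain this thread describes (privileged logon carrying SeBackupPrivilege → IPC$ → SC Manager operation → RemoteRegistry enabled → Start=3 written → regsvc.dll loaded into svchost → Start=4 cleanup), expressed as an ordered correlation over event records. This is an added example, not Kostas's Sigma rule or anything from the EDR Telemetry Project. The Security and Sysmon field names follow the event XML; the 7040 fields ServiceName/OldStartType/NewStartType are assumed normalizations of that event's param1..param3; every event below is constructed.

```python
"""Correlate the remote SAM dump chain from the thread above (added example)."""
from datetime import datetime, timedelta

SYSMON = "Microsoft-Windows-Sysmon/Operational"
REMOTE_REG_START = r"\services\remoteregistry\start"


def lc(ev, key):
    """Field as a lowercase string ('' when absent) to keep predicates short."""
    return str(ev.get(key, "")).lower()


def is_ev(ev, channel, event_id):
    """EventID alone is ambiguous across logs, so always pair it with the channel."""
    return ev.get("Channel") == channel and ev.get("EventID") == event_id


# The chain in the order the thread lays it out; matched strictly in that order.
STEPS = [
    ("priv_logon", lambda e: is_ev(e, "Security", 4672)
                              and "sebackupprivilege" in lc(e, "PrivilegeList")),
    ("ipc_share", lambda e: is_ev(e, "Security", 5140)
                             and lc(e, "ShareName").endswith("ipc$")),
    ("scm_op", lambda e: is_ev(e, "Security", 4674)
                          and lc(e, "ObjectServer") == "sc manager"
                          and "setakeownershipprivilege" in lc(e, "PrivilegeList")),
    ("svc_enabled", lambda e: is_ev(e, "System", 7040)
                               and lc(e, "ServiceName") == "remote registry"
                               and "demand" in lc(e, "NewStartType")),
    ("start_eq_3", lambda e: is_ev(e, SYSMON, 13)
                              and lc(e, "TargetObject").endswith(REMOTE_REG_START)
                              and lc(e, "Details").endswith("00000003)")),
    ("regsvc_load", lambda e: is_ev(e, SYSMON, 7)
                               and lc(e, "Image").endswith(r"\svchost.exe")
                               and lc(e, "ImageLoaded").endswith(r"\regsvc.dll")),
    ("start_eq_4", lambda e: is_ev(e, SYSMON, 13)
                              and lc(e, "TargetObject").endswith(REMOTE_REG_START)
                              and lc(e, "Details").endswith("00000004)")),
]


def correlate(events, window_seconds=60):
    """One alert per completed chain on a host; partial chains stay silent."""
    window = timedelta(seconds=window_seconds)
    alerts, by_host = [], {}
    for ev in events:
        by_host.setdefault(ev["Computer"], []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["TimeCreated"])      # ISO-8601 sorts as text
        for i, first in enumerate(evs):
            if not STEPS[0][1](first):
                continue
            logon = first.get("SubjectLogonId")
            t0 = datetime.fromisoformat(first["TimeCreated"])
            matched = [first]
            for ev in evs[i + 1:]:
                t = datetime.fromisoformat(ev["TimeCreated"])
                if t - t0 > window:
                    break
                # The Security events must share the privileged logon session;
                # 7040 and Sysmon fire under services.exe/svchost, so they are
                # joined on host and time only.
                if ev["Channel"] == "Security" and ev.get("SubjectLogonId") != logon:
                    continue
                if STEPS[len(matched)][1](ev):
                    matched.append(ev)
                if len(matched) == len(STEPS):
                    alerts.append({"host": host, "logon_id": logon,
                                   "source_ip": matched[1].get("IpAddress"),  # the 5140
                                   "span_seconds": (t - t0).total_seconds(),
                                   "steps": [name for name, _ in STEPS]})
                    break
    return alerts


def ev(ts, computer, channel, event_id, **fields):
    return {"TimeCreated": ts, "Computer": computer, "Channel": channel,
            "EventID": event_id, **fields}


REG_START = r"HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start"
ATTACKER_LOGON = "0x3e7a91"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # WS01 noise: a backup agent's logon also carries SeBackupPrivilege
    ev("2025-10-20T11:59:30.000", "WS01", "Security", 4672,
       SubjectLogonId="0x1f2e3d", PrivilegeList="SeBackupPrivilege SeRestorePrivilege"),
    # WS01: the secretsdump-style chain, about 1.3 s end to end
    ev("2025-10-20T12:00:00.000", "WS01", "Security", 4672, SubjectLogonId=ATTACKER_LOGON,
       PrivilegeList="SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege"),
    ev("2025-10-20T12:00:00.200", "WS01", "Security", 5140, SubjectLogonId=ATTACKER_LOGON,
       ShareName=r"\\*\IPC$", IpAddress="10.0.0.66"),
    ev("2025-10-20T12:00:00.450", "WS01", "Security", 4674, SubjectLogonId=ATTACKER_LOGON,
       ObjectServer="SC Manager", PrivilegeList="SeTakeOwnershipPrivilege"),
    ev("2025-10-20T12:00:00.500", "WS01", "System", 7040,
       ServiceName="Remote Registry", OldStartType="disabled", NewStartType="demand start"),
    ev("2025-10-20T12:00:00.510", "WS01", SYSMON, 13, Image=r"C:\Windows\system32\services.exe",
       TargetObject=REG_START, Details="DWORD (0x00000003)"),
    ev("2025-10-20T12:00:00.800", "WS01", SYSMON, 7, Image=r"C:\Windows\System32\svchost.exe",
       ImageLoaded=r"C:\Windows\System32\regsvc.dll"),
    ev("2025-10-20T12:00:01.300", "WS01", SYSMON, 13, Image=r"C:\Windows\system32\services.exe",
       TargetObject=REG_START, Details="DWORD (0x00000004)"),
    # WS02: an admin enables RemoteRegistry in services.msc; no privileged network
    # logon, no IPC$, no SCM ownership grab, no cleanup -> must not fire
    ev("2025-10-20T12:05:00.000", "WS02", "System", 7040,
       ServiceName="Remote Registry", OldStartType="disabled", NewStartType="demand start"),
    ev("2025-10-20T12:05:00.010", "WS02", SYSMON, 13, Image=r"C:\Windows\system32\services.exe",
       TargetObject=REG_START, Details="DWORD (0x00000003)"),
    ev("2025-10-20T12:05:02.000", "WS02", SYSMON, 7, Image=r"C:\Windows\System32\svchost.exe",
       ImageLoaded=r"C:\Windows\System32\regsvc.dll"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only a complete, ordered chain inside the window fires: the admin's service toggle on WS02 and the backup agent's SeBackupPrivilege logon on WS01 never complete it, which is what keeps the noise this thread complains about down. Shrinking the window to one second drops the alert, because this constructed chain spans 1.3 s, so tune the window against what you actually see in your own 7040/Sysmon timing.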
With F5’s history of fumbles, this erodes confidence even more. My condolences to the orgs that are using them. Brace for the zero days that are coming your way… 😞

Their disclosure here: my.f5.com/manage/s/art...
And don’t get me started on helping the industry with IOCs or any other technical details; they didn’t even put anything out until a day after their admission, and even that was only shared across external reports, partners, and locked support tickets.

3/
Their disclosure is shocking… It’s full of corporate jargon, admitting some quite bad stuff while playing it cool, like the fact that they knew about it since August but only decided to tell their customers now 🤦‍♂️ No specifics on what was taken, the exact impact, etc.

2/
Here we go again… F5 disclosed a serious intrusion by a sophisticated nation-state threat actor who gained long-term access and stole files from their development and knowledge systems. Likely source code and undisclosed vulnerabilities ready to exploit.

1/
Padvish EDR becomes the 21st addition to the EDR Telemetry Comparison 🔥

Love seeing emerging vendors push this level of real-time telemetry: solid visibility through ETW, AMSI, and mini-filters.

Transparency like this helps move the whole industry forward.

Results: www.edr-telemetry.com/windows
You can now quickly reference a specific rule in discussions, share the rule with others, or download the rules you are filtering through the UI.

Check it out: detectionstream.com

Next up:

โ€ข ๐—š๐—ฎ๐—บ๐—ถ๐—ณ๐—ถ๐—ฒ๐—ฑ ๐—ฆ๐—ถ๐—ด๐—บ๐—ฎ ๐—ง๐—ฟ๐—ฎ๐—ถ๐—ป๐—ถ๐—ป๐—ด (interactive learning)
โ€ข ๐—ฆ๐—ถ๐—ด๐—บ๐—ฎ ๐—”๐˜๐˜๐—ฎ๐—ฐ๐—ธ ๐—ฃ๐—ฎ๐˜๐—ต ๐—ฉ๐—ถ๐˜€๐˜‚๐—ฎ๐—น๐—ถ๐˜‡๐—ฎ๐˜๐—ถ๐—ผ๐—ป (detection flow mapping)
4. AI rules are generated using system prompts that I personally curated for creating high-quality rules and NOT AI slop.
5. AI generation will remain free at my own expense. Enjoy!

... continue 👇
๐——๐—ฒ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—ฆ๐˜๐—ฟ๐—ฒ๐—ฎ๐—บ ๐—จ๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ: Two highly requested features just went live ๐Ÿš€

1. ๐——๐—ฒ๐—ฒ๐—ฝ ๐—Ÿ๐—ถ๐—ป๐—ธ๐˜€: share specific rules via hashtag#rule_id or full YAML
2. ๐——๐—ผ๐˜„๐—ป๐—น๐—ผ๐—ฎ๐—ฑ ๐—ฅ๐˜‚๐—น๐—ฒ๐˜€: export all rules matching your filters (gzip)
3. ๐—”๐—ฑ๐—ฑ๐—ฒ๐—ฑ "๐˜Š๐˜ณ๐˜ฆ๐˜ข๐˜ต๐˜ฆ ๐˜ณ๐˜ถ๐˜ญ๐˜ฆ๐˜ด ๐˜ธ๐˜ช๐˜ต๐˜ฉ ๐˜ˆ๐˜" functionality for both ๐—ฌ๐—ฎ๐—ฟ๐—ฎ and ๐—ก๐—ผ๐˜ƒ๐—ฎ frameworks ... continue๐Ÿ‘‡
They ate Portlandโ€™s national guard.
If this helped you, consider buying me one here: buymeacoffee.com/kostas.t. Every bit keeps the lights on.

• Check it out here: detectionstream.com
• Get your OpenRouter key by registering here: openrouter.ai
Although this is a free service for the community, there is a material cost to me. Because servers don’t run on coffee alone (like I do), if this helped you, consider buying me one here: buymeacoffee.com/kostas.t. Every bit helps to keep the lights on, and please add a note to say how it helped you!
Sigma Playground ➡️ create or tweak a detection rule, load your JSON logs, and see detections fire. Perfect for understanding how Sigma works in practice.

Nova Playground ➡️ build AI-native detections, validate with prompts, and test adversarial scenarios. A new way to think about monitoring LLMs.
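What "see detections fire" means underneath: a Sigma `detection:` block applied to JSON-lines logs. This is an added example, not DetectionStream's or SigmaHQ's code, and it implements only the Sigma subset the constructed rule needs: keys in a map are AND-ed, list values are OR-ed, the contains/startswith/endswith/all modifiers, case-insensitive matching with `*` and `?` wildcards for plain values, and conditions built from and/or/not/parentheses. The rule (reg.exe saving or exporting the SAM/SECURITY/SYSTEM hives), its BackupAgent.exe parent filter, and the five log lines are all constructed for illustration.

```python
"""Minimal Sigma-style matcher over JSON-lines logs (added example)."""
import json
import re

# Mirrors the `detection:` block of a rule's YAML, kept as a dict so no YAML
# library is needed.  Rule and allowlist filter are constructed.
DETECTION = {
    "selection": {                      # keys in one map are AND-ed
        "Image|endswith": r"\reg.exe",
        "CommandLine|contains": ["save", "export"],   # a list is OR-ed
    },
    "selection_hive": {
        "CommandLine|contains": [r"hklm\sam", r"hklm\security", r"hklm\system"],
    },
    "filter_backup": {                  # hypothetical allowlisted parent process
        "ParentImage|endswith": r"\BackupAgent.exe",
    },
    "condition": "selection and selection_hive and not filter_backup",
}


def match_value(field_value, pattern, modifiers):
    """One Sigma pattern against one field value; Sigma compares case-insensitively."""
    value, pat = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pat in value
    if "startswith" in modifiers:
        return value.startswith(pat)
    if "endswith" in modifiers:
        return value.endswith(pat)
    # Plain value: whole-field match where * and ? are Sigma wildcards.
    regex = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


def match_selection(selection, event):
    """Every field in the map must hold; a list is any-of unless |all is set."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:          # missing field never matches
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [match_value(event[field], p, modifiers) for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


class Condition:
    """Recursive-descent evaluator for and/or/not/parentheses over selection results."""

    def __init__(self, text, results):
        self.toks = re.findall(r"\(|\)|\w+", text)
        self.results, self.pos = results, 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def expr(self):                     # expr := term ('or' term)*
        value = self.term()
        while self._peek() == "or":
            self._take()
            value = self.term() or value
        return value

    def term(self):                     # term := factor ('and' factor)*
        value = self.factor()
        while self._peek() == "and":
            self._take()
            value = self.factor() and value
        return value

    def factor(self):                   # factor := 'not' factor | '(' expr ')' | name
        tok = self._take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            self._take()                # consume ')'
            return value
        return self.results[tok]        # KeyError = typo in the condition


def match(detection, event):
    """True when the rule's condition holds for one event dict."""
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return Condition(detection["condition"], results).expr()


def run(detection, json_lines):
    """Return the events in a JSON-lines string that fire the rule."""
    events = [json.loads(line) for line in json_lines.splitlines() if line.strip()]
    return [e for e in events if match(detection, e)]


# Constructed process-creation events, one JSON object per line.
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ProcessId": 1003, "Image": r"C:\Windows\SYSTEM32\REG.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"REG EXPORT hklm\security C:\temp\sec.reg"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Program Files\Backup\BackupAgent.exe",
     "CommandLine": r"reg save HKLM\SYSTEM D:\backup\system.hiv"},
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell -c 'reg save hklm\sam c:\x'"},
])

if __name__ == "__main__":
    for hit in run(DETECTION, SAMPLE_LOGS):
        print(hit["ProcessId"], hit["CommandLine"])
```

Two of the five lines fire: 1001 and 1003 (case-insensitive, `export` as well as `save`). 1004 is suppressed by the filter, 1002 lacks the verb, and 1005 fails the Image test even though its command line mentions the SAM hive, the usual reminder that a `filter_*` selection only removes what it names and that field choice decides what a rule can see. A filter on a field the event lacks (no ParentImage) simply does not apply.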
I built this tool for myself. Shared a preview here a few days ago… and wow. Didn’t expect such a strong response. Thanks everyone who reached out 🙏

Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
Feel free to comment below 👇

** The AI generation is happening on the client side. You simply bring your own OpenRouter key, and you are responsible for billing, etc.
** I have special prompts for minimizing AI-generated garbage/slop output.