Still on your journey to mastering ASR rules?
Don't sleep on ASRGEN.
Point. Click. Generate ASR rules.
Learn + test safely with built-in atomic simulations
Export to Intune/GPO-ready formats
Built for defenders, by defenders
asrgen.streamlit.app
github.com/MHaggis/ASRGEN
Just dropped a 1-hour rabbit hole dive into API playgrounds, mocks, and random nerdy finds.
We started with ClickGrab, but then it turned into:
- Beeceptor
- Mockbin
- Zudoku
- VirusTotal hunts
- ChatGPT making OpenAPI bins and routes
Chaotic, nerdy, fun. Come hang out: youtu.be/j7QE-6p9Y9Q
Minted narwhal!
I am/was burnt sienna goose
New ASR rules are now GA:
- Block rebooting in Safe Mode
- Block copied/impersonated system tools
ASRGEN had these since preview.
Want to:
- Quickly create Intune-ready ASR policies
- Simulate and understand rule impacts
Check asrgen.streamlit.app
Be proactive. Be precise.
The hunt begins...
The first drops for PowerShell-Hunter: Season 2 are coming SOON.
New tools. Smarter hunting. Sexier telemetry.
This isn't just DFIR, it's an evolution.
Hunt smarter. Hunt harder.
github.com/MHaggis/Powe...
PowerShell-Hunter Season 2 is coming
- More atomic tools
- Smarter, faster log analysis
- Machine learning meets lateral movement
- PowerShell so slick it should be illegal
You're not ready, but you should be.
Star the repo or miss the magic:
Exciting News: PCA Analyzer is now part of the PowerShell-Hunter suite!
Check it out on GitHub: github.com/MHaggis/PowerShell-Hunter
Windows Security and SDDL: What You Need to Know
Windows permissions misconfigurations are a goldmine for attackers. SDDL (Security Descriptor Definition Language) remains overlooked yet highly exploitable.
@nasbench.bsky.social and I break it down -->
(1/)
In our latest blog, we break down SDDL:
- How it structures Windows security
- How attackers, from LockBit to RomCom, manipulate it for privilege escalation and defense evasion
- How to detect and defend
(2/)
Top 3 Things You'll Learn:
1. How attackers exploit SDDL: event log tampering, service hardening, and more
2. How to decode SDDL strings and analyze permissions, DACLs, and ACEs
3. How to defend against SDDL abuse with detections and Atomic Red Team tests
(3/)
Need to decode or generate SDDL? Try SDDLMaker
https://thesddlmaker.streamlit.app/
Read the full blog:
https://www.splunk.com/en_us/blog/security/windows-security-sddl-guide-access-control.html
(4/)
Want a deeper dive? Check out Atomics on a Friday, where we introduce SDDLMaker!
https://www.youtube.com/watch?v=uSYvHUVU8xY
RT/Reshare if you find this useful!
#WindowsSecurity #SDDL #Cybersecurity #Splunk #AtomicRedTeam
Splunk Security Content:
https://research.splunk.com/stories/defense_evasion_or_unauthorized_access_via_sddl_tampering/
Mind Map:
https://github.com/MHaggis/SDDLMaker/tree/main/MindMap
(5/)
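The SDDL thread above promises decoding of SDDL strings into DACLs and ACEs plus detection of event-log and service tampering. The following is an added example, not code from the blog, from SDDLMaker, or from the Splunk detections: a small Python decoder that splits an SDDL string into owner, group and ACEs, expands both hex masks and two-letter rights codes, and flags two tampering patterns (a deny ACE aimed at a broad principal, or a broad principal granted write/descriptor control). Assumptions: the SID alias and rights tables are a subset of the SDDL specification; the sample strings are constructed for this example (the first mirrors the commonly documented default ChannelAccess descriptor for the Security log, the tampered and weakened variants are made up); the function names are this example's own.

```python
"""Decode SDDL strings into owner, group and ACEs, then flag two tampering patterns:
deny ACEs against broad principals, and broad principals granted sensitive rights."""
import re

# Subset of the SDDL well-known SID abbreviations and display names.
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
               "BO": "S-1-5-32-551", "WD": "S-1-1-0", "AU": "S-1-5-11", "IU": "S-1-5-4",
               "AN": "S-1-5-7", "NS": "S-1-5-20", "LS": "S-1-5-19", "SU": "S-1-5-6",
               "CO": "S-1-3-0"}
SID_NAMES = {"S-1-5-18": "Local System", "S-1-5-32-544": "Administrators",
             "S-1-5-32-545": "Users", "S-1-5-32-551": "Backup Operators",
             "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
             "S-1-5-4": "Interactive", "S-1-5-7": "Anonymous",
             "S-1-5-20": "Network Service", "S-1-5-19": "Local Service",
             "S-1-5-6": "Service", "S-1-3-0": "Creator Owner",
             "S-1-5-32-573": "Event Log Readers"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY",
             "AU": "AUDIT", "AL": "ALARM"}
# Two-letter rights codes -> access-mask bits (generic, standard, object-specific).
RIGHT_CODES = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
               "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
               "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100}
GENERIC_BITS = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
                0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
STANDARD_BITS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
# Object-specific low bits differ per securable object; "sensitive" marks the bits whose
# grant to a broad principal weakens the object (log write/clear, service reconfiguration).
OBJECT_KINDS = {
    "eventlog": {"bits": {0x1: "READ", 0x2: "WRITE", 0x4: "CLEAR"}, "sensitive": 0x6},
    "service": {"bits": {0x1: "QUERY_CONFIG", 0x2: "CHANGE_CONFIG", 0x4: "QUERY_STATUS",
                         0x8: "ENUMERATE_DEPENDENTS", 0x10: "START", 0x20: "STOP",
                         0x40: "PAUSE_CONTINUE", 0x80: "INTERROGATE",
                         0x100: "USER_DEFINED_CONTROL"}, "sensitive": 0x2},
}
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-4", "S-1-5-7"}
DESCRIPTOR_CONTROL = 0x40000 | 0x80000 | 0x40000000 | 0x10000000  # WD, WO, GW, GA
SECTION_RE = re.compile(r"([OGDS]):")
ACE_RE = re.compile(r"\(([^)]*)\)")


def resolve_sid(token):
    sid = SID_ALIASES.get(token, token)
    return sid, SID_NAMES.get(sid, sid)


def parse_rights(token):
    """Rights are a hex mask (0xf0005) or a run of two-letter codes (CCLCSWRPWPDTLOCRRC)."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        code = token[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError(f"unknown rights code {code!r} in {token!r}")
        mask |= RIGHT_CODES[code]
    return mask


def describe_mask(mask, kind):
    tables = {**GENERIC_BITS, **STANDARD_BITS, **OBJECT_KINDS[kind]["bits"]}
    return [name for bit, name in tables.items() if mask & bit]


def parse_acl(body, kind):
    """body is the text after D: or S:, e.g. PAI(A;;0x1;;;SY); leading letters are ACL flags."""
    flags, aces = body.split("(", 1)[0], []
    for m in ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({m.group(1)})")
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, trustee = fields
        sid, name = resolve_sid(trustee)
        mask = parse_rights(rights)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags,
                     "mask": mask, "rights": describe_mask(mask, kind),
                     "sid": sid, "name": name})
    return flags, aces


def parse_sddl(sddl, kind="eventlog"):
    parts = SECTION_RE.split(sddl)  # ['', 'O', 'BA', 'G', 'SY', 'D', '(A;;...)...']
    sections = dict(zip(parts[1::2], parts[2::2]))
    result = {"kind": kind, "dacl_flags": "", "dacl": [], "sacl": [],
              "owner": resolve_sid(sections["O"]) if "O" in sections else None,
              "group": resolve_sid(sections["G"]) if "G" in sections else None}
    if "D" in sections:
        result["dacl_flags"], result["dacl"] = parse_acl(sections["D"], kind)
    if "S" in sections:
        result["sacl"] = parse_acl(sections["S"], kind)[1]
    return result


def find_tampering(parsed):
    """DENY ACEs against broad principals, or ALLOW ACEs handing them sensitive bits."""
    kind, findings = parsed["kind"], []
    sensitive = DESCRIPTOR_CONTROL | OBJECT_KINDS[kind]["sensitive"]
    for ace in parsed["dacl"]:
        if ace["sid"] not in BROAD_PRINCIPALS:
            continue
        if ace["type"] == "DENY":
            findings.append({"name": ace["name"], "issue": "deny", "rights": ace["rights"]})
        elif ace["type"] == "ALLOW" and ace["mask"] & sensitive:
            findings.append({"name": ace["name"], "issue": "broad_write",
                             "rights": describe_mask(ace["mask"] & sensitive, kind)})
    return findings


def diff_dacl(baseline, observed):
    """(added, removed) ACEs as (type, sid, mask) tuples against a known-good baseline."""
    key = lambda a: (a["type"], a["sid"], a["mask"])
    base, obs = {key(a) for a in baseline["dacl"]}, {key(a) for a in observed["dacl"]}
    return sorted(obs - base), sorted(base - obs)


# Constructed samples: the commonly documented default ChannelAccess SDDL of the Security
# log; the same with a deny ACE for Everyone appended (modelling log tampering); and a
# made-up service descriptor in which Interactive users were handed DC (CHANGE_CONFIG).
DEFAULT_SECURITY_CHANNEL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
TAMPERED_SECURITY_CHANNEL = DEFAULT_SECURITY_CHANNEL + "(D;;0x1;;;WD)"
WEAKENED_SERVICE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCDCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    base, tampered = parse_sddl(DEFAULT_SECURITY_CHANNEL), parse_sddl(TAMPERED_SECURITY_CHANNEL)
    for ace in tampered["dacl"]:
        print(f'{ace["type"]:5} {ace["name"]:18} {",".join(ace["rights"])}')
    print("added vs default:", diff_dacl(base, tampered)[0])
    print("channel findings:", find_tampering(tampered))
    print("service findings:", find_tampering(parse_sddl(WEAKENED_SERVICE, "service")))
```

The object-kind table matters: the low mask bits mean different things for an event log channel (read/write/clear) and a service (query/change config, start/stop), so the same hex value is reported differently depending on which registry value or `sc sdshow` output the string came from. Comparing a live descriptor against a stored baseline with `diff_dacl` is usually a lower-noise detection than judging any single ACE in isolation.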
Tomorrow, join us for a legendary episode of Atomics on a Friday featuring Jonathan Johnson (@jsecurity101) as we dive deep into JonMon, the tool redefining Windows telemetry!
'Twas the night before JonMon, and all through the net,
Defenders were stirring, their systems to vet.
The telemetry was hung in EventViewer with care,
In hopes that Jonny Johnson soon would be there.
Friday, January 24th
11 AM MST | 1 PM EST
YouTube: youtube.com/watch?v=CqEhtg…
I got you!
Down to the end of my last Christmas blend, what do you recommend this holiday season? I typically get Red Rooster or Atomic.
www.redroostercoffee.com/products/goo...
atomicroastery.com/products/mer...
Happy Monday
Webshell Testing for Defenders
Having automated tools to spin up web servers isn't just convenient, it's a game-changer for defenders. Here's why:
Detection Opportunities:
Use these servers to validate analytic coverage for:
- File modifications (webshell uploads)
- Process executions (commands from shells)
- Suspicious behaviors triggered by shells
How to Use:
1. Deploy your favorite tools (Sysmon, EDR, XDR, etc.)
2. Grab a webshell of choice, upload it, and start testing!
3. Observe logs, alerts, and behaviors to identify gaps in your coverage.
Tools for Testing:
- Apache Builder: https://buff.ly/4fOt8F9
- IIS Builder: https://buff.ly/4fLGySm
Empower your security team to hunt, detect, and patch gaps before attackers exploit them.
Test, learn, and refine! #CyberSecurity #ThreatHunting #WebShellDetection
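The webshell testing post above lists the two telemetry sources worth validating once a shell is uploaded to one of these lab servers: file writes into the webroot and processes spawned by the web server worker. As an added example (not code from the Apache/IIS builders or from the post), here is the detection logic in Python run over a handful of constructed Sysmon-style events (EID 1 process create, EID 11 file create). The image lists, webroot paths and sample events are this example's own assumptions, chosen to cover both an IIS (`w3wp.exe`) and an Apache (`apache2`) case.

```python
"""Two detections over Sysmon-style process-create (EID 1) and file-create (EID 11) events:
a web server worker spawning a shell, and a server-side script landing in the webroot."""

WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "httpd", "apache2", "nginx.exe", "nginx",
                     "php-cgi.exe", "php-fpm", "tomcat9.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "wscript.exe",
                "cscript.exe", "certutil.exe", "bitsadmin.exe", "whoami.exe", "net.exe"}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".cfm"}
WEBROOTS = ("c:/inetpub/wwwroot", "c:/xampp/htdocs", "/var/www", "/usr/share/nginx/html")


def norm(path):
    """Lower-case and use forward slashes so Windows and POSIX paths compare the same way."""
    return path.replace("\\", "/").lower()


def basename(path):
    return norm(path).rsplit("/", 1)[-1]


def extension(path):
    # Last extension only, so "avatar.jpg.aspx" is treated as .aspx.
    name = basename(path)
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def in_webroot(path):
    return any(norm(path).startswith(root) for root in WEBROOTS)


def detect(events, require_webserver_writer=True):
    """Return alerts; with require_webserver_writer=False any process dropping a script
    into the webroot is flagged (noisier, but catches uploads over SMB/FTP/deploy tooling)."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in WEB_SERVER_IMAGES and child in SHELL_IMAGES:
                alerts.append({"rule": "webserver_spawns_shell", "parent": parent,
                               "child": child, "cmdline": ev.get("CommandLine", ""),
                               "user": ev.get("User", "")})
        elif ev["EventID"] == 11:
            target, writer = ev["TargetFilename"], basename(ev["Image"])
            if not (in_webroot(target) and extension(target) in SCRIPT_EXTENSIONS):
                continue
            if require_webserver_writer and writer not in WEB_SERVER_IMAGES:
                continue
            alerts.append({"rule": "script_dropped_in_webroot", "file": target, "writer": writer})
    return alerts


# Constructed sample events (field names follow Sysmon's EID 1 and EID 11 schema).
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": W3WP, "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\avatar.jpg"},
    {"EventID": 11, "Image": W3WP, "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\avatar.jpg.aspx"},
    {"EventID": 1, "ParentImage": W3WP, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "ParentImage": "/usr/sbin/apache2", "Image": "/bin/sh",
     "CommandLine": "sh -c id", "User": "www-data"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe", "User": "CORP\\alice"},
    {"EventID": 11, "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\index.php"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the defaults the sample yields three alerts (the double-extension `.aspx` upload, `w3wp.exe` spawning `cmd.exe`, and `apache2` spawning `sh`); the `git.exe` write of `index.php` only fires when `require_webserver_writer=False`, which is the knob to turn when testing whether uploads that bypass the web server (SMB, FTP, CI deploys) are covered.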
Unlocking the Secrets of Braodo Stealer!
Dive into our latest blog where the Splunk Threat Research Team dissects the elusive Python malware and its sneaky obfuscated loader!
Cracking the code of Braodo Stealer's obfuscation
Things that get built on a Monday...
"Haag, do you have an easy way to build an Apache|NGINX|IIS server to easily simulate webshells?"
Hold my coffee...
- 5-min Apache+PHP setup
- Drop-in webshell support
See you Tuesday!
Blast from the past Atomics on a Friday
Attackers are weaponizing IIS modules for persistence, post-exploitation, and data theft.
Check out the blog + AOAF for more:
https://buff.ly/40UUWAI
Don't wait, watch to strengthen your defenses:
Living off GitHub: The Stargazers Ghost Network!
I somehow missed this, but WOW, what a fascinating deep dive into a DaaS operation! Fully automated, primed for quick Ops, and makes you wonder about the ones we haven't uncovered yet.
https://buff.ly/3LCYEIP