SnapAttack

Columbia, MD, USA
2021
  |  By Tim Nary
In the early days of cybersecurity, implementing a Security Information and Event Management (SIEM) system was akin to constructing a house from scratch. The SIEM was a blank slate, and transforming raw data into actionable insights was a long and arduous journey. It began with the daunting task of ingesting data from various disparate sources and formats. From there, security teams had to craft detections — rules designed to identify malicious or suspicious activity.
  |  By Tim Nary
The cybersecurity landscape is rapidly evolving, and nowhere is this more evident than in the Security Information and Event Management (SIEM) market. This period of transformation, marked by strategic mergers and high-stakes buyouts, signals not only a race for market dominance, but also the potential for profound changes in how cybersecurity solutions will operate in the future.
  |  By SnapAttack
SnapAttack unveils a Security Information and Event Management (SIEM) migration capability leveraging autonomous validation and detection translation.
  |  By SnapAttack
In a typical security operations center (SOC), the threat detection and response teams have one key objective: identify and stop the bad guys. To do so, they invest in the best tools, recruit the best team members, and work tirelessly to stay ahead of any potential security incidents that might be on the horizon.
  |  By SnapAttack
Welcome back. This is part two of our blog series covering the Impacket example tools. Impacket is a collection of Python classes focused on providing tools to understand and manipulate low-level network protocols. This capability enables you to craft or decode packets of a wide variety of protocols such as IP, TCP, UDP, ICMP, and even higher-level protocols like SMB, MSRPC, NetBIOS, and others.
  |  By SnapAttack
Impacket is a collection of Python classes focused on providing tools to understand and manipulate low-level network protocols. This capability enables you to craft or decode packets of a wide variety of protocols such as IP, TCP, UDP, ICMP, and even higher-level protocols like SMB, MSRPC, NetBIOS, and others.
  |  By SnapAttack
Threat hunting is a massive commitment of time, resources, team members, and technology. Any investment that impactful would normally be one that was carefully measured to ensure it was driving sufficient value for the team. The thing is, there’s no established benchmark of “success” in threat hunting.
  |  By SnapAttack
Ask any security leader and they’ll tell you actionable threat intelligence is the cornerstone of a successful, threat-informed security operations center (SOC). However, to be of any real value to the team, threat intelligence needs to be relevant, timely, and supportive of next steps for the teams that utilize it.
  |  By Trenton Tait
CVE-2023-46214 is identified as a Remote Code Execution (RCE) vulnerability within Splunk Enterprise, as reported in the Splunk security advisory SVD-2023-1104 on November 16, 2023. Successful exploitation of this vulnerability would give an attacker code execution on the target server. This can lead to exfiltration of sensitive information, persistence, lateral movement, destruction or impairment of the server, or many other malicious activities.
  |  By SnapAttack
SOC leaders who got their start in security 10 or 20 years ago have witnessed an incredible evolution of cyber attacks. Those who have failed to keep up find themselves operating in an unrecognizable sea of advanced adversaries. All kinds of organizations across every industry are struggling to maintain their pace on the rapid timeline that threat actors have set for them.
  |  By SnapAttack
On November 12, 2024, a joint cybersecurity advisory was released by agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom. This advisory highlights the **top routinely exploited vulnerabilities of 2023**, offering insights into persistent threats and the measures organizations can take to protect themselves.
  |  By SnapAttack
In 2022, Microsoft began blocking macros originating from the internet in Office, pushing both pentesters and threat actors to explore new methods for initial access. Fast forward to October 2024, and APT29 is leveraging one of those methods—Rogue RDP—discovered as a workaround back in 2022. In this video, we dive into a recent spearphishing campaign uncovered by the Ukrainian CERT, where attackers used Rogue RDP to gain initial access to targets. This video will provide you practical detection opportunities that can be used to hunt for this activity in your environment.
  |  By SnapAttack
FIN7 is dead… right? In this week’s Threat SnapShot we breakdown a SentinelOne report on the group FIN7. We focus on detection strategies for their latest tools, covering three main tools: Powertrash (an obfuscated PowerShell script for payload loading), a batch script for persistence, and AU Kill (an antivirus neutralizer). For each tool, we explain its function and offer specific detection methods.
  |  By SnapAttack
Our CTO, Fred Frey, met with Teddy Powers from Google Cloud Security at the Google Massachusetts Ave Office to discuss the topic: "Turning Novel Threats into Detections Easily with SnapAttack." Discover how SnapAttack can integrate with Mandiant's threat intelligence, security validation, and Google Chronicle to enhance detection and create actionable workflows for your organization.
  |  By SnapAttack
Have you ever read a threat report and thought, “These tools could definitely be superhero names”? Well, you’re not alone! In this video, we dive into the recent APT41 campaign and explore the detection opportunities that arise from it. From tools like BlueBeam, AntSword, DustPan, and PineGrove, we break down how these were used in APT41’s latest operations and how you can detect them in your environment.
  |  By SnapAttack
Discover how to detect the GrimResource attack, a novel code execution technique leveraging Microsoft Management Console (MMC) files. This threat snapshot video breaks down Elastic Security Labs' research on this stealthy initial access vector that evades common defenses. Key points covered: Learn practical steps to protect your systems against this emerging threat. *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*
  |  By SnapAttack
You've probably heard of Microsoft's new Recall feature by now. It's a info stealer's dream come true. There has been a lot of information release about how this new feature is a security nightmare and how it works. But today we are going to dig in and discover how to actually detect abuse of this new feature.
  |  By SnapAttack
Welcome to this week's episode of SnapAttack Threat Snapshot! In this video, we'll dive into CVE-2024-32002, a critical remote code execution (RCE) vulnerability in Git that leverages symlink handling in repositories with submodules. This vulnerability can be exploited through a simple git clone command, potentially allowing attackers to execute arbitrary code on the victim's machine. *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*
  |  By SnapAttack
In this episode, we dive into CVE-2024-30051, a critical out-of-bounds write vulnerability in the Desktop Window Manager. This bug, similar to CVE-2023-36033, allows attackers to escalate privileges to SYSTEM by exploiting a heap overflow in dwmcore.dll. CVE-2024-30051 has been actively exploited to deploy malware like Qakbot, as identified by Kaspersky. This video covers the process of hunting down a sample, executing it in a sandbox environment, and creating effective detections using logs from the exploit’s activity.
  |  By SnapAttack
Since 2021, ransomware groups have set their sights on VMware ESXi hypervisors, with the SEXi variant, emerging in 2024, being the most recent threat. The Babuk Locker was one of the first to target ESXi, and its leaked source code enabled other strains like ESXiArgs, BlackBasta, and Clop to develop customized variants terminating VMs and encrypting data on ESXi servers. While employing similar tactics like exploiting vulnerabilities and encrypting VM files, these ESXi-focused ransomware exhibit patterns that provide detection opportunities across the board. By analyzing past attacks, we can better prepare for future threats targeting our virtualization environments. Join the SnapAttack community to access in-depth detection content covered in this video and stay ahead of evolving ransomware targeting ESXi.

SnapAttack helps Threat Detection teams identify threat-intel driven detection objectives, assess detection coverage gaps, and rapidly fill coverage gaps using a repository of 10,000+ pre-written SIEM & EDR correlation rules and threat hunt queries.

Remove barriers to proactive threat management:

  • Accelerate Threat Hunting: Get the tools, the context, and the workflow to quickly and easily threat hunt with precision.
  • Simplify Detection Engineering: Deploy rapid detection coverage for the threats that matter most.
  • Modernize Threat Intelligence: Understand the threat landscape through your organization’s unique context, then mobilize with relevant behavioral detection content.
  • Streamline SIEM Migration: Get up to speed on your new tool faster with expanded, validated MITRE ATT&CKTM coverage of your detection blindspots.

Your single line of sight from intelligence-led threat hunting to threat-informed detection.