LogRhythm Labs


A Guide to Detecting Microsoft Exchange Zero-Day Exploits

TL;DR: First and foremost, apply patches to the Exchange infrastructure. Assume compromise. It’s been reported that the attackers carried out a mass compromise of 60,000+ Exchange Servers before patches became available, and many other attackers are actively looking for exploited…


Dissecting the Golden SAML Attack Used by Attackers Exploiting the SUNBURST Backdoor


Windows Certificate Export: Detections Inspired by the SolarWinds Compromise

TL;DR: Methods to detect when a certificate is exported from a Windows system are discussed in detail below, using the audit log “Certificate Services Lifecycle Notifications” and collecting the log messages with the “MS Windows Event Logging XML – Generic” log…


Telecommunication Security Use Cases

Attacks made against telcos and internet service providers (ISPs) have steadily risen. Distributed denial of service (DDoS) attackers launched an 11-day attack against a Chinese telco in 2017 — breaking the DDoS record that year. That same year, Kaspersky Lab…


How to Detect and Respond to SS7 Attacks — OT Telco Use Cases

In the telecom environment, the Signaling System No. 7 (SS7) protocol is crucial, especially in 2G networks. If you’re wondering how SS7 works, it is an international telecommunications standard used to set up public switched telephone network (PSTN) and…


How to Detect and Search for SolarWinds IOCs in LogRhythm

LogRhythm Labs has gathered up the indicators of compromise (IOCs) from CISA, Volexity, and FireEye associated with the recent SolarWinds supply chain attack and made them available in a GitHub repository for your convenience. Feel free to download and import…


Threat Hunting Framework: Three Steps to Translate Threat Reports into Actionable Steps

Thanks to Sally Vincent and Dan Kaiser from the LogRhythm Labs team for developing the process and guiding content described in this post. Threat research can be an invaluable asset to security teams when attempting to formulate a proactive stance…


How to Detect Exploits of FireEye Red Team Tools in Your Environment

What The FireEye Breach Means for Security Operations Teams On December 8, 2020, FireEye announced that they had been “attacked by a highly sophisticated threat actor” and that they “found that the attacker targeted and accessed certain Red Team assessment…


LogRhythm MITRE ATT&CK Knowledge Base (KB) Module 2.0

Major Update to the LogRhythm MITRE ATT&CK KB Module: When LogRhythm originally developed and launched the MITRE ATT&CK Knowledge Base (KB) Module, we worked under MITRE ATT&CK’s version 6. MITRE is constantly developing the ATT&CK framework, and many changes have…


6 Cybersecurity Predictions for 2021

Over the past few weeks, we’ve been reviewing our previous cybersecurity predictions (click here for part 1 and here for part 2 if you missed them). But now, it’s time to look to the future. After a team discussion, we…
