On October 1, 2025, Würth Group employees were targeted by a WhatsApp-based cyberattack. A few users fell for it and some devices got infected. The attack was promptly detected by our Cyber Defense Center, and was stopped before it could spread further. Investigating the threat more deeply, we discovered it was part of a wider…
Read MoreMy SANS Course in London – April 2025 Back in April, I had the opportunity to attend a SANS course in London. More precisely, SANS 504: Hacker Tools, Techniques, and Incident Handling. The course ran from April 7th to April 12th, and those six days were intense, exciting, and surprisingly fun in ways I didn’t…
Read MoreIntroduction In modern SOC environments, detection rules are the cornerstone of identifying malicious activity. However, the effectiveness of a rule depends not only on what it looks for but also on how precisely it defines suspicious behavior. Many analysts have experienced the pain of rules that are “noisy” – generating countless false positives (FPs) that…
Read MoreWelcome back for the second and last part of our journey into the jungle of Windows logs! In the first part we set out our goal – tracking admin authentications – and learned more about Windows, how authentication events are logged, and where can we focus to isolate the most accurate events. Today we’re going…
Read MoreIntroduction Windows environments rely heavily on authentication protocols like NTLM and Kerberos. While these protocols serve critical security purposes, they are also commonly abused during malicious activities. This article explains how to detect suspicious behaviors related to Domain Account Discovery and Credential Access, specifically focusing on Enumeration, Brute Force, and Password Spraying attempts via NTLM…
Read MoreIf you’ve ever worked with Windows authentication logs, you know they can be a chaotic mess. Even when you’re looking for something apparently simple and useful – like tracking admin logins – you quickly find yourself in a sea of redundant entries, some of them logged for no apparent reason, and poorly documented details. I’ve…
Read MoreStepping Deeper into the CTF World It seems that this year, I’m a step further into the world of Capture The Flag (CTF) competitions: not sure why but I don’t regret it. We’re only halfway through the year, and I’ve already participated in three events. Not a huge amount, but a noticeable jump considering that…
Read MoreThis article gives an overview and offers a practical tips to detecting some suspicious activities in Microsoft SQL Server, from configuring audit policies to leveraging Elastic for effective monitoring and threat detection. Introduction Microsoft SQL Server is one of the most widely used relational databases in the enterprise landscape, managing critical data and supporting essential…
Read MoreYes, you read that title right. Today I’m going to tell you about the time I went on a hunt to bring a velociraptor and a chainsaw into the Würth Phoenix Security Operations Center. I know that it might sound strange to many and few will believe it, but I’m sure that once you get…
Read MoreNowadays attacks evolve over time and threat actors are following different ways to reach the same objectives. This could represent a problem on the defensive side. How can you always be up-to-date and ready to detect, but then when a vulnerability is exploited be able to act in several ways depending on the threat actor?…
Read MoreIn this post, we’ll explore the synergy between a Cyber Threat Intelligence (CTI) platform and a traditional Security Operations Center (SOC) service. For those interested in the topic, I recommend reading my previous article, where I demonstrated a concrete example of integration between our SIEM and SATAYO, the CTI platform we use in our SOC….
Read MoreThe team behind the popular underground forum BlackForums has announced, on its Telegram channel, that it has formed a new pact with the BloodForge group. From this pact was born The Brotherhood, an organization that aims to provide a RaaS (Ransomware as a Service). The new BloodForge channel then presented the features and capabilities of…
Read MoreThe purpose of this article is to show a real-life case study of the integration of the new Elastic ES|QL language within the detection rules used by the SOC to detect cyber threats. Overview ES|QL (Elasticsearch Query Language) is an SQL-like query language developed by Elastic specifically for querying time series and event data stored…
Read MoreHave you already read this blog post Adding soar features to the soc part 1 vulnerability management? If not, you have to! It explains the SOAR features leveraged by the Würth Phoenix SOC and how we implement our Vulnerability Management process. In this article, I’ll take a step back, focusing on what happens before the…
Read MoreIn this article, we’re going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real case, we’ll see the study and analysis carried out to create a rule to monitor…
Read More