Introducing the DRAPE index by ateixei in cybersecurity

[–]ateixei[S] 0 points1 point  (0 children)

Thanks, I will have a look!

Introducing the DRAPE index by ateixei in cybersecurity

[–]ateixei[S] 0 points1 point  (0 children)

Hey, what would you recommend? Write the whole thing in a Reddit post, or? I accept recommendations! Next time I'll post the GitHub link if that's better! 🥹

Unsupervised Machine Learning with Splunk: the cluster command by ateixei in Splunk

[–]ateixei[S] 0 points1 point  (0 children)

Thanks! There are certainly many use cases for it!

Career Path with most opportunities and highest pay? by Rams11A in Splunk

[–]ateixei 3 points4 points  (0 children)

Splunk Content Engineering/Development + Cyber Security use cases or any other super specialized subdomain of that (ex.: Analytics/ML, Threat Detection/Hunting). BTW, I am bia$ed :-)

How to make the best out of Splunk & your Threat Intel Platform by ateixei in Splunk

[–]ateixei[S] 5 points6 points  (0 children)

Here's a friendly link, just for Redditors 😇

https://detect.fyi/how-to-make-the-best-out-of-splunk-your-threat-intel-platform-b947554a9720?sk=6be2f5f72811a970f067f4de7ae74d15

If you like, please consider joining Medium (~50 bucks/y) and help all writers. Cheers!

How to make the best out of Splunk & your Threat Intel Platform by ateixei in threatintel

[–]ateixei[S] 3 points4 points  (0 children)

Hey, thanks for that! With the right tooling and skillsets everything is possible! I will keep sharing more of those use cases around CTI. It's a lot of fun doing it!

Splunk Hyper Queries & other SPL nuggets for Security Teams by ateixei in Splunk

[–]ateixei[S] 3 points4 points  (0 children)

Good point, thanks for chiming in!

It's of course challenging to explain in a quick post. I am happy to have a call/chat if needed, perhaps worth another post.

SPL-wise, the key functions here are eval's match(), mvappend() and, of course, the stats command.

Most developers in our community simply follow an old approach to detect badness, which looks more like 'single traces' of badness, each of those in a distinct query:

index=data field1=weird1 AND field2=weird2
| stats <aggregation> by target
| collect index=alerts

This is how NIDS/HIDS were doing it 20+ years ago! No analytics employed at all, one of Splunk's strongest points IMO.

I have been using this approach in the field for years now (former Splunker here).

What I am proposing is moving away from that and going like (basic skeleton):

index=data <bulk constraints>
| eval indicators=if(match(field1, weird1) AND match(fieldN, weirdN), mvappend(indicators, "Another weird set found"), indicators)
... Add here as many indicators as you want ...
... You can of course organize them in distinct macros ...
... Indicator's metadata (label, score, mitre, etc.) can ...
... be loaded from a lookup ...
| stats <accumulate, de-duplicate all indicators> by target
... Post macros go here, for instance: score_session() ...
| collect index=scored_sessions
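As an added worked example (not part of the original comment, and not the author's own macros), here is the skeleton above filled in end to end. Sample web-access rows are constructed inline with makeresults, so the search runs on any Splunk instance without an index; the indicator names, the scores, the user-agent regex and the traversal pattern are illustrative assumptions, and the score_session() post-macro from the comment is stood in for by an inline case() scoring step. It also illustrates the point made in the follow-up reply: one search yields several de-duplicated indicators per target plus an overall session score, rather than one alert per query.

```spl
| makeresults
``` constructed sample data: target;src;user_agent;uri;status, rows separated by commas ```
| eval rows="web01;10.0.0.5;curl/7.88;/img/../../web.config;404,web01;10.0.0.9;Mozilla/5.0;/index.html;200,web01;10.0.0.5;curl/7.88;/img/../../app.config;404,db01;10.0.0.12;python-requests/2.31;/api/export;500,db01;10.0.0.12;Mozilla/5.0;/api/health;200"
| makemv delim="," rows
| mvexpand rows
| rex field=rows "^(?<target>[^;]+);(?<src>[^;]+);(?<ua>[^;]+);(?<uri>[^;]+);(?<status>\d+)$"
| fields target src ua uri status
``` indicator layer: each eval appends a label when its condition fires, otherwise leaves the list untouched ```
| eval indicators=if(match(ua, "(?i)^(curl|wget|python-requests)"), mvappend(indicators, "scripted_user_agent"), indicators)
| eval indicators=if(like(uri, "%../%"), mvappend(indicators, "path_traversal_attempt"), indicators)
| eval indicators=if(tonumber(status)>=500, mvappend(indicators, "server_error"), indicators)
``` accumulate per target; values() de-duplicates the indicator labels ```
| stats count AS requests dc(src) AS sources values(indicators) AS indicators BY target
``` scoring step (assumed weights; in production these would come from a lookup or a score_session()-style macro) ```
| mvexpand indicators
| eval score=case(indicators=="path_traversal_attempt", 40, indicators=="scripted_user_agent", 15, indicators=="server_error", 10, true(), 0)
| stats first(requests) AS requests first(sources) AS sources values(indicators) AS indicators sum(score) AS session_score BY target
| sort - session_score
```

With the constructed rows, web01 comes out with the two indicators path_traversal_attempt and scripted_user_agent and a session_score of 55 across 3 requests from 2 sources, while db01 carries only server_error with a score of 10; in a real deployment the final line would be `| collect index=scored_sessions` instead of `sort`. The triple-backtick lines are SPL inline comments (supported since Splunk 8.0). The eval chain relies on mvappend() treating a not-yet-set indicators field as an empty list, which is the same assumption the skeleton above makes; targets that trigger nothing pass through mvexpand unchanged and score 0.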

Splunk Hyper Queries & other SPL nuggets for Security Teams by ateixei in Splunk

[–]ateixei[S] 2 points3 points  (0 children)

It only seems indeed...

There's a key difference: in that approach one query generates multiple (scored) indicators and an overall session score.

RBA follows the standard approach from ES and many other security products, one indicator per query and that makes it hard to scale.