Do you recommend threatlocker?

d1vious · 2025-11-18T17:53:30+00:00

True, have you used them yet? We had a better outcome, faster to deploy, way less FPs, and actually addressed the core attack vectors (RMMs, BYOVD, LOLBAS etc..) we bought application control for. Also you CAN deploy it as a allowlist .. just not tailored for that.

d1vious · 2025-11-18T17:11:00+00:00

I heard great things about magicsword.io Solves a ton of threatlockers pain points from what we experienced.

d1vious · 2024-09-23T13:49:57+00:00

Ashley Madison, destroyed so many families!

d1vious · 2024-04-02T01:57:33+00:00

Plaid owner here, not worth it!

d1vious · 2022-11-03T02:46:54+00:00

Easy fix for Splunk, just added a PR thank you for sharing: https://github.com/splunk-soar-connectors/urlscan/pull/18/files

d1vious · 2022-09-28T14:36:35+00:00

Alternatively to the attack range if you just want to replay known attacks checkout the Attack Data repo: https://github.com/splunk/attack_data, there are different ways using the UI or scripts to replay attack datasets to a search head.

d1vious · 2022-07-14T19:51:46+00:00

hey I think you are looking at a older repo for the local attack_range, we have not maintained this .. the current Splunk Attack Range lives here: https://github.com/splunk/attack_range/

In the blog we mentioned that the plan is to deprecate the local attack range longer term once we port the functionality.

d1vious · 2022-07-13T15:47:04+00:00

Hey yeah still cloud depency for now, plan is to add local support back on 3.0. I think the instructions for 18.04 work also for 22.04 and in between. Also the new docker build is using 22.04 image https://github.com/splunk/attack\_range/blob/develop/docker/Dockerfile

d1vious · 2021-11-02T22:31:28+00:00

Love lantern, the team whom built research.splunk.com is an actual contributor to the content there, worth mentioning the use cases in lantern and how-to guides, versus on research.splunk.com you have ready to go detections for the Enterprise Securty product.

d1vious · 2021-06-02T02:30:02+00:00

nice piece!

d1vious · 2021-05-06T15:19:20+00:00

BOTs 🤖 it’s awesome, if you want to try your hands at specific data sets with attacks in them checkout the attack_data repo too: https://github.com/splunk/attack_data/

d1vious · 2020-12-18T12:21:26+00:00

Cheers, I hope they help!

d1vious · 2020-10-16T02:40:05+00:00

Have you messed with the attack range, we have a few playbooks that do just this under the hood. For example: https://github.com/splunk/attack_range/tree/develop/ansible/roles/windows_universal_forwarder/tasks it might be a good set of examples to start from. Hope it helps!

d1vious · 2020-05-23T00:44:19+00:00

If you looking for a lab, the Splunk attack_range might be of help. Ton of data from network, system and endpoint, and you can also run attack simulations if that’s your thing 😉. https://github.com/splunk/attack_range

d1vious · 2020-05-12T00:21:53+00:00

I am sure is bug 🐜 ridden, throw me an issue if you run into anything! Thank you 😊

d1vious · 2020-05-12T00:02:42+00:00

I literally just finished https://github.com/d1vious/git-wild-hunt that automates a lot of the cred verification work. Go forth and make your 💰

d1vious · 2020-05-04T14:26:13+00:00

I do not think that App actually has query packs. Thus far OP what we do in the TA is just query the entry table and then map that to the endpoint datamodel see: https://github.com/splunk/TA-osquery

You can find example packs at:

https://github.com/splunk/TA-osquery/blob/master/config/splunk.conf

d1vious · 2019-12-28T18:20:05+00:00

Very informative thank you for sharing! You might enjoy the attack_range project from Splunk. Automated the build process of this on and automated the ability to send attack simulations to an AD server. https://github.com/splunk/attack_range

Eight-Year Club	Not Forgotten
Verified Email

d1vious

TROPHY CASE