Part 2: From Threat Intel to Alert – Deploying Sigma Rules in an Elastic SOC

This final installment provides the practical, step-by-step guide on how to integrate Sigma into an Elastic Security Operations Center (SOC) workflow, using a relevant and recent threat, Rhysida Ransomware, as a concrete example.

The first part of this series established Sigma as the universal language of threat detection, designed to overcome vendor lock-in. Now, it’s time to put that theory into practice.

This guide focuses on implementing a complete Detection as Code (DaC) workflow within an Elastic Security environment, transforming raw threat intelligence into functional, high-fidelity alerts using the power of Sigma.

1. The Elastic Integration Workflow: Bridging Schema Gaps

The fundamental challenge in deploying any detection rule is ensuring the query fields match your ingested data. For Elastic, this means aligning the Sigma rule’s expected fields with the Elastic Common Schema (ECS).

The Four-Step Implementation Process

  1. Identify the TTP: Pinpoint the specific adversary action (e.g., a PsExec execution).
  2. Write the Generic Sigma Rule (YAML): Define the core logic using generic log sources.
  3. Translate to KQL: Use the Sigma converter tool to generate the native Kibana Query Language (KQL).
  4. Deploy and Validate: Configure the KQL as an Elastic Security Detection Rule in Kibana.

2. Case Study: Detecting Rhysida Ransomware Activity

To demonstrate Sigma’s agility, we are using the Rhysida Ransomware group as our case study. According to recent threat reports, Rhysida frequently relies on legitimate, but abused, system tools for lateral movement.

We will focus on two critical, actionable TTPs mentioned in the Barracuda report:

  • TTP 1 (Lateral Movement): Use of PsExec to execute the ransomware binary remotely. (MITRE ATT&CK: T1570).
  • TTP 2 (Impact): Creation of files with the distinctive .rhysida file extension. (MITRE ATT&CK: T1486).

3. Practical Implementation: PsExec Detection via Sigma

Our goal is to write a rule that detects the specific process creation events associated with PsExec deploying a payload—a common precursor to encryption.

Step 3A: The Sigma Rule (YAML)

This generic Sigma rule defines the logic to detect the creation of the PSEXESVC.exe service, a key artifact of PsExec remote execution:

YAML

title: Rhysida PsExec Remote Payload Execution
logsource:
  product: windows
  category: process_creation
  service: sysmon # Assumes Sysmon or similar EDR data collection
detection:
  selection:
    # PsExec's key artifact is the creation of the PSEXESVC service
    ParentImage|endswith: '\services.exe'
    Image|endswith: '\PSEXESVC.exe'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1570 # Lateral Tool Transfer

Step 3B: Translation to KQL

When the above YAML is fed into a Sigma converter tool (configured for the elasticsearch-kibana backend), the output is the required KQL:

Code snippet

(process.parent.executable: "services.exe" AND process.executable: "PSEXESVC.exe")

Note: The converter automatically maps ParentImage and Image to the correct ECS fields (process.parent.executable and process.executable) based on the logsource definition.

Step 3C: Deployment in Elastic Security

Once you have the KQL, deployment is straightforward:

  1. Navigate to the Kibana Security Detection Engine.
  2. Click “Create new rule” and select “Custom query”.
  3. Paste the generated KQL into the query box.
  4. Set the Index Pattern to match your endpoint data (e.g., logs-endpoint.events-*).
  5. Configure the Risk Score and Severity (matching the Sigma rule’s level: high).

4. Advanced Rule: Detecting File Artifacts (The Kill Switch)

A crucial companion rule detects the final impact—the creation of the encrypted files. This rule is often considered “critical” because it signals active impact.

Rhysida File Extension Sigma Rule

YAML

title: Rhysida Ransomware File Extension Impact
logsource:
  product: windows
  category: file_event # Requires File System Monitoring
detection:
  selection:
    # Detects the creation or modification of files with the unique ransom extension
    TargetFilename|endswith: '.rhysida'
  condition: selection
level: critical
tags:
  - attack.impact
  - attack.t1486 # Data Encrypted for Impact

The corresponding KQL would be: (file.path: "*.rhysida") (assuming proper ECS mapping for file paths).

Conclusion: Achieving Detection Agility

By leveraging Sigma, your SOC is no longer beholden to vendor syntax. You can consume high-fidelity threat intelligence—like the TTPs used by Rhysida—and transform it into production-ready detection rules in your Elastic environment with unprecedented speed. This agility not only closes detection gaps faster but transforms your engineering team from query translators into strategic threat hunters.

Did you miss Part 1? Go back and read “Sigma – The Universal Language of Threat Detection,” where we cover the history, structure, and strategic benefits of this essential detection format.

Part 1: Sigma – The Universal Language of Threat Detection (History, Reasons, and Benefits)

The modern Security Operations Center (SOC) is fighting a never-ending battle, not just against adversaries, but against complexity itself. Every time a new piece of security infrastructure—from an Endpoint Detection and Response (EDR) agent to a Cloud Access Security Broker (CASB)—is added, your detection engineering team incurs more “Detection Debt.” Why? Because each tool speaks a different proprietary language.

When high-fidelity threat intelligence (TTPs from groups like Rhysida) drops, your analysts face the same grueling task: manually translating the logic into KQL for Elastic, SPL for Splunk, or AQL for QRadar. This fragmentation leads to dangerously slow deployment cycles, massive overhead, and unacceptable security gaps.

Sigma is the revolutionary answer to this chaos. It offers a single, open-source, and human-readable format that abstracts the core logic of a threat away from the underlying log management system. By learning Sigma, security engineers gain the power to “Write Once, Detect Everywhere,” transforming complex threat intelligence into actionable, multi-platform detection rules in minutes.

In this first part of our series, we’ll dive into the history and architecture of this essential technology, exploring why Sigma isn’t just a useful tool—it’s the universal language required to build a future-proof, unified defense.

1. The Tower of Babel Problem in Detection Engineering Babel

Start with the chaotic reality of multi-vendor security stacks. Every Security Information and Event Management (SIEM) system (Splunk, QRadar, Sentinel, Elastic) requires a different proprietary query language (SPL, AQL, KQL, etc.).

The Consequences

  • Slow Threat Intelligence Adoption: Security teams waste time manually translating Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) into dozens of query formats.
  • Vendor Lock-in: It is prohibitively expensive and time-consuming to migrate detection logic when changing SIEM platforms.
  • Fragmented Knowledge: Community-shared detections are often tied to one vendor, limiting collaboration.

2. The Birth of Sigma: A Generic Solution

Introduce Sigma (created by Florian Roth and Thomas Patzke) as the solution—often called the “SIEM equivalent of Snort/YARA.”

  • The Concept: Sigma is a generic, open-source signature format that describes log events in a structured, vendor-agnostic YAML format.
  • How it Works (High-Level): A Sigma Rule (YAML) is created once, and then a translation tool (the Sigma converter) automatically generates the native query for the target SIEM.
  • Core Benefit: Allows analysts to focus on logic, not syntax.

3. Deconstructing the Anatomy of a Sigma Rule with Code

Sigma rules are written in YAML for human readability. Understanding the key fields is vital for successful translation:

  • Metadata: title, id, description, author, tags (crucial for MITRE ATT&CK mapping).
  • Log Source: product, category, service. This defines the expected data source, which the converter uses for field mapping (e.g., to the Elastic Common Schema, ECS).
  • Detection: The logical core, using selection (the conditions to look for) and condition (how those conditions are combined).
  • Level: Severity rating.

Example Snippet: Detecting Suspicious PowerShell Activity

This annotated YAML demonstrates a simple rule designed to detect a common execution method—using PowerShell to download and run a script from the command line:

YAML

title: PowerShell Download Cradle
id: 9a0b8c7d-e2f1-4321-b123-e45f6g7h8i9j
description: Detects command lines that execute remote scripts via PowerShell's WebClient.
author: Planned Link Security Team
date: 2025/11/21
logsource:
  product: windows 
  category: process_creation # Process execution logs (Sysmon, EDR)
detection:
  selection:
    # A common string pattern used by attackers to download files
    CommandLine|contains: 
      - 'Net.WebClient'
      - 'DownloadString'
      - 'DownloadFile'
      - 'Invoke-Expression' 
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001 # PowerShell Execution

4. Strategic Benefits for the Modern SOC

  • Future-Proofing: Rules are abstracted from the underlying technology, making future SIEM migrations painless.
  • Open Source Intelligence: Allows the SOC to leverage a massive, high-quality repository of community-driven detections maintained by security researchers globally.
  • Detection as Code (DaC) Accelerator: Sigma rules can be managed in a Git repository, making them the perfect input for a CI/CD pipeline that automatically updates detection rules across production environments.
  • Focus on Logic, Not Syntax: Analysts spend time on security logic and threat modeling, rather than on debugging niche query syntax for different platforms.

Conclusion: Mastering the Universal Language

We’ve established that Sigma is more than just a configuration format; it’s a foundational solution to the core fragmentation problem plaguing the modern SOC. By abstracting detection logic away from vendor-specific query languages, Sigma empowers your team to prioritize threat logic over query syntax, enabling rapid adoption of threat intelligence and securing your environment against future platform changes.

If you are currently wrestling with maintaining detection parity across multiple tools or struggling to translate the latest MITRE ATT&CK guidance into action, adopting Sigma is the critical first step toward building a truly unified and agile defense.

In Part 2 of this series, we will move from theory to action: “From Threat Intel to Alert – Deploying Sigma Rules in an Elastic SOC.” We’ll walk through the practical steps of using the Sigma converter to create live Kibana Query Language (KQL) rules and demonstrate how to detect specific techniques used by the Rhysida Ransomware group, instantly validating your new, universal detection capability.

Is Your Phone Plotting Against You? A Deeper Dive Into the 2025 Mobile Threat Report

Let’s face it, our smartphones are our co-pilots for modern life. They navigate our commutes, manage our finances, and hold our most precious memories (and about 80-100 apps in a digital junk drawer we barely touch). But while we’re busy filtering photos and winning Wordle, are these devices keeping our secrets safe?

The security gurus at Zimperium have released their 2025 Global Mobile Threat Report, and it’s a real page-turner for anyone with a phone. Before you start eyeing that old Nokia in your drawer, let’s unpack the juicy details without the panic attack.

“Mishing”: The Scammers Have Your Number

The days of only worrying about suspicious emails are over. Attackers have gone mobile-first, and their new favourite hangout is your text message inbox. This trend is called “mishing” (mobile-targeted phishing), and it now accounts for roughly a third of all threats found by Zimperium’s zLabs.

The main culprit is “smishing” (SMS phishing), which has shot up by 22% and makes up a whopping 69.3% of all mishing attacks. It’s those urgent texts about a package from USPS or a problem with your Facebook account—brands attackers love to impersonate because they know we trust them. Even more sneaky is the rise of PDF phishing, which now accounts for over 28% of mishing. Why? Because we’re used to trusting PDFs, and they’re great at hiding malicious links from basic security scans.

The Takeaway: Treat unexpected texts like an uninvited guest at a party. Be polite, but don’t click on any links they offer you. That “urgent” notification can almost always wait.

The Risky Business of Sideloaded Apps

Sideloading is the tech term for installing apps from outside the official Google Play or Apple App Stores. It’s the digital equivalent of buying a designer watch from a guy in a trench coat—it might look the part, but who knows what’s ticking inside.

These unvetted apps are found on a surprising 23.5% of business-connected devices. The risk is that they can be legitimate apps repackaged with nasty code designed to steal your data. And this isn’t just an Android problem anymore. Thanks to new regulations, sideloading is now a growing concern for iOS users, too. In fact, sideloaded apps are a top-three risk on both platforms.

The Takeaway: Sticking to the official app stores is like staying on the well-lit path. That free, “unlocked” version of a paid app from a random website could end up costing you a lot more in the long run.

Your Work Apps Are Gossipy International Travellers

Ever wonder where your data goes? According to the report, your work apps are more well-travelled than you might think. While many connect back to the U.S., they’re also pinging servers across the globe in countries like Germany, India, Ireland, and China.

More concerning is that 23% of work apps communicate with risky or embargoed countries. Many also handle your data insecurely. In the Finance category, for example, nearly 18% of Android apps have insecure communication practices, making them vulnerable to data interception. This is often because the app fails to verify that it’s talking to a legitimate server, basically leaving the door open for eavesdroppers.

The Takeaway: Your data is going on a world tour whether you like it or not. This is a reminder for businesses to vet the apps their employees use, because you’re only as secure as the tools you rely on.

The Tech Zombies: When Good Phones Go Bad

We all know someone clinging to an ancient phone. While their dedication is admirable, these devices are a major security liability. The report highlights that a massive 25.3% of devices are too old to be upgraded, meaning they can’t get critical security patches.

Breaking it down, at any given time, 61.2% of Android devices and 49.2% of iOS devices are running an outdated operating system. These phones are the zombies of the tech world—still functioning, but without the modern defenses to fight off new threats.

The Takeaway: Those system update notifications are your friend! They’re not just trying to annoy you; they’re delivering the latest security armor for your device.

So, What Can You Actually Do?

Don’t throw your phone in a river. Just be a little more street-smart with it. The report suggests:

  • Be a Text Detective: Don’t trust urgent requests out of the blue. Verify them through an official website or app instead of clicking a link.
  • Practice Safe Apps: Stick to official app stores and understand that even legitimate apps need continuous vetting to catch risky changes.
  • Embrace the Update: Always install OS and app updates. It’s the single easiest way to protect yourself from known threats.

Your phone isn’t out to get you, but staying informed is your best defense. Now go forth and scroll safely!

Stay Classy, UNC6384: PRC-Nexus Espionage Campaign Targets Diplomats

UNC6384 Anchorman Retro Cybersecurity Poster

Executive Summary

In March 2025, Google’s Threat Intelligence Group (GTIG) documented a complex espionage operation attributed to the PRC-nexus actor UNC6384, overlapping historically with tradecraft seen in TEMP.Hex / Mustang Panda. The campaign hijacks captive-portal flows to redirect victims to a fake “Adobe plugin update” site, delivering a signed downloader (STATICPLUGIN) that ultimately DLL-sideloads CANONSTAGER and deploys SOGU.SEC (PlugX) in memory over encrypted HTTPS C2. Targets included diplomats in Southeast Asia.

MITRE ATT&CK Mapping

  • Initial Access: Adversary-in-the-Middle (AitM) via captive-portal hijack — T1557; Drive-by Compromise — T1189.
  • Execution: User Execution (fake plugin update) — T1204.002; Signed Binary Proxy Execution / DLL sideload — T1218.011.
  • Defense Evasion: Subvert Trust Controls (code signing) — T1553.002; Obfuscated/Encrypted files — T1027; In-memory/reflective loading — T1620.
  • Command & Control: Web protocols (HTTPS) — T1071.001; Encrypted channel — T1573.

Campaign Flow (March 2025)

The UNC6384 intrusion chain layers infrastructure hijacks, signed loaders, DLL sideloading, and memory-only payloads to minimize detection opportunities.

1) Initial Redirect – Captive Portal Hijack (T1557, T1189)

  • Chrome’s captive-portal check to http://www.gstatic.com/generate_204 is intercepted; traffic is AitM-redirected to attacker-controlled web content.
  • Likely achieved through compromise of edge infrastructure.

2) Fake Plugin Delivery – User Execution (T1204.002)

  • Victims see a legitimate-looking “Adobe plugin update” page served over valid Let’s Encrypt TLS to appear authentic.
  • Clicking the prompt retrieves a signed first-stage executable tracked as STATICPLUGIN.

3) Stage-1 Loader – STATICPLUGIN (T1553.002, T1106)

  • Code-signed by Chengdu Nuoxin Times Technology Co., Ltd. (GlobalSign), abused to gain trust and bypass controls.
  • Uses Windows installer/COM flow to fetch an MSI disguised as 20250509.bmp, then triggers the next stage via indirect API execution.

4) Stage-2 Sideload – CANONSTAGER (T1218.011)

  • MSI drops a Canon IJ Printer executable & DLL pair; DLL sideload (cnmpaui.dll) injects attacker code under a legitimate host process.

5) Final Payload – PlugX / SOGU.SEC (T1027, T1620)

  • The payload is decrypted and run entirely in memory (reflective load), avoiding file-based IOC exposure.

6) C2 & Persistence (T1071.001, T1573)

  • HTTPS beacons to attacker infrastructure.
  • Persistence via registry artifacts and mutexes with modular tasking typical of PlugX families.

IOC Highlights (selected)

Domains / URLs
mediareleaseupdates[.]com
https[:]//mediareleaseupdates[.]com/AdobePlugins.html
https[:]//mediareleaseupdates[.]com/style3.js
https[:]//mediareleaseupdates[.]com/AdobePlugins.exe
https[:]//mediareleaseupdates[.]com/20250509.bmp

Example hashes (SHA-256)
AdobePlugins.exe    65c42a7e...027ec124
20250509.bmp (MSI)  32998665...f3349916
cnmpaui.dll         e787f64a...b1e4011

TLS Certificate
CN=mediareleaseupdates[.]com; issued by Let’s Encrypt

Comparison with Other Write-ups

Source What it adds
Google GTIG Full intrusion chain, IOCs, YARA signatures, infection flow diagrams.
SecurityWeek (PlugX takedown) Law-enforcement remediation context: C2 access and self-delete at scale.

Operation Self-Delete: When Law Enforcement Flips the Script

In January 2025, U.S. and French authorities (with Sekoia.io) neutralized a Mustang Panda PlugX variant by obtaining court-approved access to a C2 server and pushing the malware’s built-in self-delete command to more than 4,200 infected U.S. systems. The routine removed files, killed processes, and cleaned persistence keys, demonstrating how defender access to adversary infrastructure can enable direct remediation at scale.

  • C2 intel is power: If you own the C2, you can dictate the malware’s behaviour (including self-removal).
  • Know the code: “Self-delete” features can be strategically leveraged in takedowns.
  • Lawful authority: Multi-month warrants enabled a phased, measured cleanup with ISP notifications.

Defender Takeaways

  • Watch captive-portal flows: Unusual redirects from gstatic.com should trigger alerts.
  • Don’t trust the seal: Validate signed binaries beyond “is signed?”
  • Hunt for sideload paths: Canon IJ Printer & similar vendor executables are frequent sideload targets.
  • Memory-first detection: Telemetry to surface reflective loads and API-hash obfuscation.
  • Plan for disruption: Track C2; where lawful, coordinate response to compel implants to remove themselves.

Conclusion

UNC6384’s “deception in depth” shows the continued maturation of PRC-nexus espionage tradecraft: infrastructure hijacks, trust subversion via code signing, and memory-resident payloads. Yet the PlugX self-delete operation underlines that defenders aren’t just reacting—given the right intelligence and authorities, they can co-opt adversary capabilities for large-scale remediation. In the immortal words of Ron Burgundy: “Stay classy, UNC6384.”

Sources

Arkime Network Analysis & Packet Capture tool (basic functionality overview)

In a previous blog I walked through the download and installation of Arkime onto an Ubuntu VM, if you haven’t covered that subject you should go back and complete that blog first. To follow this demo you should have your Elasticsearch database configured, initialised and connected to the arkime sensor, with the sensor listening on the local interface you configured during installation. If your Elasticsearch is running correctly you should be able to browse to it https://localhost:9200 , logging in with the credentials configured during setup, to check it’s status.

Screenshot of the Arkime interface displaying the Elasticsearch cluster information in JSON format, including details such as cluster name, version number, and compatibility versions.

You should also be able to browse to the Arkime UI at http://localhost:8005 and log in with the admin credentials configured previously. At the default ‘session‘ screen you will see captured network traffic for the period that the sensor has been live. The time window can be adjusted manually or by selecting a predefined timeframe, such as ‘last hour’ in this example. Basic DTG, source/destination IP and Port information, packets, protocls can all be viewed from the session view.

Screenshot of Arkime session view displaying network traffic data including source and destination IPs, ports, and packet information.

The histogram can be adjusted here depending on your prefence, to show sessions (in grey as above), packets/bytes/data bytes (blue and red). There is a world map available to plot the geolocation of any public IP addresses that are captured (in this demo I am only capturing internal traffic).

A histogram display showing network traffic session data, including start and stop times, source/destination IPs, packet counts, and a world map for geolocation, with options for customizing views and intervals.

By clickin the blue + on the left of each row, these can be expanded to show greater detail with the option to download PCAP.

Detailed view of a captured network session showing start and stop times, source and destination IP addresses, packet counts, and HTTP request information.

The link tab opens another window to display the complete session information. The session id is displayed in the search window.

Screenshot of the Arkime UI displaying session details including timestamps, source and destination IP addresses, protocol information, packet counts, and an option to download PCAP.

Session Profile Information (SPI) view. Here you the traffic can be grouped and analysed by protocol/traffic type with session counts for each specific grouping.

A user interface displaying network traffic statistics over a timeline with options to filter and view data by protocol types such as UDP, TCP, and ICMP, along with expandable categories for network activities.

By expanding the general grouping and selecting ‘Load All’ we can get a list and count of all source and estination IPs broken down by protocol.

Dashboard view showing filtered network session data with a histogram and detailed entries including destination and source IP addresses, protocols, and captured traffic information.

SPI Graph view allows you to compare different connection attributes in the same historgram view. Here I have selected 2 different SRC IPs to compare to the full traffic capture.

Graph view showing network traffic over time, with separate lines for sessions and bytes for two source IPs, including a world map for geolocation.

Connections view gives you a visual representaion of you network including Src/Dst IP addresses, link weight, detailed node information (by hovering over each node), nodes can be manoeuvred into position, fixed and the graph can be exported as a PNG format.

Network connections visual representation with source and destination IP addresses, query options for traffic analysis, and node information.

In this we have confirmed the functionality of our Arkime sensor and elasticsearch backend, and walked through the main views session, SPI, SPI Graph and Connections. In future blogs I will cover searching and search syntax, the hunt function, uploading PCAP files for analysis and more indepth analysis of captured traffic.

N8N automation tool (installation and configuration using docker in Linux) 

In today’s fast-paced automation landscape, n8n has emerged as a powerful, open-source workflow automation tool that empowers engineers to streamline processes with ease. In this blog I will demonstrate building the application using docker on a linux virtual machine.

As in previous blogs I will be using a fresh install of Ubuntu 24.04.2 LTS that can be download from HERE. I then follow the Docker guide on how to istall all the relevant docker packages.

Firstly set up the Docker apt repository, starting with adding the docker GPG key.

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
Terminal window showing commands to update package list and install necessary certificates for Docker on Ubuntu.

Next add the docker repo to the apt resourses list.

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
Terminal command for adding Docker repository to Ubuntu.

Next downloand and install all the necessary docker components.

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Terminal command line displaying the installation of Docker components on Ubuntu.

Next create a docker volume to store you n8n data.

docker volume create n8n_data
Terminal displaying the command 'sudo docker volume create n8n_data' followed by confirmation of the created volume.

Use the following command to  download the most recent n8n image, creates your container, and exposes the container on port 5678.

docker run -it --rm --name n8n -p 5678:5678 -v n8n_data:/home/node/.n8n docker.n8n.io/n8nio/n8n

If this runs without issue you will be able to browse to the n8n log in screen at http://localhost:5678

Login setup page for n8n workflow automation tool, featuring fields for email, first name, last name, and password.

Add an email address, names and a password and that’s enough to set up a demo account.

A customization form for the n8n automation tool, featuring dropdowns for company description, user role, automation goals, target audience, company size, and source of information about n8n.

Add some details into the customisation window.

Screenshot of the n8n workflow automation platform dashboard, displaying options to start a new workflow or test a ready-to-go AI Agent example.

After these small, easy steps you’ll be greated with the n8n default dashboard, ready to create you’re first workflow. In the following blogs we will look into developing some simple automations to make systems administration and security tasks more efficient.

China-Backed “PurpleHaze” Attacks on SentinelOne and the IT Supply Chain

Introduction

In early June 2025, DarkReading and SentinelLabs revealed that China-backed APT groups—specifically APT15 and UNC5174—targeted SentinelOne and its IT logistics partners in a cyber-espionage campaign dubbed PurpleHaze. The attackers performed broad reconnaissance and attempted supply chain intrusions using ShadowPad malware across more than 70 global organizations. Elastic Security can help identify and mitigate these behaviors with aligned detection rules and threat intelligence.

What Is the PurpleHaze Attack — and Why It Matters?

PurpleHaze refers to a coordinated activity stream rooted in China-aligned APT15 and UNC5174. Tactics include:

  • October 2024: Remote reconnaissance of SentinelOne’s internet-facing infrastructure.
  • Early 2025: Supply chain compromise attempt utilizing ShadowPad through a third-party hardware logistics provider.
  • Broader campaign against 70+ sectors—including government, media, manufacturing—ongoing from July 2024 to March 2025.

SentinelLabs confirmed no compromise occurred at SentinelOne but acknowledged the persistent threat posture and strategic targeting of cybersecurity vendors.

Core Elastic Detection Rules

Elastic Security offers both prebuilt and custom rules that help detect key phases of the PurpleHaze campaign—such as reconnaissance, credential abuse, and malware deployment. Below are the most relevant detection rules aligned to this threat:

1. Potential Network Sweep Detected

  • Rule ID: 781f8746-2180-4691-890c-4c96d11ca91d
  • Filename: discovery_potential_network_sweep_detected.toml
  • Description: Flags when a single source attempts connections to multiple internal hosts or ports, often indicative of scanning and enumeration behavior.
  • Link: Potential Network Sweep Detected

2. Potential SYN-Based Port Scan Detected

  • Rule ID: bbaa96b9-f36c-4898-ace2-581acb00a409
  • Filename: discovery_potential_syn_port_scan_detected.toml
  • Description: Detects port scanning via SYN packets, which may precede exploit attempts or service discovery across your perimeter.
  • Link: Potential SYN-Based Port Scan Detected

3. Suspicious Vendor or Partner Account Anomaly

  • Rule ID: vendor_access_behavior_anomaly
  • Filename: detection_vendor_behavior_deviation.toml
  • Description: Flags anomalies such as unusual login times, geolocations, or access patterns for known third-party/vendor accounts—relevant to detecting supply chain pivot attempts.
  • Example KQL:
event.dataset : "o365.audit" AND
user.name : ("vendor1@yourdomain.com", "logistics-partner@yourdomain.com") AND
source.ip : * AND
NOT source.ip : ("known.trusted.ip.1", "known.trusted.ip.2")

4. ShadowPad Execution and C2 Callback

  • Rule ID: shadowpad_initial_execution_c2
  • Filename: detection_shadowpad_c2_traffic_and_execution.toml
  • Description: Detects suspicious DLL sideloading, ShadowPad payload execution, or outbound connections to known C2 infrastructure.
  • Link: Search Elastic’s Detection Rules GitHub

5. PowerShell-Based Malware Delivery

  • Rule ID: 7d3cfcd7-d4b1-41dc-a7e3-fad60ef52e87
  • Filename: execution_potential_powershell_hacktool_script_by_author.toml
  • Description: Detects PowerShell scripts that use Invoke-WebRequest, download-and-execute payloads, or leverage encoded commands—common in early-stage malware delivery.
  • Link: View Rule

How to Create Custom Rules

  • Correlate patterns in network reconnaissance across environments (e.g., repeated port 443 probes to external-facing endpoints).
  • Flag anomalous use of third-party credentials accessing internal APIs or asset platforms.
  • Watch for PowerShell-based download-and-execute chains pointing to ShadowPad’s staging domains.

Example KQL Query

process.name : "powershell.exe" AND
process.args : "*Invoke-WebRequest*ShadowPad*" AND
network.direction : "outbound"

Response and Hardening Tips

  • Segment and monitor third-party access zones, especially for logistics or hardware environments.
  • Proactively hunt on PowerShell execution chains linked to ShadowPad or reconnaissance payloads.
  • Validate no unexpected exposures exist on internet-facing assets.
  • Engage with vendors on supply-chain hardening—enforce MFA, just-in-time access, and cert-bound API hygiene.

MITRE ATT&CK Framework Mapping

  • T1595: Active Scanning, combined with network reconnaissance.
  • T1195.002: Supply Chain Compromise – Third-party services.
  • T1105: Ingress Tool Transfer – deploying ShadowPad.
  • T1059.001: PowerShell execution during exploit stages.

Why Should We Care?

The PurpleHaze campaign highlights that cybersecurity vendors—and their broader ecosystem—are now strategic targets.

  • China‑backed APT15 and UNC5174 employ reconnaissance and supply chain abuse to position for espionage.
  • Compromising vendors or logistics providers offers adversaries visibility into defense architectures and potential pivot points.
  • Tools like ShadowPad and ORB network implants are persistent threats even when ultimate entry is blocked.

Bottom line: Elastic-based detection of reconnaissance, third-party access misuse, and post-compromise scripts should be a top priority in your security telemetry—especially in an era where even defenders can become primary targets.

Detecting Microsoft 365 Phishing and Direct Send Abuse with Elastic

Elastic’s public detection rules offer valuable resources for defending against phishing, spoofing, and other email-based threats in Microsoft 365. While no specific rule targets Direct Send abuse out-of-the-box, Elastic’s detection engine is flexible enough to help you build powerful detections using existing rules, log data, and custom logic.

What Is Direct Send — and Why It’s a Risk?

Direct Send allows devices and applications to send email to Microsoft 365 recipients without authentication, using your organization’s domain. While useful for internal devices like printers and scanners, it’s also commonly abused by attackers to:

  • Send spoofed messages that bypass SPF checks.
  • Exploit misconfigured smart hosts or open relay settings.
  • Impersonate internal users without authentication.
  • Launch phishing or business email compromise (BEC) campaigns.

Why it matters: Monitoring and detecting this activity is essential because it bypasses standard email authentication protections like SPF, DKIM, and DMARC.

Core Elastic Detection Rules for Microsoft 365 Threats

Elastic Security includes several prebuilt rules that are highly relevant for identifying phishing, spoofing, and Direct Send abuse in Microsoft 365 environments.

1. Microsoft 365 User Restricted from Sending Email

Rule ID: bf40d000-189f-4c19-84a9-d6b04065a19a
Filename: monitoring_o365_user_restricted_from_sending_email.toml
Description: Detects when a user is restricted from sending email—commonly seen after abnormal activity such as sending bulk phishing messages.
View Rule

2. Microsoft 365 Exchange Anti-Phish Rule Modification

Rule ID: e9001ee6-2d00-4d2f-849e-b8b1fb05234c
Filename: Defense_evasion_microsoft_365_exchange_anti_phish_rule_modified.toml
Description: Triggers when anti-phishing policies are modified or disabled, often indicating pre-phishing setup by an attacker.
View Rule

3. Agent Spoofing – Multiple Hosts Using Same Agent

Rule ID: 8c7e9a83-83c4-49df-9f4f-2b230fbe1263
Filename: agent_spoofing_multiple_hosts_using_same_agent.toml
Description: Detects multiple machines reporting the same agent ID—possibly indicating spoofing, tampering, or relaying.
View Rule

4. O365 Email Reported by User as Malware or Phish

Rule ID: 5930658c-2107-4afc-91af-e0e55b7f7184
Filename: o365_email_reported_by_user_as_malware_or_phish.toml
Description: Relies on user reporting to highlight malicious emails, which can then be correlated with Direct Send characteristics (e.g., invalid SPF or spoofed sender).
View rule

5. Potential PowerShell HackTool Script by Author

Rule ID: 7d3cfcd7-d4b1-41dc-a7e3-fad60ef52e87

Filename: execution_potential_powershell_hacktool_script_by_author.toml

Description: Detects PowerShell-based hack tools—useful when correlating automated email sending from scripts or attacker toolkits.
View rule

How to Create Custom Rules for Direct Send Detection

If you’re using Direct Send or want to catch abuse of your smart host/email relay, consider these custom detection strategies:

  • Monitor Received headers for external IPs spoofing internal domains.
  • Alert on SPF/DKIM/DMARC failures for emails claiming to come from your own domain.
  • Flag PowerShell-based or non-standard user agents in email logs.
  • Detect suspicious behaviors:
    • Sender equals recipient.
    • Unusual geolocation or IP.
    • Unexpected attachments or formats.

Example KQL Rule Snippets

kql

event.dataset : "o365.audit" AND
email.sender.domain : "yourdomain.com" AND
NOT source.ip : ("your.known.ip.1", "your.known.ip.2")

kql

email.sender.address == email.recipient.address AND
user_agent : "PowerShell"

These custom queries can help detect signs of spoofing, automation abuse, or misused relay systems.

Going Beyond Detection: Response and Hardening Tips

Detection is only one piece of the puzzle. Here’s how to bolster your defenses:

  • Review and restrict Direct Send configurations — only allow trusted IPs to relay.
  • Use Authenticated SMTP or Graph API where possible.
  • Enforce SPF/DKIM/DMARC policies with “reject” or “quarantine.”
  • Enable Microsoft 365 user-reporting integration for phishing.
  • Correlate alerts using Elastic Case Management or SOAR platforms.

Summary Table: Key Rules and Detection Approaches

Detection TypeDescriptionRef
Microsoft 365 User Restricted from Sending EmailDetects suspicious bulk sending behaviorLink
Exchange Anti-Phish Rule ModificationIndicates pre-attack policy tamperingLink
Agent Spoofing – Same Agent on Multiple HostsPossible automation/spoofing activityLink
O365 Email Reported as Phish by UserUser-driven alert on malicious contentLink
PowerShell HackTool Activity DetectedDetects malicious scripting attempts in delivery vectorsLink

MITRE ATT&CK Alignment

The detection techniques outlined in this blog align closely with several tactics and techniques from the MITRE ATT&CK framework, particularly within the Enterprise matrix. For example, phishing and Direct Send abuse relate to Initial Access (T1566.001 – Phishing: Spearphishing Attachment) and Defense Evasion (T1110 – Brute Force / T1556 – Modify Authentication Process). Modifying anti-phishing rules or using spoofed agent IDs also touches on Persistence and Privilege Escalation techniques. Mapping your Elastic detection rules to MITRE ATT&CK helps ensure threat coverage, facilitates adversary emulation exercises, and supports structured threat hunting workflows.

Why Should We Care?

Direct Send abuse isn’t theoretical — it’s happening right now. Threat actors actively leverage misconfigured smart hosts and relay permissions in Microsoft 365 to send spoofed emails that bypass authentication checks like SPF, DKIM, and DMARC. These messages appear to come from internal domains, making them incredibly effective in phishing, business email compromise (BEC), and ransomware delivery.

How It’s Being Exploited
  • Initial foothold: Attackers use Direct Send to distribute phishing lures with malicious links or attachments, often as part of broader Initial Access operations.
  • Lateral movement & persistence: Once credentials are harvested, adversaries modify anti-phishing policies, disable rules, or inject spoofed traffic for command and control.
  • Automation abuse: Scripted tools — often leveraging PowerShell or open-source mailers — automate delivery of messages at scale, blending into normal traffic.
Threat Actor Examples
  • FIN7 and other financially motivated groups have used spoofed internal emails in BEC scams to defraud organizations of millions.
  • APT29 (Cozy Bear) and similar espionage-focused actors have employed email delivery tactics (including relays and Direct Send-style infrastructure) to phish targets while avoiding perimeter defenses.
  • Ransomware affiliates, including those aligned with Conti, LockBit, and BlackCat, have used spoofed executive emails to trick internal users into launching payloads or sharing credentials.

Bottom Line

Without monitoring and detection around Direct Send behaviors, organizations leave a blind spot open in their Microsoft 365 infrastructure. By aligning Elastic detection rules with MITRE ATT&CK and focusing on both known tactics and behavioral anomalies, security teams can close this gap — before attackers exploit it.

Stop Chasing Ghosts in Your SIEM: Let GEKO Hunt Threats for You

Let’s be honest, being a security analyst can sometimes feel like you’re a ghost hunter in a digital haunted house. You’re chasing faint signals, trying to figure out if that weird network traffic is a real threat or just the house settling. You spend hours writing detection rules, but are they actually protecting you from the monsters that matter? Or are you just setting up elaborate tripwires for digital squirrels?

What if you could automatically connect the dots between the scary stories from threat intel and the digital traps you’ve set in your SIEM? What if you could get a clear, data-driven report card on how well you’re doing?

Well, stop wishing and say hello to GEKO 🦎, your new automated threat-hunting buddy. GEKO 🦎 is an open-source tool that bridges the chasm between your threat intelligence in OpenCTI and your detection rules in Elasticsearch. It’s like having a translator who speaks both “spooky threat actor” and “nerdy detection engineer.”

So, What’s the Big Deal?

At its core, GEKO 🦎 does something beautifully simple but incredibly powerful:

  1. It reads your threat intel homework: GEKO 🦎 logs into your OpenCTI instance and asks, “Who are the baddest of the bad guys we’re worried about right now?” It then diligently notes down all their favorite tools and techniques (their TTPs).
  2. It checks your alarm system: Next, GEKO 🦎 heads over to your Elasticsearch cluster and asks, “Okay, what alarms do we have set up?” It takes a full inventory of all your enabled detection rules.
  3. It plays matchmaker: This is where the magic happens. GEKO 🦎 compares the threat actors’ TTPs with your detection rules and figures out where you’re covered and, more importantly, where you’re exposed.
  4. It gives you a report card: Finally, GEKO 🦎 generates a slick markdown report that shows you exactly how your defenses stack up against the threats you care about. No more guesswork!

The result? You can stop wasting time writing rules for threats you’re not even facing and start focusing on the real monsters under the bed.

New Superpower Unlocked: The Sigma Rule Turbo-Button! 🚀

Getting your threat intelligence platform populated can be a slog. But what if you could inject hundreds of high-quality detection rules into OpenCTI in a matter of seconds?

Enter importsigma.py, GEKO’s secret weapon.

If you haven’t heard of Sigma, think of it as the universal language for detection rules. It’s a generic format that can be translated into queries for almost any SIEM, including Elasticsearch.

The importsigma.py script is a little bit of command-line magic. It does two amazing things:

  1. It bulk-imports Sigma rules directly into your OpenCTI instance, instantly creating a library of detection logic.
  2. It automatically maps the rules to MITRE ATT&CK techniques! The script reads the tags in each Sigma rule (like attack.t1059.001) and intelligently links the rule to the correct TTP in OpenCTI.

This means you can go from an empty OpenCTI instance to a rich, interconnected web of threat intelligence and detection logic before your coffee gets cold. This isn’t just a time-saver; it’s a game-changer.

Getting Your Hands Dirty with GEKO 🦎: The “I Have Nothing” Edition 💻

Never dabbled with Elastic or OpenCTI before? No problemo! GEKO’s docker-compose.yml is your one-way ticket to a full-blown threat intelligence and SIEM lab.

Step 1-5: The Setup, head to GEKO 🦎 and follow the steps.

… (You’ve got your lab running, but it’s empty and sad.)

Step 6: Add the MITRE connector to import Intrusion Sets, Attack Patterns and more direct from MITRE ATT&CK.

Step 7: The Turbo-Button!

Now, before you do anything else, let’s feed your brand new OpenCTI instance. Grab a folder of Sigma rules (the official Sigma repo on GitHub is a great place to start) and run the importer:

python src/importsigma.py

Watch in awe as your OpenCTI graph comes to life. Now that you have a solid foundation of detection logic mapped to TTPs, you can start enabling the corresponding rules in Kibana and run your first GEKO 🦎 report with meaningful data from day one!

The “I’m a Pro” Edition: Integrating with Your Existing Stack 🚀

Already have a bustling metropolis of an Elastic and OpenCTI setup? You’re in luck! GEKO 🦎 is designed to slide right in.

Grab the src folder and install the dependencies.

Supercharge your Intel: Use the importsigma.py script to fill any content gaps in your OpenCTI instance. You might discover hundreds of relevant detection ideas you hadn’t considered.

Configure your .env file with your credentials.

Let ‘er rip! Run python src/main.py and get ready for some serious insights.

Suggested Use Cases: From Zero to Hero 🦸

So, now that you have this awesome tool, what can you do with it?

Rapidly Baseline Your Detections: Just stood up a new SIEM? Use the Sigma importer to load up on community-vetted detections, then run GEKO 🦎 to get an instant baseline of your security posture against the entire MITRE ATT&CK framework.

Prioritize Like a Boss: Your boss just came back from a conference and is freaking out about the latest APT group. Instead of panicking, you can run GEKO 🦎, see your coverage against that specific group, and confidently say, “We’re covered,” or “I’ve identified the gaps and I’m already working on it.”

Justify Your Existence: The GEKO 🦎report is your new best friend. It’s a tangible, data-driven way to show the value of your detection engineering efforts. You can even track your coverage over time to show improvement.

Purple Teaming on a Budget: Use the GEKO 🦎 report to identify your weak spots, then challenge your team to write detection rules for the gaps. It’s a great way to level up your team’s skills and improve your defenses at the same time.

Go Forth and Hunt! 🏹

GEKO is more than just a tool; it’s a new way of thinking about detection engineering. It’s about being proactive, data-driven, and, most importantly, effective. So, what are you waiting for? Go give GEKO 🦎 a spin and start hunting those digital ghosts like a pro! And hey, since it’s open source, if you have a great idea to make it even better, don’t be shy—contribute!

CarPlay or CarPrey? Hackers Find a Fast Lane Into Modern Vehicles

Introduction

In recent months, researchers from Oligo Security have uncovered a set of vulnerabilities dubbed AirBorne that impact Apple’s AirPlay protocol and, by extension, wireless CarPlay. While Apple has released patches, the reality is that many car manufacturers in the UK have not yet rolled those fixes into their infotainment systems. This leaves millions of vehicles potentially exposed to distraction, surveillance, and remote code execution — all without the driver clicking a thing.

The Vulnerabilities (AirBorne)

  • CVE-2025-24132: A stack buffer overflow in Apple’s AirPlay SDK that allows zero-click remote code execution.
  • CVE-2025-24252 & related bugs: Use-after-free flaws enabling code execution or privilege escalation.
  • Attack surface: Wireless CarPlay connections, which use Bluetooth for initial pairing and WiFi (AirPlay) for data streams.
  • Weak defaults: Many systems use “Just Works” Bluetooth pairing or default WiFi passwords, lowering the bar for attackers.

An attacker within range could hijack the infotainment system, push arbitrary audio/video content, eavesdrop through the microphone, or track driver location.

Campaign Flow – How an Attack Works

  1. Proximity: The attacker comes within Bluetooth/WiFi range of a vulnerable car.
  2. Initial foothold: Exploits weak pairing (“Just Works”) or default WiFi credentials to connect.
  3. Exploit delivery: Crafts malicious traffic to trigger CVE-2025-24132 or related flaws in the AirPlay stack.
  4. Payload execution: Gains remote code execution on the infotainment head unit.
  5. Impact: Push distracting media, capture microphone data, or pivot into connected systems.

This flow mirrors traditional lateral movement in enterprise networks — but with the driver’s attention and safety at stake.

Who’s Affected in the UK?

Any car that supports wireless Apple CarPlay and hasn’t yet received the patched SDKs may be vulnerable. Examples include:

  • BMW (newer models with iDrive 7+)
  • Audi (A3, A4, and above with wireless CarPlay)
  • Alfa Romeo (Tonale)
  • Aston Martin (DB12, DBX)
  • SEAT Leon (higher trims with wireless CarPlay)

Cars with only wired CarPlay or no CarPlay at all are significantly less exposed.

Mitigations

  • Firmware updates: Check your car’s infotainment system for updates. Look for Apple AirPlay SDK versions: Audio SDK 2.7.1, Video SDK 3.6.0.126, CarPlay Plug-in R18.1.
  • Disable wireless CarPlay if not needed.
  • Strengthen pairing: Use PIN-based Bluetooth pairing where possible; disable discoverability.
  • Change defaults: Update WiFi credentials from factory settings.
  • Manufacturer pressure: Carmakers must accelerate integration of patched SDKs and push OTA updates.

Why Should We Care?

Infotainment systems are no longer isolated. They’re gateways into the driver’s environment, personal devices, and potentially connected car functions. The AirBorne vulnerabilities show how a weakness in consumer streaming protocols like AirPlay can create high-impact risks when embedded in vehicles.

For UK drivers, this isn’t a theoretical issue — many popular car models are already shipping with wireless CarPlay and, according to Oligo, no major manufacturer has yet confirmed rolling out patched versions. Until they do, attackers have a wide open lane.