From FakeCaptcha to Infostealer: Easy prevention steps for FakeCaptcha technique

 Posted on May 27, 2025  |  3 minutes  |  581 words  |  cibermanchego

This article written in collaboration with my colleague and friend Iago From FakeCaptcha to Infostealer What is the fake captcha attack vector? For the last few weeks we have seen a high incidence among our customers of an attack vector known as FakeCaptcha or Clickfix. It’s currently on the top lists of most active malware families. This technique is mainly used by infostealers like Lumma and delivered via malvertising campaigns and redirectors. [Read More]
ATT&CK  soc 

Improve your detections with the ATT&CK Framework: Ransomware Edition

 Posted on July 21, 2022  |  5 minutes  |  896 words  |  cibermanchego

Read the first part of my ATT&CK series Read the second part of my ATT&CK series Read the third part of my ATT&CK series Ransomware Today, instead of working based on a supposed activity sector of my company, as I did in my last entry, I’m going to work on the most famous and common threat. Ransomware continues to be the main threat for most companies of all sizes and across all sectors, as multiple reports from CTI companies demonstrate for the last few years. [Read More]
ATT&CK  CTID  soc 

Improve your detections with the ATT&CK Framework Part 3

 Posted on July 7, 2022  |  4 minutes  |  781 words  |  cibermanchego

See part 1 of this series here See part 2 of this series here Prioritizing new detections Today we continue our journey to improve our network detections. The next step is incorporating real-world threat data. Last time, we got an ATT&CK navigator layer where we identified which TTPs we have visibility but no detections. You can see the results with this JSON layer. This is just an example, not based in reality, although I’ve seen similar scenarios in real life :). [Read More]
ATT&CK  CTID  soc 

Improve your detections with the ATT&CK Framework Part 2

 Posted on April 26, 2022  |  6 minutes  |  1100 words  |  cibermanchego

See part 1 of this series here Visibility Last time we left with our data sources mapped to ATT&CK framework and already can see where we might be missing attacks to our network. Now let’s go a step further and get visibility scored based in our data sources plus our knowledge of the network. For that, we start the docker container for DeTTECT: docker start -i dettect Then we use the data sources file we generated in the first part - you can use my example file from here - to generate the techniques administration file with this command: [Read More]
att&ck  soc 

Improve your detections with the ATT&CK framework

 Posted on January 31, 2022  |  9 minutes  |  1723 words  |  Cibermanchego

I also want to use the ATT&CK Framework If you want to improve the detections and the effectiveness of your SOC against attacks targeting your organization, the hottest thing right now is the ATT&CK framework and Threat informed defense. However, if you don’t have the resources to hire external consultants to setup this for you, it can be overwhelming for small organizations to get onboard the ATT&CK ship. I’m going to try and ease the process for you, the only prerequisite is that you know your organization, your own network and what you are logging right now. [Read More]
att&ck  soc