Most security tools ship with default detections that attackers test their tooling against before an engagement, so stealthy tradecraft routinely slips past them. Lares helps SOC teams develop custom detection rules tailored to their own environment and threat landscape.
How Custom Detection Engineering Works
- Step 1: Identify detection gaps in SIEM, EDR, and log sources (missing telemetry, techniques no default rule covers).
- Step 2: Develop custom Sigma, YARA, and Splunk SPL rules for those gaps.
- Step 3: Deploy the rules, validate them against real attacker behaviour, and tune out false positives.
Real-World Example: Bypassing EDR and Creating Custom Detections
- Scenario: An attacker uses rundll32.exe, a signed Windows binary, to load a malicious DLL (LOLBIN abuse), so the malware runs under a trusted process name that default EDR rules do not flag.
- Detection Rule: A custom Sigma rule that flags rundll32.exe spawning child processes it rarely starts legitimately (cmd.exe, powershell.exe, wscript.exe and similar), which is the behaviour a malicious DLL exhibits and a benign one almost never does.
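The rule for this scenario, plus the Step 3 validation run over sample events, as an added example; it is not Lares' code and no rule from the page. It assumes Sysmon Event ID 1 (process creation) records with the field names of the Sigma process_creation taxonomy (Image, ParentImage, ParentCommandLine), the child-process list is a starting point to tune per environment, and the `filter_approved` allowlist path (`\ExampleVendor\approved.dll`) is hypothetical.

```python
r"""Sigma-style rule for rundll32.exe spawning unusual children, with a minimal
matcher so the rule can be validated offline against constructed events.

Equivalent Sigma rule (field names follow the process_creation taxonomy):

    title: Rundll32 Spawning Unusual Child Process
    logsource:
      category: process_creation
      product: windows
    detection:
      selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
          - '\pwsh.exe'
          - '\wscript.exe'
          - '\cscript.exe'
          - '\mshta.exe'
          - '\certutil.exe'
      filter_approved:
        ParentCommandLine|contains: '\ExampleVendor\approved.dll'  # hypothetical
      condition: selection and not filter_approved
    level: high
"""
from typing import Dict, List, Union

Event = Dict[str, str]
Pattern = Union[str, List[str]]

# The same rule as a Python structure so the matcher below can evaluate it.
RULE = {
    "selection": {
        "ParentImage|endswith": r"\rundll32.exe",
        "Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe",
                           r"\wscript.exe", r"\cscript.exe", r"\mshta.exe",
                           r"\certutil.exe"],
    },
    # Hypothetical tuning filter: a vendor DLL that legitimately spawns a shell
    # in this environment. Replace it with whatever your validation run finds.
    "filter_approved": {
        "ParentCommandLine|contains": r"\ExampleVendor\approved.dll",
    },
}


def _field_matches(value: str, modifier: str, pattern: Pattern) -> bool:
    """Evaluate one Sigma field test. List patterns are OR-ed, as in Sigma."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    value = value.lower()  # Sigma string matching is case-insensitive
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False


def _block_matches(event: Event, block: Dict[str, Pattern]) -> bool:
    """All field tests inside one selection/filter block must hold (AND)."""
    for key, pattern in block.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field, ""), modifier, pattern):
            return False
    return True


def rule_fires(event: Event) -> bool:
    """condition: selection and not filter_approved"""
    return (_block_matches(event, RULE["selection"])
            and not _block_matches(event, RULE["filter_approved"]))


# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # malicious: rundll32 loads a DLL from a user-writable path, spawns cmd
        "EventID": "1",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe C:\Users\Public\update.dll,Start",
    },
    {   # benign: ordinary rundll32 use, started by explorer, spawns nothing
        "EventID": "1",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
    },
    {   # tuned out: hypothetical approved vendor DLL that launches PowerShell
        "EventID": "1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ExampleVendor\maint.ps1",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe C:\Program Files\ExampleVendor\approved.dll,Run",
    },
]


def run_detection(events: List[Event]) -> List[int]:
    """Step 3 validation: return the indexes of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_fires(e)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT: {e['ParentCommandLine']!r} spawned {e['Image']}")
```

Running the rule over the three events fires only on the first one: the benign Control Panel launch never enters the selection, and the vendor case shows how a filter block tunes a known false positive without weakening the selection itself. Matching is case-insensitive, as Sigma requires, so `RUNDLL32.EXE` does not evade the rule.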
Table of Common Custom Detection Needs
Attack Type | Default Detection Issue | Custom Rule Example
--- | --- | ---
PowerShell obfuscation | AV/EDR may allowlist PowerShell as a signed Microsoft binary, so Base64-encoded commands run unflagged | Sigma rule that flags -EncodedCommand (including its short forms) and decodes the payload for review
Lateral movement | The SIEM records each failed login but does not link them | Correlate failed logins for one account across multiple hosts within a short window
C2 communication | DNS tunnelling looks like ordinary name resolution to an IDS | Flag hosts making high-frequency lookups of rare or long subdomains under a single domain
🔗 Improve your SOC with Lares’ Purple Teaming: Purple Team Methodology
Empowering Organizations to Maximize Their Security Potential.
Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008.
16+ years in business, 600+ customers worldwide, 4,500+ engagements.