Haag
mhaggis.bsky.social
270 followers 210 following 34 posts
Just a person hacking away.
🚨 Still on your journey to mastering ASR rules?
Don’t sleep on ASRGEN 🛡️💥

⚡ Point. Click. Generate ASR rules.
🔍 Learn + test safely with built-in atomic simulations
📦 Export to Intune/GPO-ready formats
🎯 Built for defenders, by defenders

👀🔥
👉 asrgen.streamlit.app

📚 github.com/MHaggis/ASRGEN
GitHub - MHaggis/ASRGEN: ASR Configurator, Essentials and Atomic Testing
ASR Configurator, Essentials and Atomic Testing. Contribute to MHaggis/ASRGEN development by creating an account on GitHub.
github.com
🆕🐇 Just dropped a 1-hour rabbit hole dive into API playgrounds, mocks, & random nerdy finds 🤓

We started with ClickGrab, but then it turned into:

🐝 Beeceptor

🛠️ Mockbin

🧩 Zudoku

🔍 VirusTotal hunts

🤖 ChatGPT making OpenAPI bins & routes

Chaotic, nerdy, fun. Come hang out 👉 youtu.be/j7QE-6p9Y9Q
🚀 Fresh ClickGrab ✨ | Into the Rabbit Hole 🐇🌀
🔥 We started fresh with ClickGrab 🖱️✨ looking at some new stuff… but then the whole thing flipped upside down 🌀 and turned into a full-on rabbit hole deep dive 🕳️🐇 🔍 What we explored: 🐝…
youtu.be
Minted narwhal!

I am/was burnt sienna goose
🚨 New ASR rules are now GA:

❌ Block rebooting in Safe Mode
🕵️‍♂️ Block copied/impersonated system tools

ASRGEN had these since preview. 😎

Want to:

⚡ Quickly create Intune-ready ASR policies
🧪 Simulate and understand rule impacts

Check → asrgen.streamlit.app

Be proactive. Be precise.
ASRGEN
Access ASRGEN here on https://asrgen.streamlit.app/
asrgen.streamlit.app
💰 The hunt begins…

The first drops for PowerShell-Hunter: Season 2 are coming SOON.
New tools. Smarter hunting. Sexier telemetry.
This isn’t just DFIR—it’s an evolution.

⚔️ Hunt smarter. Hunt harder.
github.com/MHaggis/Powe...
🚨 PowerShell-Hunter Season 2 is coming 🚨

💥 More atomic tools
🧬 Smarter, faster log analysis
🤖 Machine learning meets lateral movement
😈 PowerShell so slick it should be illegal

You’re not ready—but you should be.
⭐ Star the repo or miss the magic:
GitHub - MHaggis/PowerShell-Hunter: PowerShell tools to help defenders hunt smarter, hunt harder.
PowerShell tools to help defenders hunt smarter, hunt harder. - MHaggis/PowerShell-Hunter
github.com
🔐 Windows Security and SDDL: What You Need to Know 🔐

Windows permissions misconfigurations are a goldmine for attackers. SDDL (Security Descriptor Definition Language) remains overlooked yet highly exploitable. 🚨

@nasbench.bsky.social and I break it down -->

🧵 (1/)
In our latest blog, we break down SDDL:
🔹 How it structures Windows security
🔹 How attackers—from LockBit to RomCom—manipulate it for privilege escalation & defense evasion
🔹 How to detect & defend 🛡️

🧵 (2/)
Top 3 Things You'll Learn:
1️⃣ How attackers exploit SDDL—event log tampering, service hardening, & more
2️⃣ How to decode SDDL strings & analyze permissions, DACLs, and ACEs
3️⃣ How to defend against SDDL abuse with detections & Atomic Red Team tests

🧵 (3/)
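Added example to go with the SDDL thread above (my code, not from the blog post or its authors): a small Python decoder that splits an SDDL string into owner, group and ACEs, expands the two-letter rights and SID aliases, and applies a couple of illustrative review rules for event log channel descriptors. The sample descriptors are constructed to resemble typical Windows defaults rather than captured from a host, the `KNOWN_SIDS` table and the review rules in `eventlog_channel_findings` are my assumptions, and the rights table covers the generic, standard and directory-style tokens only (file and registry composites such as `FA`/`KA` are rejected rather than guessed).

```python
"""Decode SDDL strings into owner, group and ACEs, then review event log channel descriptors."""
import re
from dataclasses import dataclass

# Two-letter SID aliases used in the trustee field (subset of the SDDL alias table).
SID_ALIASES = {
    "BA": "Builtin\\Administrators", "BU": "Builtin\\Users", "SY": "NT AUTHORITY\\SYSTEM",
    "LS": "NT AUTHORITY\\LOCAL SERVICE", "NS": "NT AUTHORITY\\NETWORK SERVICE",
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive", "SU": "Service",
    "SO": "Server Operators", "AN": "Anonymous", "CO": "Creator Owner",
}
KNOWN_SIDS = {"S-1-5-32-573": "Event Log Readers"}  # raw SIDs worth naming here (assumed table)
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# Rights tokens -> access-mask bits. "WD" here means WRITE_DAC; in the trustee field it means Everyone.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                   0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
EVENTLOG_RIGHTS = {0x1: "READ", 0x2: "WRITE", 0x4: "CLEAR"}  # ELF_LOGFILE_* bits of a log channel
BROAD_TRUSTEES = {"Everyone", "Authenticated Users", "Anonymous", "Builtin\\Users", "Interactive"}


@dataclass
class Ace:
    ace_type: str
    flags: list
    mask: int
    trustee: str


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str
    dacl: list
    sacl: list


def resolve_sid(token):
    return SID_ALIASES.get(token) or KNOWN_SIDS.get(token) or token


def parse_rights(token):
    """Rights field: a hex/decimal number or a run of concatenated two-letter tokens."""
    if not token:
        return 0
    if token.lower().startswith("0x"):
        return int(token, 16)
    if token.isdigit():
        return int(token)
    if len(token) % 2:
        raise ValueError(f"odd-length rights field {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in RIGHTS:
            raise ValueError(f"unknown rights token {pair!r}")
        mask |= RIGHTS[pair]
    return mask


def parse_acl(text):
    """'PAI(A;;0x5;;;BA)...' -> (acl flags, [Ace, ...]); every ACE has six ';'-separated fields."""
    flags = text.partition("(")[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unsupported ACE form (conditional/resource ACE?): {body!r}")
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, sid = fields
        flag_names = [ACE_FLAGS[ace_flags[i:i + 2]] for i in range(0, len(ace_flags), 2)]
        aces.append(Ace(ACE_TYPES[ace_type], flag_names, parse_rights(rights), resolve_sid(sid)))
    return flags, aces


# O:owner G:group D:dacl S:sacl, each optional; lazy matches stop at the next component prefix.
SDDL_RE = re.compile(r"(?:O:(?P<owner>[^:]+?))?(?:G:(?P<group>[^:]+?))?"
                     r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>.*))?")


def parse_sddl(sddl):
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None or not any(m.groupdict().values()):
        raise ValueError(f"not a well-formed SDDL string: {sddl!r}")
    dacl_flags, dacl = parse_acl(m.group("dacl") or "")
    sacl = parse_acl(m.group("sacl") or "")[1]
    return SecurityDescriptor(resolve_sid(m.group("owner") or ""),
                              resolve_sid(m.group("group") or ""), dacl_flags, dacl, sacl)


def describe_mask(mask, specific=EVENTLOG_RIGHTS):
    """Name the set bits for one object type (defaults to event log channel rights)."""
    names = [n for bit, n in specific.items() if mask & bit]
    names += [n for bit, n in STANDARD_RIGHTS.items() if mask & bit]
    names += [n for n, bit in RIGHTS.items() if n.startswith("G") and mask & bit]
    return names


def eventlog_channel_findings(sddl):
    """Illustrative review rules for a log channel DACL (my assumptions, not the post's detections)."""
    findings = []
    for ace in parse_sddl(sddl).dacl:
        if ace.ace_type == "ACCESS_DENIED" and ace.trustee in ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"):
            findings.append(f"deny ACE for {ace.trustee}: {', '.join(describe_mask(ace.mask))}")
        elif ace.ace_type == "ACCESS_ALLOWED" and ace.trustee in BROAD_TRUSTEES and ace.mask & 0xC0006:
            findings.append(f"{ace.trustee} granted {', '.join(describe_mask(ace.mask & 0xC0006))}")
    return findings


# Constructed samples, modelled on typical defaults rather than captured from a host.
SECURITY_LOG_BASELINE = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
SECURITY_LOG_TAMPERED = "O:BAG:SYD:(D;;0x1;;;SY)(A;;0x7;;;WD)(A;;0x1;;;S-1-5-32-573)"
SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for label, s in (("baseline", SECURITY_LOG_BASELINE), ("tampered", SECURITY_LOG_TAMPERED)):
        sd = parse_sddl(s)
        print(f"[{label}] owner={sd.owner} group={sd.group}")
        for ace in sd.dacl:
            print(f"  {ace.ace_type:<14} {ace.trustee:<28} {', '.join(describe_mask(ace.mask))}")
        for finding in eventlog_channel_findings(s):
            print("  !!", finding)
    print(f"service full-control mask: {parse_sddl(SERVICE_SDDL).dacl[1].mask:#x}")
```

The decoder resolves tokens by position, which matters because SDDL reuses spellings: `WD` in the rights field is WRITE_DAC, while `WD` in the trustee field is Everyone, and `AU` is the audit ACE type in one slot and Authenticated Users in another. The service descriptor shows the other form of the rights field: the `CCDCLCSWRPWPDTLOCRSDRCWDWO` run for `BA` decodes to `0xF01FF`, the full-control mask for a service object.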
Tomorrow, join us for a legendary episode of Atomics on a Friday featuring Jonathan Johnson (@jsecurity101) as we dive deep into JonMon—the tool redefining Windows telemetry!
🎄 Twas the night before JonMon, and all through the net,
🔍 Defenders were stirring, their systems to vet.
🛠️ The telemetry was hung in EventViewer with care,
✨ In hopes that Jonny Johnson soon would be there.

📅 Friday, January 24th
⏰ 11 AM MST | 1 PM EST
📺 YouTube: youtube.com/watch?v=CqEhtg…
💻 How to Use:

1️⃣ Deploy your favorite tools (Sysmon, EDR, XDR, etc.)
2️⃣ Grab a webshell of choice, upload it, and start testing!
3️⃣ Observe logs, alerts, and behaviors to identify gaps in your coverage.
notes/utilities/ApachePHPBuild at master · MHaggis/notes
Full of public notes and Utilities. Contribute to MHaggis/notes development by creating an account on GitHub.
buff.ly
🔍 Detection Opportunities:
Use these servers to validate analytic coverage for:

🗂️ File modifications (webshell uploads)
⚙️ Process executions (commands from shells)
🎯 Suspicious behaviors triggered by shells
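Added example for the two posts above, "How to Use" and "Detection Opportunities" (my code, not part of the MHaggis/notes utilities): the detection logic a defender would run over the telemetry collected while testing a webshell, here over constructed Sysmon-style events rather than logs from a real host. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and Event ID 11 (Image, TargetFilename); the web server image names, webroot paths, shell list and rule names are assumptions to adjust for the deployment being tested.

```python
"""Webshell detection logic over Sysmon-style process-create (1) and file-create (11) events."""
from pathlib import PureWindowsPath

# Assumed deployment values: adjust to the web server and webroot you stood up.
WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe", "php-cgi.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "certutil.exe"}
WEBROOTS = ("c:\\apache24\\htdocs", "c:\\inetpub\\wwwroot")
SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}


def _image_name(path):
    return PureWindowsPath(path).name.lower()


def _is_webroot_script(path):
    return path.lower().startswith(WEBROOTS) and PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS


def analyze(events):
    """Return findings as (rule, utc_time, detail) tuples, in event time order."""
    findings = []
    scripts_dropped = 0  # state carried forward so a later shell spawn can be tied to the upload
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        if e["EventID"] == 11 and _is_webroot_script(e["TargetFilename"]):
            # A server-side script written by the web server process itself is the upload path
            # a webshell normally arrives through; a deploy tool writing it is weaker but still noted.
            by_server = _image_name(e["Image"]) in WEB_SERVER_IMAGES
            rule = "webroot_script_written_by_web_server" if by_server else "webroot_script_written"
            scripts_dropped += 1
            findings.append((rule, e["UtcTime"], e["TargetFilename"]))
        elif (e["EventID"] == 1 and _image_name(e["ParentImage"]) in WEB_SERVER_IMAGES
              and _image_name(e["Image"]) in SHELL_IMAGES):
            # Commands issued through a shell show up as the web server spawning an OS shell.
            rule = ("web_server_spawned_shell_after_script_drop" if scripts_dropped
                    else "web_server_spawned_shell")
            findings.append((rule, e["UtcTime"], e["CommandLine"]))
    return findings


# Constructed events (not captured from a real host), out of order on purpose.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-01-24 18:00:09.250", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Apache24\\bin\\httpd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 11, "UtcTime": "2025-01-24 18:00:01.100", "Image": "C:\\Apache24\\bin\\httpd.exe",
     "TargetFilename": "C:\\Apache24\\htdocs\\uploads\\img.php"},
    {"EventID": 1, "UtcTime": "2025-01-24 18:01:00.000", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "UtcTime": "2025-01-24 18:02:00.000", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\tmp1.log"},
]

if __name__ == "__main__":
    for rule, when, detail in analyze(SAMPLE_EVENTS):
        print(f"{when}  {rule:<44} {detail}")
```

Run it against the events Sysmon actually produced during the test: if the upload only shows up under `webroot_script_written` (or not at all) while the shell spawn is caught, the gap is in file-create coverage for the webroot, which is exactly the kind of blind spot the post says these servers are for finding.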