Some extra process execution/command lines to monitor for hands-on adversary situational awareness/recon:
tasklist, ver, ipconfig, systeminfo, netstat, whoami, nbtstat, set, qprocess, nslookup, net, type, dir, echo, dsquery, quser
More for Lateral Movement -> Evidence removal:
mstsc, net, runas, netsh, wmiprvse (children), wsmprovhost (children), psexesvc (children), winrm, winrs, win shadow, esentutl, vssadmin, del, wevtutil, taskkill, klist, ftp
Hopefully that list helps as a start. For more: https://lolbas-project.github.io/#
End of conversation
New conversation
Is this supposed to be “execute in order”? Why is /powershell/, just /powershell/, an essential process line?
I don't understand the question here. I believe it's lost some context as secfarmer has a private account and I cannot see that response.
New conversation
Focus on the arguments or executable path anomalies. Like exe from appdata or temp. The exec name is easily obfuscated by reading the original exe into memory or copying into another name and running from another location.
^ this also. Using the original file name if you can get it is useful. This is just a starting point which helps detect the vast majority of initial malware dropping/executions in the wild today. Even though something can be obfuscated, malware samples show this isn't occurring.
New conversation
Honestly, unless you're doing this on an insanely tight budget, you should consider investing in an EDR solution to manage this for you. For a lot of orgs, these types of detections are more valuable than network-based detections, but they are also very hard to keep up to date.
Absolutely, a lot of SMEs and even large businesses still struggle with endpoint detection. I'm all for investing in a good EDR.
End of conversation
New conversation
This needs to be significantly tightened up. Otherwise this type of monitoring will generate a great deal of false positives due to normal system activity or IT administration.
Of course, false positives are a virtue as these are all legitimate binaries which are used by the OS. This is a list of binaries which can be used as a starting point for monitoring. You can then build context around them based on ppid, what happened around that time, etc.
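As an added example (not code from the thread or its author), the heuristics discussed above run over a few constructed Sysmon-style process-creation events: the binary lists from the first two tweets, the AppData/Temp path check, the OriginalFileName comparison that catches a renamed copy, and a per-parent count as the first piece of ppid context. Field names follow Sysmon event ID 1; the events, PIDs and paths are constructed.

```python
import ntpath
import re
# Binaries named in the thread; cmd.exe built-ins (dir, set, del, ...) only appear in cmd's command line.
RECON = {"tasklist", "ver", "ipconfig", "systeminfo", "netstat", "whoami", "nbtstat", "set",
         "qprocess", "nslookup", "net", "type", "dir", "echo", "dsquery", "quser"}
CLEANUP = {"mstsc", "runas", "netsh", "winrm", "winrs", "esentutl", "vssadmin", "del",
           "wevtutil", "taskkill", "klist", "ftp"}
REMOTE_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "psexesvc.exe"}  # the thread says: watch their children
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp)\\", re.IGNORECASE)

def stem(path):
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def triage(ev):
    """Reasons a Sysmon-style process-creation event deserves a look; [] means nothing fired."""
    reasons, image, shown = [], ev["Image"], stem(ev["Image"])
    # Prefer the PE header's OriginalFileName: copying a tool under a new name leaves it intact.
    original = stem(ev["OriginalFileName"]) if ev.get("OriginalFileName") else shown
    if original != shown:
        reasons.append(f"renamed binary: {shown} is really {original}")
    names = {original}
    if original == "cmd":  # built-ins live in the command line, not in Image
        names |= {t.lower() for t in re.split(r'[\s&|"]+', ev.get("CommandLine", ""))}
    reasons += [f"recon tool: {n}" for n in sorted(names & RECON)]
    reasons += [f"lateral movement / cleanup tool: {n}" for n in sorted(names & CLEANUP)]
    if USER_WRITABLE.search(image):
        reasons.append("runs from user-writable directory")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent in REMOTE_PARENTS:
        reasons.append(f"child of remote-execution host {parent}")
    return reasons

def bursts(events, min_hits=2):
    """Parents with several flagged children: the ppid / same-time context the thread suggests."""
    hits = {}
    for ev in events:
        if triage(ev):
            hits[ev["ParentProcessId"]] = hits.get(ev["ParentProcessId"], 0) + 1
    return {ppid: n for ppid, n in hits.items() if n >= min_hits}
EVENTS = [  # constructed sample events using Sysmon event 1 field names
    {"Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe", "ParentProcessId": 4120,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "whoami"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "ipconfig.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe", "ParentProcessId": 912,
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "CommandLine": 'cmd.exe /c "set & dir %TEMP%"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "ParentProcessId": 2200,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
```

Run `triage` on each event and `bursts` on the list: the notepad launch stays quiet, the renamed ipconfig copy in Temp fires three reasons, and parent 4120 stands out for spawning two flagged children.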
End of conversation