Excellent information. The more unusually the attacker has to behave, the better. Logging on both the clients and the DNS servers is a must.
Cheers, it was fun exploring the limitations. But for defenders, there is a lot of post-exploitation tooling out there to be caught, so there is still a lot of value in running this kind of detection.
End of conversation
New conversation
Brilliant stuff. As a blue teamer I thank you for working this out. It is always important to poke the holes early. It is a good lesson in why matching host detection with a passive network monitoring system is important. Now I need to go work on a Sigma rule to catch your method. lol
Thanks Ivan. Exactly, love it when the Blue Team builds on offensive research to further defences; looking forward to seeing Sigma catching this in action :D
End of conversation
New conversation
Clean and clear!
That's why, for defenders, anything network related we should favour looking at while it is transiting the cables (DNS Q&A via NIDS).
Thanks, it was a fun one to look at. I think there is plenty more to research, but hopefully this is a good starting point.
End of conversation
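The point made in the replies above (match host-side detection against what a passive network sensor sees) can be turned into a simple correlation. As an added example, not from the thread or from the research it discusses, the block below takes Sysmon Event ID 22 (DNSEvent) records from a host and DNS queries observed on the wire from the same host, and reports any query the wire saw that no process on the host logged. The Sysmon field names follow the real Event ID 22 schema; the wire record shape (src, ts, qname) and all record values are constructed for illustration.

```python
"""Match DNS queries seen on the wire against Sysmon Event ID 22 host logs.

A query that a passive network sensor saw leave a host, but that no process
on that host logged through Sysmon's DNS event, is either a resolver path the
host telemetry does not cover or a logging gap; both deserve a closer look.

Added example, not from the thread; all records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 22 (DNSEvent) records. Field names follow the
# real event schema; the values are made up for this example.
SYSMON_DNS = [
    {"Computer": "WS01", "UtcTime": "2020-03-10 10:00:01.100",
     "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe",
     "QueryName": "www.example.com", "QueryResults": "93.184.216.34;"},
    {"Computer": "WS01", "UtcTime": "2020-03-10 10:00:05.300",
     "ProcessId": 2288, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "update.example.org", "QueryResults": "203.0.113.7;"},
]

# Constructed passive-DNS observations from a network sensor. The record
# shape (src, ts, qname) is an assumption, not any particular tool's format.
WIRE_DNS = [
    {"src": "WS01", "ts": "2020-03-10 10:00:01.250", "qname": "WWW.example.com."},
    {"src": "WS01", "ts": "2020-03-10 10:00:05.400", "qname": "update.example.org"},
    {"src": "WS01", "ts": "2020-03-10 10:00:09.000", "qname": "unlogged.example.net"},
]


def _norm(name: str) -> str:
    """Normalise a query name: DNS is case-insensitive and the wire form may
    carry a trailing dot that the Sysmon QueryName field does not."""
    return name.rstrip(".").lower()


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def index_host_queries(sysmon_events):
    """Map (host, normalised qname) -> list of (time, image, pid) from Event ID 22."""
    idx = {}
    for ev in sysmon_events:
        key = (ev["Computer"], _norm(ev["QueryName"]))
        idx.setdefault(key, []).append(
            (_parse(ev["UtcTime"]), ev["Image"], ev["ProcessId"]))
    return idx


def find_unlogged_queries(sysmon_events, wire_events, window=timedelta(seconds=5)):
    """Return wire queries with no matching Event ID 22 from the same host.

    A wire query matches if the same host logged the same name within
    `window`. Sysmon stamps the API call and the sensor stamps the packet, so
    the host event normally comes first, but clock skew between the host and
    the sensor is common, so tolerance is applied in both directions.
    The reverse case (host event, no wire query) is normal because the DNS
    client cache answers repeats locally, so it is not reported.
    """
    idx = index_host_queries(sysmon_events)
    unlogged = []
    for w in wire_events:
        key = (w["src"], _norm(w["qname"]))
        t = _parse(w["ts"])
        if not any(abs(t - ht) <= window for ht, _, _ in idx.get(key, [])):
            unlogged.append({"host": w["src"], "qname": key[1], "ts": w["ts"]})
    return unlogged


if __name__ == "__main__":
    for hit in find_unlogged_queries(SYSMON_DNS, WIRE_DNS):
        print(f"{hit['ts']} {hit['host']} queried {hit['qname']} "
              "on the wire with no Sysmon DNS event from any process")
```

The only alert direction is wire-without-host: a name the sensor saw leave the machine that no process reported through the Windows DNS client path Sysmon listens on. That is exactly the blind spot a host-only DNS rule cannot see, and it is why pairing Sysmon with a NIDS, as the replies suggest, closes more ground than either alone.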
New conversation
Adam, as always I enjoyed reading your work! I guess we can still use process monitoring capturing the PID causing DNS queries...
Thanks :D TBF the Sysmon DNS logging is still a brilliant tool; all an attacker needs to make is one mistake and you've got a good datapoint.
End of conversation
New conversation
Great work, Adam!
Cheers mate
End of conversation