Let me tell you a story. I'd been in helpdesk for a year. I ran autoruns, I looked at logs, just to spend time and learn stuff. Then...
Replying to @SwiftOnSecurity
I notice something weird. Domain Admin is logging into the PCs pretty regularly. Wasn't sure. I asked network team, they brushed me off.
These logins come from random domain controllers. Is this a status check? Is something running? Nobody can tell me what it is. Nobody cares.
Set up a bait PC in a cube, start Process Monitor, exclude the normal stuff, and leave it for a few days. Cross-reference logins to the log.
Something called 2.exe was being dropped on the system, run, (other stuff I don't remember) and immediately exited. How do I get that file?
So I made a batch file that forever looped copying c:\windows\2.exe to c:\temp, to try to grab it. I leave the PC for a day or so. I come back
I have it! I have 2.exe. Nothing detects it as a virus. What the heck is it? I get our support contract info from my boss, contact Symantec.
A few days later, a weird IE bug we'd been having goes away. And we get tons of antivirus notification of "Trojan.Clampi.D" (or something).
I followed up on the case with Symantec over the phone, and the tech let slip they had seen like 10k or 100k detections of what I submitted.
Moral of the story is: Be curious. Learn how it works. Learn what's normal. More importantly, learn what's not normal and figure it out.
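As an added example (not part of the thread), here is a small Python check over constructed Security event 4624 rows that flags the pattern the story starts with: a Domain Admin account logging on to ordinary workstations, with the source traced back to domain controllers. The account names, host names, IP addresses and the CSV export format are assumptions.

```python
"""Flag privileged-account logons to workstations in Windows Security 4624 events.

"Learn what's normal": admin accounts are expected on DCs and jump hosts, so a
Domain Admin logon to a user's PC, sourced from a DC, is the thing to chase.
All names, IPs and the export layout below are constructed for this example.
"""
import csv
import io
from collections import Counter

# Constructed export of event 4624 (successful logon), one row per event.
SAMPLE_4624 = """\
TimeCreated,Computer,TargetUserName,TargetDomainName,LogonType,IpAddress,WorkstationName
2019-03-04T02:13:05,WS-0412.corp.example,da-backup,CORP,3,10.0.0.11,DC01
2019-03-04T02:13:06,WS-0412.corp.example,jsmith,CORP,2,-,WS-0412
2019-03-04T02:41:19,WS-0199.corp.example,da-backup,CORP,3,10.0.0.12,DC02
2019-03-04T03:02:44,DC01.corp.example,da-backup,CORP,3,10.0.0.12,DC02
2019-03-04T08:15:00,JUMP01.corp.example,da-backup,CORP,10,10.0.5.7,ADMIN-LT
2019-03-04T09:01:33,WS-0412.corp.example,WS-0412$,CORP,3,10.0.0.11,DC01
"""

PRIVILEGED = {"da-backup"}                # assumed: Domain Admins membership
ADMIN_HOSTS = {"DC01", "DC02", "JUMP01"}  # assumed: hosts where admin logons are normal
DC_IPS = {"10.0.0.11", "10.0.0.12"}       # assumed: domain controller addresses
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}

def parse_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_workstation(computer):
    return computer.split(".")[0].upper() not in ADMIN_HOSTS

def find_privileged_workstation_logons(events):
    """Return 4624 rows where a privileged account logged on to a non-admin host."""
    hits = []
    for ev in events:
        user = ev["TargetUserName"]
        if user.endswith("$") or user not in PRIVILEGED:  # skip machine accounts
            continue
        if is_workstation(ev["Computer"]):
            hits.append({"when": ev["TimeCreated"], "user": user,
                         "host": ev["Computer"].split(".")[0],
                         "logon": LOGON_TYPES.get(ev["LogonType"], ev["LogonType"]),
                         "source": ev["WorkstationName"],
                         "from_dc": ev["IpAddress"] in DC_IPS})
    return hits

def summarize(hits):
    """Count (user, source) pairs; many PCs touched from several DCs is the pattern here."""
    return Counter((h["user"], h["source"]) for h in hits)

if __name__ == "__main__":
    found = find_privileged_workstation_logons(parse_events(SAMPLE_4624))
    for h in found:
        print(h)
    print(summarize(found))
```

Network logons (type 3) from a DC using a Domain Admin account against workstations are consistent with a file being pushed and executed remotely, which is what Process Monitor on the bait PC later confirmed.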
this is a good story