While it was a painstaking effort to reverse everything, how can one go about assessing the value and effectiveness of a preventative/detective control without event context? Without context, detection engineering, alert triage, and incident response are just shots in the dark.
One of my favorite mitigations is non-MSFT binary auditing/enforcement (Microsoft-Windows-Security-Mitigations/KernelMode Event ID 11/12). If you expect a process to only ever load Windows-signed binaries, why not generate a log upon deviation? lsass.exe is a perfect candidate. pic.twitter.com/uhJQrMclr0
Last tweet in the thread. Check out the "Microsoft-Windows-Security-Mitigations/UserMode" section to get a more tangible sense of all the functionality that was ported over from EMET. Attackers, if you see PayloadRestrictions.dll loaded in your process context, tread lightly.
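The following PowerShell is an added worked example, not code from the thread's author: it puts the lsass.exe signature mitigation from the thread into practice (audit first, then enforce), pulls the resulting Security-Mitigations/KernelMode events, and lists which processes currently have PayloadRestrictions.dll loaded. It assumes the built-in ProcessMitigations module (Windows 10 1709 and later), that the KernelMode channel is enabled, and that Event IDs 11/12 are the ones the thread cites; the function names `Get-LsassSignatureEvents` and `Get-PayloadRestrictionsHosts` are this example's own. Run it from an elevated prompt.

```powershell
# Added example, not from the original thread. Run as Administrator.
# Assumptions: ProcessMitigations module present; Event IDs 11/12 in the
# Microsoft-Windows-Security-Mitigations/KernelMode channel are the
# "non-Microsoft binary load" events referenced in the thread.

# 1. Start in audit mode so any third-party LSA plug-ins (password filters,
#    custom SSPs) show up as events rather than being blocked outright.
#    The policy is stored per image name and applies to new instances, so
#    lsass.exe picks it up at the next boot.
Set-ProcessMitigation -Name lsass.exe -Enable AuditMicrosoftSigned

# Once the audit window is clean, switch to enforcement:
# Set-ProcessMitigation -Name lsass.exe -Enable MicrosoftSignedOnly

# Confirm the configured signature policy for lsass.exe.
(Get-ProcessMitigation -Name lsass.exe).SignedBinary

# 2. Collect the signature-policy events. EventData is dumped generically
#    (name/value pairs) so the code does not depend on exact field names;
#    the lsass.exe filter is applied to the rendered message text.
function Get-LsassSignatureEvents {
    param([int]$MaxEvents = 200)
    $filter = @{
        LogName = 'Microsoft-Windows-Security-Mitigations/KernelMode'
        Id      = 11, 12
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Data        = $data
                Message     = $_.Message
            }
        } |
        Where-Object { $_.Message -match 'lsass\.exe' }
}

Get-LsassSignatureEvents | Select-Object TimeCreated, Id, Message | Format-List

# 3. Which running processes have the EMET-derived mitigations active?
#    PayloadRestrictions.dll is the module that implements them, so its
#    presence in a process is the tell the thread describes. Protected
#    processes refuse module enumeration and are skipped via try/catch.
function Get-PayloadRestrictionsHosts {
    Get-Process | ForEach-Object {
        try {
            if ($_.Modules.ModuleName -contains 'PayloadRestrictions.dll') { $_ }
        } catch { }
    } | Select-Object Id, ProcessName, Path
}

Get-PayloadRestrictionsHosts
```

If `Get-WinEvent` returns nothing, check that the channel is enabled (`wevtutil gl Microsoft-Windows-Security-Mitigations/KernelMode`, and `wevtutil sl <channel> /e:true` to enable it). The audit-before-enforce order matters: enforcement on lsass.exe blocks any non-Microsoft LSA extension, so a clean audit log is the evidence that enforcing will not break authentication.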