Here are links and EVTX files from my SANS Blue Team Summit keynote Leave Only Footprints: When Prevention Fails.
- Here are my slides
- Here are the EVTX files
- Sysmon
- The Rise of C2 Frameworks
- Most Popular C2 Frameworks – May 2023
- Busting the Ghost in the Logs - Randy Pargman & Jean-Francois Maes
- Tracking Malware with Import Hashing
- Impacket
- Hydra
- Metasploit
- Sliver
- Enabling logging of failed logons on Windows
Here are a few PowerShell commands to parse the logs (also check out DeepBlueCLI). Sysmon event ID 1 is process creation and ID 8 is CreateRemoteThread; the hashtable must be passed to -FilterHashtable, and the patterns are single-quoted so the $ in ADMIN$ stays literal:
- Any process creation referencing ADMIN$ (the admin share that PsExec-style tools copy their service binary to):
- Get-WinEvent -FilterHashtable @{Path="metasploit-sysmon.evtx";Id=1} | Where-Object {$_.Message -like '*ADMIN$*'} | Format-List
- Any process creation referencing both cmd.exe and wmiprvse.exe (WMI-based remote command execution, where WmiPrvSE.exe is the parent of the shell):
- Get-WinEvent -FilterHashtable @{Path="metasploit-sysmon.evtx";Id=1} | Where-Object {$_.Message -like '*cmd.exe*' -and $_.Message -like '*wmiprvse*'} | Format-List
- CreateRemoteThread (hashdump and process migration inject a thread into another process):
- Get-WinEvent -FilterHashtable @{Path="metasploit-sysmon.evtx";Id=8} | Format-List
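The three one-liners above folded into one function, as an added example that is not from the keynote, the linked EVTX files, or DeepBlueCLI. The function name Get-SysmonLateralMovementSummary is made up for this post. It matches on the Sysmon EventData fields (CommandLine, Image, ParentImage, SourceImage, TargetImage) read from each event's XML instead of substring-matching the rendered Message, because Message is only populated when the Sysmon provider manifest is registered on the machine doing the analysis; an EVTX copied to a clean analysis box still has all of its data in the XML. The WMI rule is stricter than the Message version: it requires WmiPrvSE.exe to be the parent of the process.

```powershell
# Added example: summarise Sysmon lateral-movement indicators from an EVTX file.
# Function name is hypothetical; the path in the usage line matches the EVTX linked above.
function Get-SysmonLateralMovementSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Pull the named EventData fields out of the event XML. Works even when the Sysmon
    # manifest is not registered on the analysis box (rendered Message is empty there).
    function ConvertTo-SysmonData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        return $data
    }

    # Get-WinEvent raises a non-terminating error when an ID is absent from the file;
    # treat that as "no events" rather than aborting the whole run.
    $procCreate = @(Get-WinEvent -FilterHashtable @{Path=$Path; Id=1} -ErrorAction SilentlyContinue)
    $remoteThr  = @(Get-WinEvent -FilterHashtable @{Path=$Path; Id=8} -ErrorAction SilentlyContinue)

    foreach ($e in $procCreate) {
        $d = ConvertTo-SysmonData $e

        # PsExec-style tools copy a service binary to \\target\ADMIN$ before starting it.
        if ($d.CommandLine -like '*ADMIN$*') {
            [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'ADMIN$ share in command line'; Detail = $d.CommandLine }
        }

        # WMI remote execution: WmiPrvSE.exe is the parent of the shell it was asked to run.
        if ($d.ParentImage -like '*\wmiprvse.exe' -and
            ($d.Image -like '*\cmd.exe' -or $d.CommandLine -like '*cmd.exe*')) {
            [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'cmd.exe spawned by WmiPrvSE'; Detail = $d.CommandLine }
        }
    }

    # Every CreateRemoteThread is worth a look: hashdump and migrate both inject into another process.
    foreach ($e in $remoteThr) {
        $d = ConvertTo-SysmonData $e
        [pscustomobject]@{ Time = $e.TimeCreated; Rule = 'CreateRemoteThread'; Detail = "$($d.SourceImage) -> $($d.TargetImage)" }
    }
}

# Usage (constructed path, same file name as the EVTX linked above):
Get-SysmonLateralMovementSummary -Path .\metasploit-sysmon.evtx | Sort-Object Time | Format-Table -AutoSize
```

The function emits objects rather than text, so the same output can go to Export-Csv or be grouped with Group-Object Rule to count hits per technique across several EVTX files.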