Sunday, June 11, 2023

Leave Only Footprints: When Prevention Fails

Here are links and EVTX files from my SANS Blue Team Summit keynote Leave Only Footprints: When Prevention Fails.

Here are a few PowerShell commands to parse the logs (also check out DeepBlueCLI):
  • Any command referencing ADMIN$:
    • Get-WinEvent @{Path="metasploit-sysmon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl
  • Any command referencing both cmd.exe and wmiprvse.exe:
    • Get-WinEvent @{Path="metasploit-sysmon.evtx";id=1} | Where {$_.Message -like "*cmd.exe*" -and $_.Message -like "*wmiprvse*"} | fl
  • Create Remote Thread (Hashdump and process migration):
    • Get-WinEvent @{Path="metasploit-sysmon.evtx";id=8} | fl
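The three checks above, rolled into one triage script as an added example (not from the keynote or DeepBlueCLI). It goes a step beyond the one-liners by parsing the Sysmon EventData fields (Image, ParentImage, CommandLine, SourceImage, TargetImage) instead of wildcard-matching the rendered Message text, and it assumes the export is named metasploit-sysmon.evtx as in the post.

```powershell
# Added example: triage a Sysmon EVTX export for the Metasploit footprints discussed above.
# Assumes the file name metasploit-sysmon.evtx from the post; any Sysmon export works.

function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Sysmon stores its fields as <EventData><Data Name="..."> elements; flatten them to a hashtable.
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-MetasploitFootprints {
    param([string]$Path = 'metasploit-sysmon.evtx')

    # Only process creation (1) and CreateRemoteThread (8) events are needed for these checks.
    $events = Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 1, 8 } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = Get-SysmonEventData -Event $e
        $hits = @()
        switch ($e.Id) {
            1 {
                $src = $d['ParentImage']; $tgt = $d['Image']; $detail = $d['CommandLine']
                # ADMIN$ share in the command line: the psexec-style service push
                if ($detail -like '*ADMIN$*') { $hits += 'ADMIN$ reference' }
                # cmd.exe whose parent is the WMI provider host: WMI-based remote execution
                if ($tgt -like '*\cmd.exe' -and $src -like '*\wmiprvse.exe') {
                    $hits += 'cmd.exe spawned by wmiprvse.exe'
                }
            }
            8 {
                # Every CreateRemoteThread is worth a look: hashdump and process migration both inject
                $src = $d['SourceImage']; $tgt = $d['TargetImage']; $detail = $d['StartFunction']
                $hits += 'CreateRemoteThread'
            }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Host    = $e.MachineName
                Finding = ($hits -join '; ')
                Source  = $src
                Target  = $tgt
                Detail  = $detail
            }
        }
    }
}

Find-MetasploitFootprints | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The field-based checks are stricter than the Message wildcards (the WMI check requires wmiprvse.exe to be the actual parent), so run both forms side by side if you want to compare what each catches.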
