SwiftOnSecurity, 2 Feb
My Sysmon config sees the shell/open reg key being written, if you want to alert on this. /cc
SwiftOnSecurity, 2 Feb
Replying to @SwiftOnSecurity
If you understand the leverage patterns in a system, attackers can develop new methods and you can still catch them, years ahead of time.
SwiftOnSecurity
<TargetObject name="T1042" condition="contains">\command\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command-->
Daniel O'Connor, 2 Feb
Replying to @SwiftOnSecurity
What is the legitimate reason wsreset does that? (i.e. why don't they just update Windows so it doesn't)
SecurityJosh, 3 Feb
Replying to @SwiftOnSecurity
appears to result in this activity not being logged by Sysmon. Not sure if this is a bug with how Sysmon processes underscores? Sysmon V10.42 and schema version 4.23.
SecurityJosh, 4 Feb
Replying to @SwiftOnSecurity @markrussinovich
Hey, is this expected behaviour? Sysmon appears to ignore the underscore character in the exclude rule linked above, resulting in the event being excluded even though the rule doesn't match the target object value.
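An added example, not from the thread or from the SwiftOnSecurity config: an offline checker that loads a Sysmon RegistryEvent rule fragment and reports whether a given TargetObject would be logged under the documented include/exclude semantics (exclude wins over include, matching is case-insensitive). It lets you test a rule set such as the `\command\` include and an exclude containing an underscore against sample key paths before deploying, which is exactly the kind of mismatch the last two tweets describe. The config fragment and key paths are constructed; the condition semantics are my reading of Sysmon's behaviour, not Sysmon's own matching engine.

```python
"""Offline checker for Sysmon RegistryEvent TargetObject rules (added example)."""
import xml.etree.ElementTree as ET

# Constructed fragment: the \command\ include rule from the thread plus an
# exclude rule whose pattern contains an underscore (not SwiftOnSecurity's file).
SYSMON_FRAGMENT = """
<Sysmon schemaversion="4.23">
  <EventFiltering>
    <RuleGroup groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="T1042" condition="contains">\\command\\</TargetObject>
      </RegistryEvent>
      <RegistryEvent onmatch="exclude">
        <TargetObject condition="begin with">HKLM\\SOFTWARE\\Classes\\trusted_app\\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

def _matches(condition, pattern, value):
    """Case-insensitive approximation of Sysmon's condition keywords (assumption)."""
    p, v = pattern.lower(), value.lower()
    if condition == "is":
        return p == v
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "excludes":
        return p not in v
    raise ValueError(f"unsupported condition: {condition}")

def load_rules(xml_text, event="RegistryEvent"):
    """Return (include_rules, exclude_rules) as lists of (condition, pattern)."""
    root = ET.fromstring(xml_text)
    inc, exc = [], []
    for ev in root.iter(event):
        bucket = inc if ev.get("onmatch") == "include" else exc
        for tgt in ev.findall("TargetObject"):
            bucket.append((tgt.get("condition", "is"), tgt.text or ""))
    return inc, exc

def would_log(target_object, rules):
    """True if the event is kept: some include matches and no exclude matches."""
    inc, exc = rules
    if any(_matches(c, p, target_object) for c, p in exc):
        return False
    return any(_matches(c, p, target_object) for c, p in inc)
```

Note that value writes (EventID 13) carry the value name after the key, e.g. `...\shell\open\command\(Default)`, so the trailing backslash in `\command\` makes the rule fire on the value being set rather than on the key being created.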