SwiftOnSecurity
@SwiftOnSecurity
<TargetObject name="T1042" condition="contains">\command\</TargetObject> <!--Windows: Sensitive sub-key under file associations and CLSID that map to launch command--> pic.twitter.com/Lbne87ph84

SwiftOnSecurity
@SwiftOnSecurity
2 Feb

My Sysmon config sees the shell/open reg key being written, if you want to alert on this. /cc @cyb3rops twitter.com/teamcymru/stat…
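An added example, not code from the thread or from the linked config: it applies the include rule quoted above (TargetObject contains `\command\`) to Sysmon RegistryEvent records (Event ID 13) in the XML shape Event Viewer or wevtutil exports. The two events are constructed samples, and the case-insensitive matching is my assumption about how Sysmon's `contains` condition behaves, not something the thread states.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon records exported from Event Viewer / wevtutil.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The include rule from the tweet: alert when TargetObject contains "\command\".
# Assumption: Sysmon string conditions match case-insensitively, so both sides are lower-cased.
RULES = [("T1042", "TargetObject", "contains", "\\command\\")]

def rule_matches(rule, fields):
    name, field, condition, needle = rule
    value = fields.get(field, "")
    if condition == "contains":
        return needle.lower() in value.lower()
    raise ValueError(f"unsupported condition: {condition}")

def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) from one exported Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields

def triage(xml_text):
    """Names of the rules hit by a RegistryEvent SetValue (Event ID 13); [] for anything else."""
    event_id, fields = parse_event(xml_text)
    if event_id != 13 or fields.get("EventType") != "SetValue":
        return []
    return [rule[0] for rule in RULES if rule_matches(rule, fields)]

def make_event(image, target, details):
    """Constructed Event ID 13 record in the exported XML shape (sample data, not a real capture)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>13</EventID></System><EventData>"
        '<Data Name="EventType">SetValue</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetObject">{target}</Data>'
        f'<Data Name="Details">{details}</Data>'
        "</EventData></Event>"
    )

# Constructed samples: a file-association launch command being rewritten, and an unrelated setting.
ASSOC_WRITE = make_event(r"C:\Windows\System32\reg.exe",
                         r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\txtfile\shell\open\command\(Default)",
                         r"C:\Users\Public\unknown.exe %1")
BENIGN_WRITE = make_event(r"C:\Windows\explorer.exe",
                          r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                          "DWORD (0x00000001)")

if __name__ == "__main__":
    for label, event in (("assoc", ASSOC_WRITE), ("benign", BENIGN_WRITE)):
        print(label, triage(event))  # assoc ['T1042'] / benign []
```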

SwiftOnSecurity
@SwiftOnSecurity
2 Feb

If you understand the leverage patterns in a system, attackers can develop new methods and you can still catch them, years ahead of time.

Daniel O'Connor
@DanielOCnr
2 Feb

What is the legitimate reason wsreset does that? (i.e. why don't they just update Windows so it doesn't)

SecurityJosh
@SecurityJosh
3 Feb

github.com/SwiftOnSecurit… appears to result in this activity not being logged by Sysmon.
Not sure if this is a bug with how Sysmon processes underscores?
Sysmon V10.42 and schema version 4.23.

SecurityJosh
@SecurityJosh
4 Feb

Hey @markrussinovich, is this expected behaviour?
Sysmon appears to ignore the underscore character in the exclude rule linked above, resulting in the event being excluded even though the rule doesn't match the target object value.