"an attack from injecting shellcode into memory to post-exploitation situational awareness and lateral movement. In most environments, PowerShell execution with the version delivered with Windows 7 (version 2.0) leaves few artifacts of its usage behind, making it very appealing f…"
T1654 Log Enumeration
79%
"edge of your network, is crucial to find an attacker that has made it past upstream network-based solutions. Almost all of our customers respond to this recommendation with a counter-question along the lines of: “Hey [BHIS tester], we have thousands of endpoints. How can…"
T1685.001 Disable or Modify Windows Event Log
75%
". Microsoft also offers solutions and strategies to consolidate endpoint logs. For this post, we chose to use nxlog. The folks at nxlog.co offer a free (community edition) and an enterprise version. The community edition should be sufficient for most Windows endpoint logging t…"
T1654 Log Enumeration
67%
"> Operational. By default, Sysmon logging will create a fair amount of log noise. This is why a configuration file should be used at install time to filter events at the endpoint that are known to be good, or to alert on specifically known bad. This way, you won’t be shipping…"
T1654 Log Enumeration
54%
"probably PowerShell script block logging and PowerShell module logging. Module logging will record pipeline execution details in event ID 4103 and has details on scripts and formatted data from the output. Script block logging will record code as it is executed by the PowerShell…"
T1055.001 Dynamic-link Library Injection
41%
"an attack from injecting shellcode into memory to post-exploitation situational awareness and lateral movement. In most environments, PowerShell execution with the version delivered with Windows 7 (version 2.0) leaves few artifacts of its usage behind, making it very appealing f…"
T1059.001 PowerShell
40%
"> Operational. By default, Sysmon logging will create a fair amount of log noise. This is why a configuration file should be used at install time to filter events at the endpoint that are known to be good, or to alert on specifically known bad. This way, you won’t be shipping…"
T1685.001 Disable or Modify Windows Event Log
33%
"probably PowerShell script block logging and PowerShell module logging. Module logging will record pipeline execution details in event ID 4103 and has details on scripts and formatted data from the output. Script block logging will record code as it is executed by the PowerShell…"
Summary
Joff Thyer & Derek Banks // Editor’s Note: This is a more in-depth write-up based on the webcast which can be watched here. As penetration testers, we often find ourselves […]