gasilanimation.blogg.se

Windows system indicators of attack
This post is the first in a threat hunting series profiling detection points for common cyber threat actor attack techniques. The series is geared toward network defenders wanting to understand, identify, and protect against these attacks. Each post will briefly describe a technique, when and how it might be used, potential indicators generated, and ways to detect or hunt for those indicators. Praetorian’s goal is for this series to serve as a handy reference for defenders looking to answer the question: How do I detect _?

A note on tools: There are many options when it comes to network defense tooling. Some defenders might have access to full packet captures and robust endpoint telemetry; others might collect only a subset of events from a few sources. In order to present these techniques using a standard nomenclature and accessible toolset, Praetorian will present examples using DetectionLab¹. While the DetectionLab environment might not generate the exact same events as, for example, popular enterprise EDR products, it will produce the same kind of events. Crafty defenders can apply the detection logic presented in these posts to their tools in order to identify potentially malicious activity in different environments.

PsExec is a system administration utility that can execute programs on remote Windows hosts². The tool is a lightweight, standalone utility that can provide interactive access to the programs it runs remotely. Similar functionality is available using things like PowerShell Remoting in newer versions of Windows; however, PsExec’s versatility and ease of use make it a favorite for attackers. Common exploit kits Cobalt Strike and Metasploit each provide PsExec-style capabilities.
