Awesome-Mirrors/my-infosec-awesome
1
0
Fork 0
mirror of https://github.com/pe3zx/my-infosec-awesome.git synced 2024-06-29 23:21:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add sub-category and additional articles about DFIR

Browse Source
This commit is contained in:
pe3zx 2018-01-09 13:35:23 +07:00
parent 17eac273a9
commit c22912820e
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
files/dfir/detecting-apt28.md Normal file
View File

@ -0,0 +1,6 @@
# Detecting APT 28
- Using Event ID 4688 with Command Line logging enabled can trigger on Word calling cscript, wscript, and PowerShell as this is NOT normal.
- A DLL is used to infect the system using a batch file to load it which runs `RunDll32`. Alerts on `RunDll32` using 4688 with Command Line logging could trigger on this behavior.
- If using Windows Firewall logging, which does NOT require using the Windows Firewall, Detecting the IPs used to communicate to the C2 server with 5156 events.
- Monitoring changes to well known AutoRun registry locations could detect this behavior using a 4657 event. An Autoruns scanner like LOG-MD can also discover these malicious changes. This payload used the following key: `HKCU\Environment\UserInitMprLogonScrip`