From c22912820e82ccc620154d3d77a26a23eabf453c Mon Sep 17 00:00:00 2001 From: pe3zx Date: Tue, 9 Jan 2018 13:35:23 +0700 Subject: [PATCH] Add sub-category and additional articles about DFIR --- files/dfir/detecting-apt28.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 files/dfir/detecting-apt28.md diff --git a/files/dfir/detecting-apt28.md b/files/dfir/detecting-apt28.md new file mode 100644 index 0000000..8e8a8ee --- /dev/null +++ b/files/dfir/detecting-apt28.md @@ -0,0 +1,6 @@ +# Detecting APT 28 + +- Using Event ID 4688 with Command Line logging enabled can trigger on Word calling cscript, wscript, and PowerShell as this is NOT normal. +- A DLL is used to infect the system using a batch file to load it which runs `RunDll32`. Alerts on `RunDll32` using 4688 with Command Line logging could trigger on this behavior. +- If using Windows Firewall logging, which does NOT require using the Windows Firewall, Detecting the IPs used to communicate to the C2 server with 5156 events. +- Monitoring changes to well known AutoRun registry locations could detect this behavior using a 4657 event. An Autoruns scanner like LOG-MD can also discover these malicious changes. This payload used the following key: `HKCU\Environment\UserInitMprLogonScrip`
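Review bot: the registry value name in the last bullet of this hunk is truncated: `HKCU\Environment\UserInitMprLogonScrip` should read `HKCU\Environment\UserInitMprLogonScript` (the per-user logon-script value that userinit.exe honours); as written, anyone pasting the path into a 4657 filter or an Autoruns rule will never match the real key. Two smaller points in the same hunk: the 5156 bullet is a sentence fragment ("...which does NOT require using the Windows Firewall, Detecting the IPs used...") and blurs two different sources, since 5156 is a Security-log event from the Audit Filtering Platform Connection subcategory rather than an entry in the firewall's own text log, so suggest "If Audit Filtering Platform Connection is enabled (this does not require the Windows Firewall to be turned on), 5156 events record the destination IPs used to reach the C2 server." The 4657 bullet would also benefit from the caveat that the event is only generated when Audit Registry is enabled and the key carries a SACL; without one, the Autoruns-style scan mentioned in the same bullet is the only thing that will catch the change.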