mirror of
https://github.com/pe3zx/my-infosec-awesome.git
synced 2024-12-24 23:29:37 -05:00
Add sub-category and additional articles about DFIR
This commit is contained in:
parent
17eac273a9
commit
c22912820e
6
files/dfir/detecting-apt28.md
Normal file
@ -0,0 +1,6 @@
# Detecting APT 28
- Using Event ID 4688 with Command Line logging enabled can trigger on Word calling cscript, wscript, and PowerShell as this is NOT normal.
- A DLL is used to infect the system using a batch file to load it which runs `RunDll32`. Alerts on `RunDll32` using 4688 with Command Line logging could trigger on this behavior.
- If using Windows Firewall logging, which does NOT require using the Windows Firewall, Detecting the IPs used to communicate to the C2 server with 5156 events.
- Monitoring changes to well known AutoRun registry locations could detect this behavior using a 4657 event. An Autoruns scanner like LOG-MD can also discover these malicious changes. This payload used the following key: `HKCU\Environment\UserInitMprLogonScrip`
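Review bot: the registry path in the last bullet, `HKCU\Environment\UserInitMprLogonScrip`, looks truncated: the logon-script value used for this persistence technique is `UserInitMprLogonScript`, so the trailing `t` should be restored before anyone copies it into a search. Two smaller points in the same hunk: the 4657 guidance should say that the event only fires when object-access auditing is enabled and a SACL is set on that key, otherwise readers will expect alerts that never arrive; and the third bullet is a sentence fragment ("If using Windows Firewall logging, ... Detecting the IPs used ...") that could read "If Windows Firewall logging is enabled (which does NOT require using the Windows Firewall), 5156 events can identify the IPs used to communicate with the C2 server."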