We will replace all the attack techniques of our incident with more advanced ones, which lead to the same result, but allow the attacker to bypass the detection rules developed and demonstrated in the previous article. Let us assume that the attacker is well aware of the standard audit capabilities of the Windows OS and free solutions such as Sysmon from the Sysinternals suite. In this article, we will increase the complexity of the incident demonstrated last time. However, the techniques applied in this incident are common in the criminal community and are used in all kinds of attacks, including targeted. The incident we looked at was quite simple and could have been detected by standard audit capabilities of the Windows operating system. In the second publication, we delved deeper and demonstrated Threat Hunting in action with an example of a potential incident and tested several hypotheses to detect various techniques used by attacker in this incident. In the first publication from the series of articles, we have explored the Threat Hunting approach, its difference from the classical approach to cybersecurity incident monitoring and the essential components for integrating this method. Hunting for advanced Tactics, Techniques and Procedures (TTPs) Introduction
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |