Showing Posts About
Sysmon
-
Alfie Champion 
Riccardo Ancarani - 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #3
This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #4
This article explores lateral movement techniques using PsExec in Windows environments. It details detection strategies for identifying suspicious remote execution activities through Windows event logs and Sysmon telemetry. Key detection opportunities include monitoring service creation events, process creation logs, and named pipe interactions during remote command execution.
- Alfie Champion
- 8 Jul 2020
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5
This article explores lateral movement techniques using Windows Management Instrumentation (WMI) in cybersecurity attack detection. The lab demonstrates detection strategies for both native WMIC commands and Impacket's wmiexec tool. Key detection opportunities include analyzing process creation events, network traffic patterns, and examining parent-child process relationships during WMI-based lateral movement attacks.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #1
This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #2
This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.