Events Ripper Update

Yet again, recent incidents have led to Events Ripper being updated. This time, it’s an updated plugin, and a new plugin.

appissue.pl – I updated this plugin based on Josh’s finding and Tweet; I can’t say that I’ve ever seen this event before, but when Josh mentioned it, I thought, hey, this is a great way to go about validating activity! Okay, so here’s a batch file, and we see commands run via EDR telemetry…but do they succeed? We may assume that they do, but it’s a pretty straightforward process to validate these findings; in the incident that Josh reported, it turns out that the driver being loaded failed because it was blocked. Correlate that event with the other two events that Josh pointed out, and you’ve got pretty decent evidence indicating that while an infection was attempted and the driver was created within the file system, it’s not loading. This gives us some headspace for our investigation, and provides evidence we can report to regulatory oversight bodies, etc.

sec5381.pl – I created this plugin as a result of analysis conducted during a recent investigation into the use of credential theft tools. We’d seen the use of a number of credential theft tools…lazagne, mimikatz, VNCPassView, PasswordFox64, etc. Some of these triggered alerts, so I started by creating

[…]

This article has been indexed from Windows Incident Response