Events Ripper Updates

I uploaded a couple of new updates to Events Ripper plugins in the repo recently…

defender.pl – added a check for event ID 2050 records, indicating that Defender uploaded a sample (as opposed to event ID 2051 records, indicating that a file could not be sent). The plugin now displays the file path and name, as well as the hash.
filter.pl – added a check for event ID 5152 records, indicating that WFP blocked a packet. The plugin displays the source IP address of the packet, but not the direction (usually inbound), ports, or destination IP address (will likely be the endpoint itself, or broadcast). When looking at this output, keep the endpoint IP address in mind…you may see connection attempts from other subnets, or from public IP addresses.

This article has been indexed from Windows Incident Response