Discover and read the best of Twitter Threads about #t1036

🦖Day 14 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: 'Windows[.]Detection[.]BinaryRename'

Author: @mgreen27

Link: docs.velociraptor.app/exchange/artif…
This artifact will detect renamed binaries commonly abused by adversaries.

Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, ranging from commodity malware to nation states.
Here, we can see 'cmd.exe' was renamed in an attempt to appear as a legitimate instance of 'lsass.exe'.
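The usual way to catch this class of rename is to compare the name a process presents on disk with the OriginalFilename stored in its PE version resource: a file called lsass.exe whose version resource says Cmd.Exe is the thread's example. The script below is an added illustration of that check and is not the Velociraptor artifact's own query; it assumes the version-resource lookup has already been done (by an EDR, a Velociraptor query, or a PE parser) and that the result is passed in as plain fields. The process records, the `ProcessRecord`/`Finding` types and the `COMMONLY_RENAMED` set are all constructed for the example.

```python
"""Flag processes whose on-disk file name differs from the OriginalFilename in
their PE version resource (MITRE ATT&CK T1036, Masquerading).

Added example, not the Velociraptor artifact's own logic. The VersionInfo
lookup is assumed to have happened upstream; records arrive as plain fields.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
import ntpath

# Constructed, illustrative set of binaries that are frequently renamed by
# adversaries; a real deployment would tune this to its own telemetry.
COMMONLY_RENAMED = {"cmd", "powershell", "rundll32", "regsvr32", "mshta", "certutil"}


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    exe_path: str                      # image path as reported by the process list
    original_filename: Optional[str]   # VersionInfo OriginalFilename, None if absent


@dataclass(frozen=True)
class Finding:
    pid: int
    observed_name: str       # file name the process is running under
    original_filename: str   # name the PE version resource claims
    high_interest: bool      # True when the real binary is a commonly abused one


def _stem(name: str) -> str:
    """Lower-case file name without path or extension, so 'CMD.EXE', 'cmd.exe'
    and 'C:\\Windows\\System32\\cmd.exe' all normalise to 'cmd'. Comparing stems
    avoids false positives from case differences or .EXE/.exe spelling."""
    base = ntpath.basename(name.strip())
    return ntpath.splitext(base)[0].lower()


def classify(rec: ProcessRecord) -> str:
    """Return 'unknown' when no OriginalFilename is available (unsigned or
    resource-less binaries), 'renamed' on a mismatch, otherwise 'ok'."""
    if not rec.original_filename:
        return "unknown"
    return "renamed" if _stem(rec.exe_path) != _stem(rec.original_filename) else "ok"


def detect_renamed(records: Iterable[ProcessRecord]) -> List[Finding]:
    """Collect one Finding per process whose on-disk name does not match its
    version-resource name."""
    findings = []
    for rec in records:
        if classify(rec) == "renamed":
            real = _stem(rec.original_filename)
            findings.append(Finding(
                pid=rec.pid,
                observed_name=ntpath.basename(rec.exe_path),
                original_filename=rec.original_filename,
                high_interest=real in COMMONLY_RENAMED,
            ))
    return findings


def unknown_pids(records: Iterable[ProcessRecord]) -> List[int]:
    """Processes the check cannot judge; worth a separate, lower-priority review."""
    return [r.pid for r in records if classify(r) == "unknown"]


# Constructed sample process listing (not real telemetry).
SAMPLE_PROCESSES = [
    ProcessRecord(4520, r"C:\Windows\System32\lsass.exe", "lsass.exe"),            # genuine
    ProcessRecord(7812, r"C:\Users\Public\lsass.exe", "Cmd.Exe"),                  # cmd.exe renamed
    ProcessRecord(1234, r"C:\Windows\System32\svchost.exe", "svchost.exe"),        # genuine
    ProcessRecord(9001, r"C:\Temp\update.exe", None),                              # no version info
    ProcessRecord(3344, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "PowerShell.EXE"),                                               # case differs only
]

if __name__ == "__main__":
    for f in detect_renamed(SAMPLE_PROCESSES):
        tag = "HIGH" if f.high_interest else "info"
        print(f"[{tag}] pid={f.pid} running as {f.observed_name!r} "
              f"but version resource says {f.original_filename!r}")
    print("unreviewable (no OriginalFilename):", unknown_pids(SAMPLE_PROCESSES))
```

Two design points carry over to a real rule: compare normalised stems rather than raw strings, because a legitimate PowerShell.EXE would otherwise trip a string-equality check, and keep "no version info" as its own outcome rather than folding it into either "ok" or "renamed", since an absent OriginalFilename is neither proof of tampering nor a clean bill of health.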