How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have a 3rd party software installed. The same logs provide the computer name and/or the computer IP.
Creating a baseline for servers is easy because they perform the same actions over and over again. So:
1. Create a baseline for network connections for those servers (a process connection baseline can be bypassed)
2. Hunt for the anomalies
Baselining might be a bit difficult, but I don't think it requires too much time.
What if the software is installed on all computers (servers/workstations)? 🤔 #Kaseya #KaseyaVSA
Here is how to hunt/detect 60% (possibly more than 60%) of lateral movement attacks:
On ALL endpoints, look for EID 4624 with LogonType 9 (NewCredentials), and check the TargetOutboundUserName field. 1/4 #threathunting #dfir #lateralmovement
Then, check if the TargetOutboundUserName is supposed to be seen on the endpoint. Here is why:
Attackers most likely spawn a new process on the compromised machine with the credentials/tokens they steal. This is done by using the "/NETONLY" flag. 2/4
"/NETONLY" flag generates a new logon on the endpoint with the EID 4624 LogonType 9.
LogonType 9 is quite rare in an environment, usually <1% of all logon events. Therefore, it is quite easy to hunt for this event. 3/4
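The hunt described in this thread, as an added example that is not part of the original posts: it walks a set of constructed 4624 records, flags every LogonType 9 (NewCredentials) logon whose TargetOutboundUserName is not in a per-endpoint baseline, and reports how rare LogonType 9 is among all 4624 events. The hostnames, account names and the EXPECTED_OUTBOUND baseline are assumptions made up for the sample.

```python
from collections import Counter

# Constructed per-endpoint baseline of TargetOutbound accounts that are expected
# to appear in LogonType 9 events. Hosts not listed get an empty set, so any
# NewCredentials logon on them is flagged.
EXPECTED_OUTBOUND = {
    "SRV-BACKUP01": {"CORP\\svc_backup"},   # backup server legitimately uses /NETONLY
    "WS-FINANCE07": set(),                  # workstations: no NewCredentials logons expected
}

# Constructed sample Security-log 4624 records (EventData field names as in Windows).
SAMPLE_EVENTS = [
    {"Computer": "SRV-BACKUP01", "EventID": 4624, "LogonType": 9, "SubjectUserName": "svc_backup",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "svc_backup"},
    {"Computer": "WS-FINANCE07", "EventID": 4624, "LogonType": 2, "SubjectUserName": "jdoe",
     "TargetOutboundDomainName": "-", "TargetOutboundUserName": "-"},
    {"Computer": "WS-FINANCE07", "EventID": 4624, "LogonType": 9, "SubjectUserName": "jdoe",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "da_admin"},
    {"Computer": "WS-HR03", "EventID": 4624, "LogonType": 3, "SubjectUserName": "asmith",
     "TargetOutboundDomainName": "-", "TargetOutboundUserName": "-"},
    {"Computer": "WS-HR03", "EventID": 4624, "LogonType": 9, "SubjectUserName": "asmith",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "svc_backup"},
]

def outbound_account(event):
    """Build DOMAIN\\user from the TargetOutbound* fields of a 4624 record."""
    return f"{event['TargetOutboundDomainName']}\\{event['TargetOutboundUserName']}"

def hunt_netonly_logons(events, expected=EXPECTED_OUTBOUND):
    """Flag LogonType 9 logons whose outbound account is not baselined for the host.
    Returns (alerts, share_of_type9): alerts is a list of
    (Computer, outbound account, SubjectUserName) tuples, share_of_type9 is the
    fraction of 4624 events that are LogonType 9 (the thread's "usually <1%" check)."""
    alerts, counts = [], Counter()
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        counts["all"] += 1
        if ev.get("LogonType") != 9:
            continue
        counts["type9"] += 1
        host, account = ev["Computer"], outbound_account(ev)
        if account not in expected.get(host, set()):
            alerts.append((host, account, ev["SubjectUserName"]))
    share = counts["type9"] / counts["all"] if counts["all"] else 0.0
    return alerts, share

if __name__ == "__main__":
    found, share = hunt_netonly_logons(SAMPLE_EVENTS)
    print(f"LogonType 9 share of 4624 events: {share:.1%}")
    for host, account, subject in found:
        print(f"ALERT {host}: {subject} created a NewCredentials logon as {account}")
```

On real data the baseline is built from historical LogonType 9 events per host, and the alerts are the rows whose outbound account has never been seen there before.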