Detection Quiz!💡
Look at the process creation events depicted below:
1. Can you recognise the technique?
2. Map it to the @MITREattack
3. Which tool was most likely used?
4. Detection ideas?
The 1st question is the key to answering the rest☝️
3. Find the 1st answer. Then combine things and use Google😉
1. I'd say this is the hardest-to-detect technique in this "class" of techniques.
4. Bonus question: Unfortunately, we can't use Sysmon for detection here: it misses one important field.
Name this field and ask @markrussinovich to add it😉
Received awesome answers from @Cyb3rSn0rlax, great work man👏
Please don't google a lot; use my quizzes to train your analyst/detection mindset.
1. Look at the Integrity levels - what's happening here?
Are you conducting SOC analyst interviews? You can use my quizzes, but be sure your candidate hasn't seen them on Twitter😉 And don't allow them to use Google; look at how your candidates think and reason.
I've already received the correct answers for most of the questions. Who can provide *all* the correct answers?
@singe, will you try?) You were great on the last quiz.
Please, don't google a lot. Look at the events, read the docs, analyse events, use MITRE.
Open Windows Internals🙈😆
Thanks to everyone for participating in the 5th detection Quiz!
I'd like to mention @Cyb3rSn0rlax, @Antonlovesdnb and @atn1ght1 - great answers, folks👏
I'm starting to post the answers. If you want to participate, don't look at the answers and go straight to the tweet below:
1. Looking at the event sequence, we see that "Medium" IL Powershell.exe spawns "Medium" IL Wusa.exe, then we see consent.exe and "High" IL Wusa start. Finally, the strangest event appears: "Medium" powershell starts "High" cmd.exe🤔 What's happening here?
I recently consulted for a company about #NTLM-family protocols. They had various monitoring & hardening questions.
So, I decided to post some of their questions with the answers: 1. The LM protocol is old and weak - how can we monitor its usage?
1. In general, you can monitor it using the "Package Name" field of 4624/4625 events. But keep in mind that LM is disabled by default starting with Win7/WS2008R2.
So, if you still have some old machines using it, LM is definitely not the biggest problem for you😵
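The check described above, as an added example (not code from the original thread): it parses Security events 4624/4625 in the XML shape the event log returns, reads the "Package Name (NTLM only)" field (EventData/Data[@Name='LmPackageName']) and reports every logon that used LM or NTLMv1, grouped by account and source. The event records are constructed for the example and trimmed to the fields the check needs; the account names and IP addresses are invented.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Package names that mean a weak NTLM-family protocol was used.
# "NTLM V2" and "-" (non-NTLM packages such as Kerberos) are left alone.
WEAK_PACKAGES = {"LM", "NTLM V1"}


def build_event(event_id, **data):
    """Build a minimal Security event in the XML shape the event log returns.
    Used only to construct the sample input below (constructed data, not real logs)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed sample log. Field names follow the real 4624/4625 EventData schema.
SAMPLE_EVENTS = [
    build_event(4624, TargetDomainName="CORP", TargetUserName="alice", LogonType=3,
                AuthenticationPackageName="NTLM", LmPackageName="NTLM V2", IpAddress="10.0.0.5"),
    build_event(4624, TargetDomainName="CORP", TargetUserName="bob", LogonType=2,
                AuthenticationPackageName="Kerberos", LmPackageName="-", IpAddress="-"),
    build_event(4624, TargetDomainName="CORP", TargetUserName="svc_backup", LogonType=3,
                AuthenticationPackageName="NTLM", LmPackageName="LM", IpAddress="10.0.0.77"),
    build_event(4625, TargetDomainName="CORP", TargetUserName="legacyuser", LogonType=3,
                AuthenticationPackageName="NTLM", LmPackageName="NTLM V1", IpAddress="10.0.0.88"),
    build_event(4624, TargetDomainName="CORP", TargetUserName="svc_backup", LogonType=3,
                AuthenticationPackageName="NTLM", LmPackageName="NTLM V1", IpAddress="10.0.0.77"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: EventID plus every EventData/Data field by name."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **data}


def weak_ntlm_logons(xml_events):
    """Return one finding per 4624/4625 whose LmPackageName is LM or NTLM V1."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["EventID"] not in (4624, 4625):
            continue
        if ev.get("LmPackageName") not in WEAK_PACKAGES:
            continue
        findings.append({
            "EventID": ev["EventID"],
            "Outcome": "success" if ev["EventID"] == 4624 else "failure",
            "Package": ev["LmPackageName"],
            "Account": f'{ev.get("TargetDomainName", "")}\\{ev.get("TargetUserName", "")}',
            "LogonType": ev.get("LogonType", ""),
            "Source": ev.get("IpAddress", ""),
        })
    return findings


def summarize(findings):
    """Count findings per (package, account, source): who still talks LM/NTLMv1, and from where."""
    return Counter((f["Package"], f["Account"], f["Source"]) for f in findings)


if __name__ == "__main__":
    hits = weak_ntlm_logons(SAMPLE_EVENTS)
    for key, n in summarize(hits).most_common():
        print(n, key)
```

Grouping by account and source is the useful part: on a real log the few remaining LM/NTLMv1 talkers are usually a handful of old hosts or service accounts, which is the list you need before raising LmCompatibilityLevel. Note that 4625 carries the same field, so failed attempts from legacy clients show up too.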
2. Can we block NTLM protocols on our Firewall?
No. The NTLM family doesn't have a default transport protocol, so there are no default ports associated with these protocols. The most common transports are SMB, HTTP and SMTP.
Other mechanisms exist for disabling them, see below.
I see the Quiz is not easy for many, so let's look at particular events together and learn a little bit.
Let's try to think like analysts! 1. "Medium" IL powershell.exe spawns "Medium" IL Wusa.exe. UAC is enabled on the machine, so this is expected behaviour:
1.1 As we know, Wusa.exe has "autoElevate" = TRUE in its manifest, which means it will be automatically elevated by UAC without a consent prompt (except in "AlwaysNotify" mode). So svchost.exe spawns consent.exe:
1.2 The next part is very interesting. You'd say powershell.exe spawns "High" IL wusa.exe. Of course it doesn't! The real parent of wusa is the "System" IL svchost.exe, which then replaces the parent process with powershell.exe (as the initiator). Look at the event below:
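A triage heuristic for the process-creation sequence walked through above, as an added example (my code, not the thread author's answer to the quiz): it takes process-creation events carrying the parent the logging tool reports, flags every child whose integrity level is higher than that reported parent's, and treats the elevation as expected only when the child image is an autoElevate binary and an unconsumed consent.exe start from svchost.exe precedes it within a short window. The event list mirrors the thread's sequence and is constructed for the example (PIDs invented); the autoElevate list holds only wusa.exe because that is the one binary the thread names, and would be extended in a real deployment.

```python
IL_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

# Assumption: only the binary named in the thread; extend with the other
# autoElevate images present in your environment.
AUTO_ELEVATE_IMAGES = {"wusa.exe"}

# Constructed sample sequence (not real logs), in the order the thread describes:
# Medium powershell -> Medium wusa, svchost -> consent, then a High wusa whose
# *reported* parent is powershell, then a High cmd.exe also reported under powershell.
SAMPLE_EVENTS = [
    {"seq": 0, "pid": 50,  "ppid": 4,   "image": "svchost.exe",    "il": "System"},
    {"seq": 1, "pid": 100, "ppid": 1,   "image": "powershell.exe", "il": "Medium"},
    {"seq": 2, "pid": 200, "ppid": 100, "image": "wusa.exe",       "il": "Medium"},
    {"seq": 3, "pid": 300, "ppid": 50,  "image": "consent.exe",    "il": "System"},
    {"seq": 4, "pid": 400, "ppid": 100, "image": "wusa.exe",       "il": "High"},
    {"seq": 5, "pid": 500, "ppid": 100, "image": "cmd.exe",        "il": "High"},
]


def triage(events, consent_window=3):
    """Return one verdict per child whose IL exceeds its reported parent's IL.

    Each consent.exe start from svchost.exe is treated as one pending UAC elevation
    and is consumed by the first elevated child that follows it within the window,
    so a second elevation without its own consent.exe is flagged."""
    by_pid = {e["pid"]: e for e in events}
    pending_consents = []   # seq numbers of consent.exe starts not yet matched
    verdicts = []
    for e in sorted(events, key=lambda x: x["seq"]):
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue   # parent not in our window of events; nothing to compare against
        if e["image"].lower() == "consent.exe" and parent["image"].lower() == "svchost.exe":
            pending_consents.append(e["seq"])
            continue
        if IL_RANK[e["il"]] <= IL_RANK[parent["il"]]:
            continue   # no integrity escalation across this reported parent/child edge
        # Drop consents that are too old to plausibly belong to this elevation.
        pending_consents = [s for s in pending_consents if e["seq"] - s <= consent_window]
        consented = bool(pending_consents)
        if consented:
            pending_consents.pop(0)
        if consented and e["image"].lower() in AUTO_ELEVATE_IMAGES:
            verdict = "expected: autoElevate image, consent.exe preceded it"
        elif consented:
            verdict = "review: elevation after consent.exe for a non-autoElevate image"
        else:
            verdict = "suspicious: elevation with no preceding consent.exe"
        verdicts.append({"seq": e["seq"], "image": e["image"], "parent": parent["image"],
                         "from": parent["il"], "to": e["il"], "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(v)
```

On the constructed sequence the High wusa.exe (seq 4) comes out as expected, because it is an autoElevate image and consumes the consent.exe at seq 3, while the High cmd.exe (seq 5) has no consent.exe left to pair with and is flagged. The heuristic relies on the parent field the tool reports, which, as the thread points out, is the initiator rather than the real creator for UAC-elevated children; pairing with consent.exe is what lets it tell the two elevations apart.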