a good #dfir reminder (CLR Usage Logs) of Lateral Movement via WinRM using a .NET script to execute stuff on a target host (opsec-wise it won't harm to add this to the cleanup routine after execution, if any)
similar to the EVTX-ATT&CK repo, working on an execution logs dataset (JSON) for basic and common macOS TTPs, 36 examples so far; once I reach 50 examples I will set it to public.
often detections based on file or registry modification/creation (passive) have smaller coverage in time (catch something at moment t) for an attack technique compared to those using process or network telemetry (active) (1/2)
they can be complementary (need them both), but the triage for alerts coming from passive ones often requires grabbing the changed file on disk (not always an option) ... if you have to make one choice I personally go with the active one. (2/2)
#EQL to hunt and detect potential command and control activity with Internet Explorer via COM (correlating process creation with a child network connection), example of malware using this technique: gozi|ursnif
github.com/elastic/detection…
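The correlation the tweet describes, process creation of iexplore.exe followed within a short window by an outbound network connection from that same process, written out in Python as an added example (this is not the linked Elastic rule and not EQL itself; it mimics what an EQL `sequence ... by host, pid with maxspan` does over an event stream). The event fields, the 5-second window, the internal address ranges and the sample events are all constructed assumptions for illustration; the parent process name is carried along only so the hit can be triaged.

```python
"""
Sequence-style correlation: iexplore.exe start -> outbound connection
from the same (host, pid) within a bounded window. Added example, not
the Elastic detection rule; event shape and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Destinations treated as internal and ignored: RFC 1918 plus loopback.
# Assumption for the example; tune to the environment's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Event:
    """Minimal normalised telemetry event (constructed schema)."""
    ts: datetime            # event time, UTC
    category: str           # "process" (creation) or "network" (connection)
    host: str
    pid: int
    process_name: str
    parent_name: str = ""   # process events only; kept for triage
    dest_ip: str = ""       # network events only


def is_internal(ip: str) -> bool:
    """True when the destination falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(events, maxspan: timedelta = timedelta(seconds=5)):
    """Return (process_event, network_event) pairs where iexplore.exe was
    created and, no more than `maxspan` later, the same host/pid connected
    to a non-internal address. Like an EQL sequence, each process start
    is consumed by at most one match."""
    pending = {}   # (host, pid) -> the iexplore.exe creation event
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.process_name.lower() != "iexplore.exe":
            continue
        key = (ev.host, ev.pid)
        if ev.category == "process":
            pending[key] = ev
        elif ev.category == "network":
            start = pending.get(key)
            if start is None:
                continue
            if ev.ts - start.ts > maxspan:
                del pending[key]        # window expired, drop the candidate
                continue
            if is_internal(ev.dest_ip):
                continue                # internal traffic is not what we hunt
            hits.append((start, ev))
            del pending[key]
    return hits


def sample_events():
    """Constructed events: one true sequence (ws01), one outside the window
    (ws02), one internal destination (ws03) and one unrelated process."""
    t0 = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        Event(t0,   "process", "ws01", 4242, "iexplore.exe", parent_name="powershell.exe"),
        Event(s(2), "network", "ws01", 4242, "iexplore.exe", dest_ip="203.0.113.10"),
        Event(t0,   "process", "ws02", 1337, "iexplore.exe", parent_name="explorer.exe"),
        Event(s(40), "network", "ws02", 1337, "iexplore.exe", dest_ip="203.0.113.20"),
        Event(t0,   "process", "ws03", 77,   "iexplore.exe", parent_name="svchost.exe"),
        Event(s(1), "network", "ws03", 77,   "iexplore.exe", dest_ip="10.0.0.5"),
        Event(s(1), "network", "ws04", 9,    "chrome.exe",   dest_ip="203.0.113.30"),
    ]


def detect_sample():
    """Run the correlation over the constructed events."""
    return correlate(sample_events())


if __name__ == "__main__":
    for start, net in detect_sample():
        print(f"{start.host} pid={start.pid} parent={start.parent_name} "
              f"-> {net.dest_ip} after {(net.ts - start.ts).total_seconds()}s")
```

In a real rule the extra filters do the work: which parent processes or command-line flags are expected for COM activation, and which destinations (proxies, update servers) are benign. Those are environment-specific and are deliberately left out here; the window and the per-process pairing are the part that carries over directly to an EQL `sequence`.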