security @elastic

Joined January 2013
12 new traces added to the macOS-ATT&CK repo :) github.com/sbousseaden/macOS…
a good #dfir reminder (CLR Usage Logs) of Lateral Movement via WinRM using a .NET script to execute stuff on a target host (opsec-wise, it won't harm to add this to the cleanup routine after execution, if any)
First time I've come across this new(?) "feature", which may have good potential for abuse
github.com/sbousseaden/macOS… set to public, please feel free to contribute; a few examples:
similar to the EVTX-ATT&CK repo, I'm working on an execution-logs dataset (JSON) repo for basic and common macOS TTPs: 36 examples so far; once I reach 50 examples I'll set it to public.
leaving my laptop unattended for few mins :D
often, detections based on file or registry modification/creation (passive) have smaller coverage in time (they catch something at moment t) for an attack technique compared to those using process or network telemetry (active) (1/2)
they can be complementary (you need both), but the triage of alerts coming from passive ones often requires grabbing the changed file from disk (not always an option) ... if you have to make one choice, I personally go with the active one. (2/2)
#EQL to hunt and detect potential command-and-control activity via Internet Explorer launched through COM (correlating process creation with a child network connection); an example of malware using this technique is Gozi/Ursnif github.com/elastic/detection…
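The correlation the tweet above describes (a process-start event joined to a later network event from the same process, within a time window), worked through as an added Python example. This is not the EQL rule from the linked Elastic repository and not the author's code; it assumes ECS-like field names on constructed sample events, uses the `-Embedding` argument that DCOM passes when it activates an out-of-process server as the "launched via COM" marker, and treats only connections to globally routable addresses as interesting. The EQL shape it mirrors is sketched in a comment and is an assumption about the rule, not its text.

```python
import ipaddress
from datetime import datetime

# Roughly the EQL idea being reproduced (assumed shape, not the repo's rule text):
#   sequence by process.entity_id with maxspan=5m
#     [process where event.type == "start" and process.name : "iexplore.exe"
#                    and process.args : "-Embedding"]
#     [network where process.name : "iexplore.exe"
#                    and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (ECS-like keys, flattened); not real telemetry.
SAMPLE_EVENTS = [
    # p1: user-launched IE (parent explorer.exe, no -Embedding) -> not COM activation
    {"ts": "2023-05-01T10:00:00+00:00", "category": "process", "type": "start",
     "entity_id": "p1", "name": "iexplore.exe", "args": ["iexplore.exe"],
     "parent_name": "explorer.exe"},
    {"ts": "2023-05-01T10:00:02+00:00", "category": "network", "entity_id": "p1",
     "name": "iexplore.exe", "dst_ip": "93.184.216.35"},
    # p2: COM-activated IE (parent svchost.exe, -Embedding), internal then external connection
    {"ts": "2023-05-01T10:05:00+00:00", "category": "process", "type": "start",
     "entity_id": "p2", "name": "iexplore.exe", "args": ["iexplore.exe", "-Embedding"],
     "parent_name": "svchost.exe"},
    {"ts": "2023-05-01T10:05:01+00:00", "category": "network", "entity_id": "p2",
     "name": "iexplore.exe", "dst_ip": "10.0.0.5"},
    {"ts": "2023-05-01T10:05:03+00:00", "category": "network", "entity_id": "p2",
     "name": "iexplore.exe", "dst_ip": "93.184.216.34"},
    # p3: COM-activated IE whose external connection happens 30 minutes later
    {"ts": "2023-05-01T10:10:00+00:00", "category": "process", "type": "start",
     "entity_id": "p3", "name": "iexplore.exe", "args": ["iexplore.exe", "-Embedding"],
     "parent_name": "svchost.exe"},
    {"ts": "2023-05-01T10:40:00+00:00", "category": "network", "entity_id": "p3",
     "name": "iexplore.exe", "dst_ip": "93.184.216.36"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp carried by each sample event."""
    return datetime.fromisoformat(value)


def is_global_ip(ip: str) -> bool:
    """True for publicly routable addresses; private, loopback, link-local etc. are False."""
    return ipaddress.ip_address(ip).is_global


def is_com_launched_ie(event: dict) -> bool:
    """Match the first stage of the sequence: iexplore.exe started with the
    DCOM activation argument -Embedding."""
    if event.get("category") != "process" or event.get("type") != "start":
        return False
    if event.get("name", "").lower() != "iexplore.exe":
        return False
    return any(arg.lower() == "-embedding" for arg in event.get("args", []))


def correlate(events: list, max_span_seconds: int = 300) -> list:
    """Join each COM-launched iexplore.exe start to the network events of the same
    process.entity_id that reach a global address within max_span_seconds.
    Returns (entity_id, destination ip, seconds after process start) tuples."""
    starts = {}  # entity_id -> start time of a matching first-stage event
    hits = []
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if is_com_launched_ie(event):
            starts[event["entity_id"]] = parse_ts(event["ts"])
            continue
        if event.get("category") != "network" or event["entity_id"] not in starts:
            continue
        delta = (parse_ts(event["ts"]) - starts[event["entity_id"]]).total_seconds()
        if 0 <= delta <= max_span_seconds and is_global_ip(event["dst_ip"]):
            hits.append((event["entity_id"], event["dst_ip"], delta))
    return hits


if __name__ == "__main__":
    for entity_id, dst_ip, delta in correlate(SAMPLE_EVENTS):
        print(f"{entity_id}: COM-launched iexplore.exe reached {dst_ip} {delta:.0f}s after start")
```

Only `p2` fires with the default five-minute window: `p1` fails the first stage, `p2`'s connection to 10.0.0.5 is filtered as internal, and `p3`'s external connection lies outside `maxspan`. Widening the window to an hour picks up `p3` as well, which is the trade-off the tweet's "correlating process creation with child network connection" implies: the span bounds how long after activation a beacon is still attributed to the launch.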