Як зіпсувати EventViewer

Все нове – це добре забуте старе.

Створення ключа реєстру HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt ламає Event Viewer.

Очевидно, це можуть використовувати зловмисники. Не забудьте поставити на моніторинг.

Action Plan до CM 2024

0. Перш за все – зібрати логи за допомогою hayabusa з усіх контролерів домену та робочих станцій (Важливо це зробити відразу, щоб не насмітити в логи іншими інструментами) – команда:

1. Зібрати для доменів звіт PingCastle

2. Включити PowerShell Logging

3. Включити поглиблений аудит

4. Перевірити можливість оновлення операційних систем (та оновити ОС)

Читати далі

The Art of Windows Persistence

Оригінал статті

In the realm of Windows persistence, key findings reveal a diverse and sophisticated array of techniques used by attackers to maintain access to systems. These methods range from simple manipulations like startup folder and registry autorun entries to more complex strategies involving service modification, DLL hijacking, and exploitation of Windows Management Instrumentation (WMI) and Component Object Model (COM) interfaces. The use of such techniques highlights the dual-use nature of many Windows features, originally designed for system management and convenience but repurposed for malicious activities. This diversity in methods underscores the importance of comprehensive security measures, including regular system audits and advanced threat detection, to effectively counteract and mitigate these persistent threats.

Читати далі

Monitoring Active Directory for Signs of Compromise

Оригінал статті

The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the “Current Windows Event ID” column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The “Legacy Windows Event ID” column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The “Potential Criticality” column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the “Event Summary” column provides a brief description of the event.

Читати далі