ION28 / BLUESPAWN

An Active Defense and EDR software to empower Blue Teams
GNU General Public License v3.0
1.23k stars 167 forks

Updates to T1050 #140

Closed ION28 closed 4 years ago

ION28 commented 4 years ago

https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190815181010.html

https://github.com/Neo23x0/sigma/blob/master/rules/windows/other/win_tool_psexec.yml

ION28 commented 4 years ago

also look for services with high entropy names (like the ones msf generates)

ION28 commented 4 years ago

https://posts.specterops.io/mimidrv-in-depth-4d273d19e148

ION28 commented 4 years ago

Other additions here (after below, we can close):

source for below: https://posts.specterops.io/mimidrv-in-depth-4d273d19e148

Windows Event ID 7045/4697 — Service Creation
Service Name: “mimikatz driver (mimidrv)”
Service File Name: *\mimidrv.sys
Service Type: kernel mode driver (0x1)
Service Start Type: auto start (2)

Sysmon Event ID 11 — File Creation TargetFilename: *\mimidrv.sys

Sysmon Event ID 6 — Driver Loaded ImageLoaded: *\mimidrv.sys SignatureStatus: Expired
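Added example, not BLUESPAWN code and not from the linked posts: a small C++17 program that applies the indicators collected in this thread to constructed service-creation records. It combines the mimidrv file/name indicators above (the path check is the same one you would run over Sysmon 6 `ImageLoaded` and Sysmon 11 `TargetFilename` values) with a high-entropy service-name heuristic for the random names mentioned earlier. The `ServiceEvent` struct, the entropy and case-transition thresholds, and the "auto-start kernel driver outside System32\drivers" rule are assumptions made for this example; the sample records are constructed, not real telemetry.

```cpp
// Added example (not BLUESPAWN code): detection heuristics over constructed
// Event ID 7045-style service-creation records.
#include <algorithm>
#include <cctype>
#include <cmath>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Assumed shape of a parsed 7045/4697 record (field names follow the event).
struct ServiceEvent {
    std::string name;      // Service Name
    std::string fileName;  // Service File Name (image path)
    int serviceType;       // 0x1 = kernel mode driver, 0x10 = own process
    int startType;         // 2 = auto start, 3 = demand start
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Shannon entropy of the name in bits per character.
double shannonEntropy(const std::string& s) {
    if (s.empty()) return 0.0;
    std::map<char, int> counts;
    for (char c : s) ++counts[c];
    double h = 0.0;
    for (const auto& kv : counts) {
        double p = static_cast<double>(kv.second) / static_cast<double>(s.size());
        h -= p * std::log2(p);
    }
    return h;
}

// Number of lower<->upper switches between adjacent letters inside the name.
int caseTransitions(const std::string& s) {
    int n = 0;
    for (size_t i = 1; i < s.size(); ++i) {
        unsigned char prev = static_cast<unsigned char>(s[i - 1]);
        unsigned char cur = static_cast<unsigned char>(s[i]);
        if (std::isalpha(prev) && std::isalpha(cur) &&
            (std::isupper(prev) != 0) != (std::isupper(cur) != 0))
            ++n;
    }
    return n;
}

// Heuristic (assumption, thresholds picked for this example): a random name has
// nearly all-distinct characters (entropy close to log2(len)) and many case
// switches, whereas CamelCase names like "TrustedInstaller" have few switches.
// Pair this with an allowlist of known service names before alerting on it.
bool looksRandom(const std::string& name) {
    if (name.size() < 8) return false;
    double norm = shannonEntropy(name) / std::log2(static_cast<double>(name.size()));
    return norm >= 0.9 && caseTransitions(name) >= 4;
}

// File indicator from the thread: *\mimidrv.sys (case-insensitive). Usable for
// the 7045 Service File Name, Sysmon 6 ImageLoaded and Sysmon 11 TargetFilename.
bool isMimidrvPath(const std::string& path) {
    return endsWith(toLower(path), "\\mimidrv.sys");
}

// Returns the reasons a record looks suspicious; an empty vector means nothing fired.
std::vector<std::string> assessServiceEvent(const ServiceEvent& ev) {
    std::vector<std::string> reasons;
    std::string lname = toLower(ev.name);
    std::string lfile = toLower(ev.fileName);
    if (isMimidrvPath(ev.fileName) || lname.find("mimidrv") != std::string::npos ||
        lname.find("mimikatz") != std::string::npos)
        reasons.push_back("mimidrv indicator (name or *\\mimidrv.sys path)");
    if (ev.serviceType == 0x1 && ev.startType == 2 &&
        lfile.find("\\system32\\drivers\\") == std::string::npos)
        reasons.push_back("auto-start kernel driver outside System32\\drivers (assumed rule)");
    if (looksRandom(ev.name))
        reasons.push_back("high-entropy service name");
    return reasons;
}

int main() {
    // Constructed sample records, not real telemetry.
    std::vector<ServiceEvent> samples = {
        {"wuauserv", "C:\\Windows\\system32\\svchost.exe -k netsvcs", 0x20, 2},
        {"mimikatz driver (mimidrv)", "C:\\Users\\Public\\mimidrv.sys", 0x1, 2},
        {"BsOlXWqr", "%SYSTEMROOT%\\BsOlXWqr.exe", 0x10, 3},
    };
    for (const auto& ev : samples) {
        std::vector<std::string> reasons = assessServiceEvent(ev);
        std::printf("%-28s %s\n", ev.name.c_str(), reasons.empty() ? "no hit" : "SUSPICIOUS");
        for (const auto& r : reasons) std::printf("    - %s\n", r.c_str());
    }
    return 0;
}
```

In the constructed run, `wuauserv` produces no hit, the mimidrv record fires both the file indicator and the driver-location rule, and the random-looking name fires only the entropy heuristic. The entropy rule alone is weak on eight-character names (a legitimate name with all-distinct letters scores the same entropy), which is why the case-transition count is required as well.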

ION28 commented 4 years ago

Scan service binary paths with yara