eduardomcm
commented
2 years ago https://github.com/eduardomcm/VelociraptorCompetition/blob/main/Windows.Registry.AteraNetworks.yaml This one is simple and helps. Another one would be a simple log parser
Closed mgreen27 closed 2 years ago
eduardomcm
commented
2 years ago https://github.com/eduardomcm/VelociraptorCompetition/blob/main/Windows.Registry.AteraNetworks.yaml This one is simple and helps. Another one would be a simple log parser
mgreen27
commented
2 years ago @eduardomcm thank you! Another good one is probably yara the MFT for Atera (Windows.Forensics.FilenameSearch). I dont imagine that to be too common but need to test it.
mgreen27
commented
2 years ago @eduardomcm just modded your artefact to return config nicely
Also lots of hits in MFT hunting on the string "Atera" that hang around for a while after removal. I couldn't find any interesting logs in my default install and messing around. The platform seems lax in logging. Do you have any examples you can share?
eduardomcm
commented
2 years ago Thanks for the update, looking nice :)
Unfortunately I don't have any examples to share.
In my experience logging is very limited, like you said, and as far as remember the logs are in C:/Program Files (x86)/ATERA Networks/AteraAgent/*
mgreen27
commented
2 years ago Added - https://docs.velociraptor.app/exchange/artifacts/pages/ateranetworks/ closing this issue
Seen several engagements with AteraAgent. Look into a series of artifacts.