TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

The Methods Behind a Huntress Managed Antivirus Investigation | Huntress

2023-01-19

ATT&CK techniques detected

8 predictions

T1569.002 · Service Execution · 84%
“…from the intrusion. Nonetheless, Chainsaw’s hunt mode rips through the Windows Defender EVTX. Here, we’re given some more context on the Defender alerts we saw in the Huntress dashboard. Now we can copy/paste the name of the executable and prepare to detonate Chainsaw in s…”

T1550.002 · Pass the Hash · 74%
“…is the corresponding user name for this SID? - Was the executable Defender detected, attempting a service install, some kind of beacon or lateral movement relic? Tracking down lateral movement now, we need a username and to see if there is any Event ID 4624 evidence of a machine …”

T1021 · Remote Services · 63%
“…is the corresponding user name for this SID? - Was the executable Defender detected, attempting a service install, some kind of beacon or lateral movement relic? Tracking down lateral movement now, we need a username and to see if there is any Event ID 4624 evidence of a machine …”

T1078 · Valid Accounts · 44%
“…is the corresponding user name for this SID? - Was the executable Defender detected, attempting a service install, some kind of beacon or lateral movement relic? Tracking down lateral movement now, we need a username and to see if there is any Event ID 4624 evidence of a machine …”

T1021 · Remote Services · 43%
“…you to conduct security investigations with the same lethality, tenacity and accuracy that Huntress strives for. Lacking in most people — often — is confidence. We see it again and again, in and out of Huntress. Personnel have the capability but lack confidence in their execution…”

T1654 · Log Enumeration · 40%
“…just showing off for the blog! After receiving an alert like this, our first moves will be to collect some choice default forensic telemetry on a Windows machine: - the Windows Event Logs (EVTXs) - Prefetch and PowerShell history - nothing ended up being relevant in here, but…”

T1562.002 · Disable Windows Event Logging · 37%
“…just showing off for the blog! After receiving an alert like this, our first moves will be to collect some choice default forensic telemetry on a Windows machine: - the Windows Event Logs (EVTXs) - Prefetch and PowerShell history - nothing ended up being relevant in here, but…”

T1518.001 · Security Software Discovery · 30%
“The Methods Behind a Huntress Managed Antivirus Investigation | Huntress. At Huntress, we love to thread and share our investigative approaches to our interesting findings internally so other teams can see what we’re up to and learn a thing or two. In this blog, we’ll go on a …”
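The triage steps quoted in the snippets above (collect the event logs, Prefetch and PowerShell history; run Chainsaw hunt mode over the Defender log; resolve the SID from the alert to a username; look for Event ID 4624 evidence of another machine authenticating) put together as one PowerShell script. This is an added example, not code from the Huntress post: the case directory, the SID, the executable name and the Chainsaw rule and mapping paths are placeholders to replace with the values from your own alert, and the script needs to run elevated to export Security.evtx and read Prefetch.

```powershell
# Added example, not from the Huntress post. Placeholder values below must be
# replaced with the SID and executable name taken from the Defender alert.
param(
    [string]$CaseDir    = "C:\Triage\$env:COMPUTERNAME",
    [string]$SuspectSid = "S-1-5-21-1111111111-2222222222-3333333333-1105",  # placeholder
    [string]$SuspectExe = "suspicious.exe"                                    # placeholder
)

New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# 1. Default forensic telemetry: live channels exported to EVTX, Prefetch, PSReadLine history.
foreach ($channel in 'Security', 'System', 'Microsoft-Windows-Windows Defender/Operational') {
    $out = Join-Path $CaseDir (($channel -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $channel $out
}
$pf = New-Item -ItemType Directory -Path "$CaseDir\Prefetch" -Force
Copy-Item 'C:\Windows\Prefetch\*.pf' -Destination $pf.FullName -ErrorAction SilentlyContinue
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.FullName.Split('\')[2]           # C:\Users\<user>\... -> <user>
        Copy-Item $_.FullName "$CaseDir\PSReadLine_$user.txt"
    }

# 2. Chainsaw over the exported logs. Flags follow the Chainsaw README; the sigma/,
#    rules/ and mappings/ paths are local assumptions. Run these from a shell:
#    chainsaw hunt $CaseDir -s .\sigma -r .\rules --mapping .\mappings\sigma-event-logs-all.yml
#    chainsaw search $SuspectExe $CaseDir

# 3. Resolve the SID from the alert to an account name (fails for deleted accounts
#    or for a domain SID on a host that cannot reach a domain controller).
try {
    $account = ([System.Security.Principal.SecurityIdentifier]$SuspectSid).Translate(
                   [System.Security.Principal.NTAccount]).Value
} catch {
    $account = "<unresolved>"
}
"SID $SuspectSid -> $account"

# 4. Event ID 4624 for that SID. Logon types 3 (network) and 10 (RemoteInteractive/RDP)
#    are the ones that show another machine authenticating to this host; the
#    WorkstationName and IpAddress fields name the source.
$logons = Get-WinEvent -FilterHashtable @{ Path = "$CaseDir\Security.evtx"; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            TargetSid  = $d['TargetUserSid']
            User       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType  = [int]$d['LogonType']
            SourceHost = $d['WorkstationName']
            SourceIp   = $d['IpAddress']
            LogonProc  = $d['LogonProcessName']
        }
    } |
    Where-Object { $_.TargetSid -eq $SuspectSid -and $_.LogonType -in 3, 10 }

$logons | Sort-Object Time | Format-Table -AutoSize
$logons | Export-Csv "$CaseDir\4624_$($SuspectSid.Split('-')[-1]).csv" -NoTypeInformation
```

The 4624 filter is deliberately narrow: interactive (type 2) and service (type 5) logons for the same account are normal on the host where the account lives, so keeping only types 3 and 10 leaves the rows that can actually point at the machine the attacker came from. Export the remaining rows with the source host or IP and pivot to that machine's Security.evtx next.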

Summary

In this blog, we’ll go on a short journey of how we dissected a vague Managed Antivirus alert and offer some ideas and methods for security analysts.