Detection Use Cases - Book Reference
Remote Admin Tool Use
PSExec Use
PTFM: Remote Admin tools - pg. 16 (Requires WinEventLogs)
PTFM: PSExec Use - pg. 55 (Requires Registry Changes)
WMI use
PTFM: Remote Admin tools - pg. 16 (Requires Command Line Auditing)
Phishing Detection
Zeek Detection Rule
PTFM: Spearphishing - pg. 17, 83 (Requires Zeek)
Persistence Detection
Unwanted executables and DLLs
Disallow specific .exe
PTFM: Disallow specific executable - pg. 23 (Requires Registry Changes)
Unsigned DLLs
PTFM: Unsigned DLL - pg. 23 (Requires Running CLI Query)
New Scheduled tasks
PTFM: Scheduled Tasks - pg. 27 (Requires PowerShell Query)
PTFM: Scheduled Tasks - pg. 90 (Requires cron.d Audit)
Web Shell Detection
PTFM: Webshell Detection - pg. 30 (Requires Procmon.exe and Process Baseline)
.bashrc and .bash_profile changes
PTFM: Bash changes - pg. 90 (Requires Bash File Audit)
PrivEsc Detection
UAC Bypass
PTFM: UAC Bypass via Event Viewer - pg. 34 (Requires Registry Changes)
PTFM: UAC Bypass via fodhelper.exe - pg. 34 (Requires Registry Changes)
Poorly configured Cron Jobs
PTFM: Poorly configured Cron Jobs - pg. 96
Mimikatz Use
Operator Handbook: Detect Mimikatz - pg. 207
Defense Evasion Detection
Detect Alternate Data Streams
PTFM: Detect Alternate Data Streams - pg. 37 (Requires PowerShell Query)
Detect Rootkits
PTFM: Detect Rootkits - pg. 37 (Requires Memory Dump Tool)
Output of Windows Security Scan
Output of gmer.exe
Output of chkrootkit
Output of ClamAV
Output of rkhunter
Output of Lynis
Endpoint Enumeration/Harvesting Detection
Host Enumeration Detection
PTFM: Windows Host Enumeration Detection Script - pg. 48
PTFM: Linux Host Enumeration Detection Script - pg. 107
Detect LSASS dumping
PTFM: Detect lsass dumping with sysmon - pg. 43 (Requires Sysmon)
Lateral Movement Detection
Pass-the-Hash
PTFM: Pass-the-hash detection with WinEventLogs - pg. 54 (Requires WinEventLogs)
PTFM: Pass-the-hash detection with Sysmon - pg. 55 (Requires Sysmon)
PSExec Use
PTFM: Remote Admin tools - pg. 16 (Requires WinEventLogs)
PTFM: PSExec Use - pg. 55 (Requires Registry Changes)
C2 Detection
Use of Hard Coded IP addresses
PTFM: Hard coded IP use - pg. 65 (Requires Memory dump)
Cloud
AWS
Cloudtrail Monitoring
Operator Handbook: AWS_Defend - pg. 20