Detection Use Cases - Book Reference

  • Remote Admin Tool Use

    • PSExec Use

      • PTFM: Remote Admin tools - pg. 16 (Requires WinEventLogs)

      • PTFM: PSExec Use - pg. 55 (Requires Registry Changes)

    • WMI use

      • PTFM: Remote Admin tools - pg. 16 (Requires Command Line Auditing)

  • Phishing Detection

    • Zeek Detection Rule

      • PTFM: Spearphishing - pg. 17, 83 (Requires Zeek)

  • Persistence Detection

    • Unwanted executables and DLLs

      • Disallow specific .exe

        • PTFM: Disallow specific executable - pg. 23 (Requires Registry Changes)

      • Unsigned DLLs

        • PTFM: Unsigned DLL - pg. 23 (Requires Running CLI Query)

    • New Scheduled tasks

      • PTFM: Scheduled Tasks - pg. 27 (Requires PowerShell Query)

      • PTFM: Scheduled Tasks - pg. 90 (Requires cron.d Audit)

    • Web Shell Detection

      • PTFM: Webshell Detection - pg. 30 (Requires Procmon.exe and Process Baseline)

    • .bashrc and .bash_profile changes

      • PTFM: Bash changes - pg. 90 (Requires Bash File Audit)

  • PrivEsc Detection

    • UAC Bypass

      • PTFM: UAC Bypass via Event Viewer - pg. 34 (Requires Registry Changes)

      • PTFM: UAC Bypass via fodhelper.exe - pg. 34 (Requires Registry Changes)

    • Poorly configured Cron Jobs

      • PTFM: Poorly configured Cron Jobs - pg. 96

    • Mimikatz Use

      • Operator Handbook: Detect Mimikatz - pg. 207

  • Defense Evasion Detection

    • Detect Alternate Data Streams

      • PTFM: Detect Alternate Data Streams - pg. 37 (Requires PowerShell Query)

    • Detect Rootkits

      • PTFM: Detect Rootkits - pg. 37 (Requires Memory Dump Tool)

      • Output of Windows Security Scan

      • Output of gmer.exe

      • Output of chkrootkit

      • Output of ClamAV

      • Output of rkhunter

      • Output of Lynis

  • Endpoint Enumeration/Harvesting Detection

    • Host Enumeration Detection

      • PTFM: Windows Host Enumeration Detection Script - pg. 48

      • PTFM: Linux Host Enumeration Detection Script - pg. 107

    • Detect LSASS dumping

      • PTFM: Detect lsass dumping with sysmon - pg. 43 (Requires Sysmon)

  • Lateral movement Detection

    • Pass-the-Hash

      • PTFM: Pass-the-hash detection with WinEventLogs - pg. 54 (Requires WinEventLogs)

      • PTFM: Pass-the-hash detection with Sysmon - pg. 55 (Requires Sysmon)

    • PSExec Use

      • PTFM: Remote Admin tools - pg. 16 (Requires WinEventLogs)

      • PTFM: PSExec Use - pg. 55 (Requires Registry Changes)

  • C2 Detection

    • Use of Hard Coded IP addresses

      • PTFM: Hard coded IP use - pg. 65 (Requires Memory dump)

  • Cloud

    • AWS

      • Cloudtrail Monitoring

        • Operator Handbook: AWS_Defend - pg. 20
