Many SIEM installations use Sysinternals Sysmon as one of many data sources. Mark Russinovich (Microsoft Azure CTO, co-creator of Sysinternals) released a video explaining some of the new features of Sysmon 11, which was released on 28 April.
A useful new feature is archiving a file just before it is deleted. Some attackers delete their tools after gathering information. In order to analyse those tools, or even to search for their MD5 hashes or imphashes across the environment, the Sysmon 11 archiving function can be helpful.
(Source: https://www.youtube.com/watch?v=_MUP4tgdM7s)
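As an added example (not code from the post or from the Sysinternals team), here is a minimal Sysmon configuration that turns on the file-delete archiving described above. The schemaversion value is assumed to be the one Sysmon 11 expects; compare it with the schema printed by `sysmon -s` on the installed version. The file-type filters are illustrative choices, not a recommendation from the original post.

```xml
<Sysmon schemaversion="4.30">
  <!-- Hashes are recorded in every event, including FileDelete (Event ID 23).
       Including imphash lets you pivot from an archived binary to other samples. -->
  <HashAlgorithms>sha256,imphash</HashAlgorithms>
  <!-- Name of the directory Sysmon creates in the root of each volume
       (for example C:\Sysmon). Sysmon protects it with a SYSTEM-only ACL,
       so a process running as an ordinary user cannot clean it up as well. -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <!-- onmatch="include": only deletions matching a rule below are logged
         and archived. Restricting the file types keeps the archive directory
         from filling up with every temporary file written on the host. -->
    <RuleGroup name="FileDelete archive" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
        <TargetFilename condition="end with">.bat</TargetFilename>
        <TargetFilename condition="end with">.vbs</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install it with `sysmon -accepteula -i sysmon-config.xml`, or load it into an existing installation with `sysmon -c sysmon-config.xml`. Each resulting Event ID 23 record carries the deleting process, the TargetFilename, the configured hashes and an Archived field, which is what a SIEM rule can key on; the copy in the archive directory can then be matched back to the event through its hash for offline analysis.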