Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like.

Detects the invocation of TabTip via CLSID, as seen when JuicyPotatoNG is used on a system in brute-force mode.

Detects the execution of different compiled Windows binaries of the Impacket toolset (based on names or parts of their names; this could lead to false positives).

Detects command-line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service.

Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows.

Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. The usage of this RPC function should be rare, if it is ever used at all. Thus any usage of this RPC function is uncommon enough that it should warrant further investigation to determine whether it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.