Good news! The HackBusters community is waiting for you! https://discuss.hackbusters.com
KnowBe4 has been running the HackBusters site for a few years now, providing you with trending IT security news. We are expanding it and have launched an exciting new online community! The forum is divided into four main topics or categories: Social Engineering, Ransomware, Phishing and Security Awareness Training. You are invited to be one of the first to join us at: https://discuss.hackbusters.com.

SilkETW: Because Free Telemetry is...Free!


In the following example, we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with this command:

SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in (Figure 2).


Figure 2:PowerShell event filtering
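The same sort-and-filter step can be done offline in a few lines of Python. The script below is an added example, not code from the FireEye post or the SilkETW project. It assumes the record layout shown in the SilkETW README (top-level EventName, ProcessID and ProcessName fields plus a nested XmlEventData object) and that the kernel ImageLoad payload exposes the loaded module path as XmlEventData.FileName; verify both against your own capture. The sample records are constructed, and the set of DLLs it counts is a commonly used credential-dumping heuristic rather than the post's own method. It goes a little beyond the Figure 2 filter by also flagging any process, whatever its name, that pulls in several of those libraries.

```python
"""Filter SilkETW JSON output for Mimikatz-like image-load activity.

Added example; assumes SilkETW writes one JSON object per event with the
README's field names and that ImageLoad events carry XmlEventData.FileName.
"""
import json
from collections import defaultdict

# Heuristic, not from the post: libraries credential-dumping tools tend to
# load into their own process (LSA, SAM, Vault, smart-card and WLAN APIs).
SUSPECT_DLLS = {"cryptdll.dll", "samlib.dll", "vaultcli.dll",
                "wlanapi.dll", "hid.dll", "winscard.dll"}
MIN_HITS = 3

# Constructed sample capture: a non-ImageLoad event, a benign process that
# loads one suspect DLL, and a mimikatz.exe process that loads several.
SAMPLE_CAPTURE = r"""
{"EventName":"ProcessStart","ProcessID":9876,"ProcessName":"mimikatz","XmlEventData":{"ImageName":"mimikatz.exe"}}
{"EventName":"ImageLoad","ProcessID":4120,"ProcessName":"explorer","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\shell32.dll"}}
{"EventName":"ImageLoad","ProcessID":4120,"ProcessName":"explorer","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\cryptdll.dll"}}
{"EventName":"ImageLoad","ProcessID":9876,"ProcessName":"mimikatz","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll"}}
{"EventName":"ImageLoad","ProcessID":9876,"ProcessName":"mimikatz","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\samlib.dll"}}
{"EventName":"ImageLoad","ProcessID":9876,"ProcessName":"mimikatz","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\cryptdll.dll"}}
{"EventName":"ImageLoad","ProcessID":9876,"ProcessName":"mimikatz","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\vaultcli.dll"}}
{"EventName":"ImageLoad","ProcessID":9876,"ProcessName":"mimikatz","XmlEventData":{"FileName":"\\Device\\HarddiskVolume2\\Windows\\System32\\WinSCard.dll"}}
"""


def load_events(text):
    """Parse SilkETW output, accepting either a JSON array or one object per line."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip a half-written trailing line from a live capture
    return events


def image_basename(event):
    """Lower-cased module file name for an ImageLoad event, None for anything else."""
    if event.get("EventName") != "ImageLoad":
        return None
    path = (event.get("XmlEventData") or {}).get("FileName", "")
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() or None


def loads_for_process(events, process_name):
    """Figure 2-style filter: the modules loaded by a given process name, in order."""
    names = (image_basename(e) for e in events
             if e.get("ProcessName", "").lower() == process_name.lower())
    return [n for n in names if n]


def suspicious_processes(events, min_hits=MIN_HITS):
    """Flag (pid, name, dlls) for processes loading at least min_hits suspect DLLs."""
    loaded = defaultdict(set)
    proc_names = {}
    for e in events:
        name = image_basename(e)
        if name is None:
            continue
        pid = e.get("ProcessID")
        loaded[pid].add(name)
        proc_names[pid] = e.get("ProcessName", "")
    flagged = []
    for pid, dlls in loaded.items():
        hits = sorted(dlls & SUSPECT_DLLS)
        if len(hits) >= min_hits:
            flagged.append((pid, proc_names[pid], hits))
    return flagged


if __name__ == "__main__":
    evts = load_events(SAMPLE_CAPTURE)
    print("mimikatz loads:", loads_for_process(evts, "mimikatz"))
    for pid, name, hits in suspicious_processes(evts):
        print(f"PID {pid} ({name}) loaded suspect DLLs: {', '.join(hits)}")
```

Pointing `load_events` at the real mimikatz.json instead of the constructed sample is all that is needed to run it against a capture; lower the MIN_HITS threshold or extend SUSPECT_DLLS to tune it for your environment.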

Yara Integration

SilkETW has a number of command line flags that allow the user to restrict the events that are captured. These include the event name, the process ID, the process name, and the opcode. To further enhance this capability, Yara support is included to filter or tag trace events. While Yara has immediate defensive connotations, the reader is reminded that Yara rules are equally useful to augment research capabilities.

In the following contrived example we will use a Yara rule to detect Seatbelt execution in memory through Cobalt Strike's ...(continued)
