FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible in Defender for Endpoint are listed below.
DeviceEvents
FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible in Defender for Endpoint are listed below.
DeviceEvents
<?xml version="1.0" encoding="UTF-8"?> | |
<opml version="1.0"> | |
<head> | |
<title>Olaf subscriptions in feedly Cloud</title> | |
</head> | |
<body> | |
<outline text="PublicFeeds" title="PublicFeeds"> | |
<outline type="rss" text="top scoring links : netsec" title="top scoring links : netsec" xmlUrl="http://www.reddit.com/r/netsec/top/.rss" htmlUrl="https://www.reddit.com/r/netsec/top/"/> | |
<outline type="rss" text="For [Blue|Purple] Teams in Cyber Defence" title="For [Blue|Purple] Teams in Cyber Defence" xmlUrl="https://www.reddit.com/r/blueteamsec.rss" htmlUrl="https://www.reddit.com/r/blueteamsec"/> |
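# Paths that we've already excluded via AppLocker. Empty here; populate with the
# directories already covered by an AppLocker rule so they are not reported again.
$exclusions = @()

# Paths to process (root directories the scan walks; judging by the log name
# below, presumably looking for user-writable locations — confirm in the caller).
$paths = @(
    "C:\Windows"
)

# Setup log. $PSScriptRoot is empty when this snippet is run interactively
# (pasted into a console or dot-sourced from the prompt); without the fallback the
# log would land at "\UserWritableLocations.log" in the root of the current drive.
# When $PSScriptRoot is set the resulting path is identical to the original.
$scriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$log = "$scriptDir\UserWritableLocations.log"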
<manifest schemaversion="4.31" binaryversion="9.20"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
<manifest schemaversion="4.30" binaryversion="9.20"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
<manifest schemaversion="4.22" binaryversion="9.20"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
<manifest schemaversion="4.21" binaryversion="9.10"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
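# Required module > ImportExcel
# Install it like this > "Install-Module ImportExcel"
#
# Get the dataset from the ATT&CK matrix (the enterprise-attack STIX bundle,
# read from disk).
# TODO:
# Diff online and offline, to only download on updates
# parameters for download, xlsx file and so on.

# The bundle is resolved relative to the current location. Fail early with a
# clear message instead of letting Get-Content emit a non-terminating error and
# leaving $dataset $null for the rest of the script.
$attackJson = 'enterprise-attack.json'
if (-not (Test-Path -LiteralPath $attackJson -PathType Leaf)) {
    throw "ATT&CK dataset not found: $attackJson (expected the enterprise-attack STIX bundle in the current directory)"
}

Write-Host "[+] Loading MITRE ATT&CK Data" -ForegroundColor Cyan
# -Raw hands ConvertFrom-Json the whole file as one string instead of one
# pipeline object per line; same result, one parse.
$dataset = Get-Content -LiteralPath $attackJson -Raw |
    ConvertFrom-Json |
    Select-Object -ExpandProperty objects |
    Where-Object { $_.type -eq 'attack-pattern' }
# NOTE(review): revoked / deprecated techniques (STIX "revoked", ATT&CK
# "x_mitre_deprecated") are not filtered out here — confirm whether the
# downstream xlsx consumer expects them.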
<manifest schemaversion="4.2" binaryversion="8.00"> | |
<configuration> | |
<options> | |
<!-- Command-line only options --> | |
<option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
<option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
<option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
<option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
function Get-InjectedThread | |
{ | |
<# | |
.SYNOPSIS | |
Looks for threads that were created as a result of code injection. | |
.DESCRIPTION | |