Update defense_evasion_unusual_ads_file_creation.toml (#2522)
@@ -33,7 +33,7 @@ Attackers can abuse these alternate data streams to hide malicious files, string
|
|||||||
#### Possible investigation steps
|
#### Possible investigation steps
|
||||||
|
|
||||||
- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:
|
- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:
|
||||||
- `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname`
|
- `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`
|
||||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
|
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
|
||||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||||
|
|||||||
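Review bot: The replacement cmdlet line is the correct fix, since `Get-Content` has no `-File` parameter (the path is bound to `-Path`, positionally or by name), so the previous example `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname` would have failed with a parameter-binding error when an analyst pasted it; the new form `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName` binds the path positionally and `-Stream` is valid on the FileSystem provider. Two small follow-ups for the same line: consider `-LiteralPath` instead of the positional path so that file names containing wildcard characters such as `[` or `]` are not expanded, and consider pointing the analyst at `Get-Item <path> -Stream *` first, since the stream name in the alert is what has to be substituted for the `SampleAlternateDataStreamName` placeholder and enumerating streams makes that explicit. The doubled backslashes in `C:\\Path\\To\\file.exe` are TOML string escaping and render as single backslashes in the investigation guide, so they are fine as written.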