Wednesday, August 02, 2023

Events Ripper Updates

I uploaded several new updates to Events Ripper plugins in the repo recently...

defender.pl - added a check for event ID 2050 records, indicating that Defender uploaded a sample (as opposed to event ID 2051 records, indicating that a file could not be sent). The plugin now displays the file path and name, as well as the hash.

filter.pl - added a check for event ID 5152 records, indicating that the Windows Filtering Platform (WFP) blocked a packet. The plugin displays the source IP address of the packet, but not the direction (usually inbound), the ports, or the destination IP address (which will most likely be the endpoint itself, or a broadcast address). When looking at this output, keep the endpoint's own IP address in mind: you may see connection attempts from other subnets, or from public IP addresses.

scm.pl - added a check for Service Control Manager/7031 service crash events. I did not add event ID 7039 events; well, actually, I did, but found that there was a lot of noise. If you're creating a timeline and using Events Ripper as it was intended, the new 7031 check will give you a pivot point.
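To make the three checks above concrete, here is an added example (my own Python, not the Perl plugins from the Events Ripper repo) that runs the same three checks over a handful of constructed event records. The record format is an assumption loosely modeled on the TLN-style events file Events Ripper consumes (epoch|EVTX|host|user|Source/EventID;comma-separated strings), the string field order for each event ID is assumed from the corresponding Windows event templates, and the endpoint IP and /24 subnet are assumed values. The 5152 check goes one step beyond what filter.pl prints: it flags whether the blocked packet's source is off the endpoint's subnet or outside RFC 1918 space, which is exactly the comparison the paragraph tells you to do by eye.

```python
"""Added example: Events Ripper-style checks for Defender/2050,
Security-Auditing/5152 and Service Control Manager/7031 records."""
import ipaddress

# Assumed IP of the endpoint the log came from, and the subnet size used to
# decide whether a 5152 source address is "off subnet".
ENDPOINT_IP = "10.0.0.15"
ENDPOINT_PREFIX = 24

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real log data).  Assumed format:
#   epoch|EVTX|host|user|Source/EventID;comma-separated event strings
# 2050/2051 strings: product name, version, file path, SHA-256
# 5152 strings: pid, app, direction, src addr, src port, dst addr, dst port, ...
# 7031 strings: service name, crash count, restart delay, corrective action
SAMPLE_EVENTS = [
    "1690900000|EVTX|WKSTN01|bob|Microsoft-Windows-Windows Defender/2050;"
    "Microsoft Defender Antivirus,4.18.23070.1004,"
    "C:\\Users\\bob\\Downloads\\invoice.exe," + "0123456789abcdef" * 4,
    "1690900010|EVTX|WKSTN01|bob|Microsoft-Windows-Windows Defender/2051;"
    "Microsoft Defender Antivirus,4.18.23070.1004,"
    "C:\\Users\\bob\\Downloads\\setup.exe," + "fedcba9876543210" * 4,
    "1690900020|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/5152;"
    "4,System,%%14592,203.0.113.45,51522,10.0.0.15,445,6,66291,%%14610,44",
    "1690900021|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/5152;"
    "4,System,%%14592,10.0.0.7,137,10.0.0.255,137,17,66291,%%14610,44",
    "1690900030|EVTX|WKSTN01|-|Service Control Manager/7031;"
    "Spooler,1,60000,Restart the service",
]


def parse_event(line):
    """Split one record into its fields; strings are split on commas."""
    ts, _kind, host, user, descr = line.split("|", 4)
    src_id, _, strings = descr.partition(";")
    source, _, eid = src_id.rpartition("/")
    return {"ts": int(ts), "host": host, "user": user,
            "source": source, "eid": eid, "strings": strings.split(",")}


def defender_check(ev):
    """2050 = Defender uploaded a sample; report path and hash.
    2051 (file could not be sent) is deliberately not reported."""
    if ev["source"].endswith("Windows Defender") and ev["eid"] == "2050":
        return {"ts": ev["ts"], "path": ev["strings"][2],
                "sha256": ev["strings"][3]}
    return None


def filter_check(ev, endpoint_ip=ENDPOINT_IP, prefix=ENDPOINT_PREFIX):
    """5152 = WFP blocked a packet; report the source address and whether
    it is RFC 1918 and whether it sits on the endpoint's own subnet."""
    if ev["eid"] != "5152" or not ev["source"].endswith("Security-Auditing"):
        return None
    src = ipaddress.ip_address(ev["strings"][3])
    local_net = ipaddress.ip_network(f"{endpoint_ip}/{prefix}", strict=False)
    return {"ts": ev["ts"], "src": str(src),
            "private": any(src in n for n in RFC1918),
            "off_subnet": src not in local_net}


def scm_check(ev):
    """Service Control Manager/7031 = a service terminated unexpectedly."""
    if ev["source"] == "Service Control Manager" and ev["eid"] == "7031":
        return {"ts": ev["ts"], "service": ev["strings"][0],
                "count": int(ev["strings"][1])}
    return None


def run_checks(lines):
    """Run all three checks over the records; returns hits per check."""
    checks = (("defender", defender_check), ("filter", filter_check),
              ("scm", scm_check))
    out = {name: [] for name, _ in checks}
    for line in lines:
        ev = parse_event(line)
        for name, check in checks:
            hit = check(ev)
            if hit:
                out[name].append(hit)
    return out


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_EVENTS).items():
        for hit in hits:
            print(name, hit)
```

On the constructed data the 5152 check reports the 203.0.113.45 source as both non-RFC 1918 and off-subnet, while the 10.0.0.7 NetBIOS broadcast is neither; the 2051 record is parsed but produces no Defender hit, matching the plugin's behaviour of reporting only successful uploads.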
