Comments on Windows Incident Response: HowTo: Track Lateral Movement
(comment feed, last updated 2024-03-19 07:46 -05:00; 6 comments, newest first)

H. Carvey, 2015-05-29 06:33 -05:00

I'm not sure audit settings are the way to go, really. Instead, if there were one thing that I'd implement, it would be either Sysmon, or Carbon Black.

Interestingly enough, either one has uses beyond security/IR...

Anonymous, 2015-05-28 19:52 -05:00

Great post. I do have one follow-up question. Is there a list that contains which Windows audit settings should be enabled to provide the best IR information post-incident?

H. Carvey, 2013-07-16 11:35 -05:00

Jason,

You may be right...but this misconception may be due to what information is conveyed and shared with respect to those threat actors, particularly to those identified as victims.

H. Carvey

Jason Lawrence, CISSP, CISA, GCFA, CEH, 2013-07-16 11:26 -05:00

Harlan,
Thanks for another excellent post.
I believe that there is a huge misconception that the current threat actors use malware for everything they do. It is more common than not to see the use of built-in O/S tools for many of the actions taken by these attackers.

Again, thanks for the excellent post; I think more IR folks would benefit by reading it.

H. Carvey, 2013-07-10 13:46 -05:00

Thanks for your comment.

"I also found it interesting there wasn't really a mention of malware..."

I am familiar with Richard's blog post that you linked to, and the title of the post was specific to "lateral movement"...it wasn't really about malware.

Anonymous, 2013-07-10 13:38 -05:00

I like how you separated System A artifacts from System B. I also found it interesting there wasn't really a mention of malware, which reminds me of this:

https://www.mandiant.com/blog/malware-compromise/

Malware is used so often that I, and probably others, assume lateral movement can be identified by finding all the malware. Thanks for showing where to look by appropriately focusing on access.