In this video, we explore how analysts can identify artifacts left behind by attackers using CrackMapExec or NetExec. We dive into the tool's source code to understand how unique artifacts and their patterns are generated, and write detection rules to identify these traces.
This is exactly the kind of thing that David Bianco refers to with host artifacts and tool-specific detections in his Pyramid of Pain!
Enjoy!
00:00 - Introduction
1:15 - Lab Setup
3:22 - Running NetExec
5:44 - Looking Under the Hood
8:37 - NetExec Source Code
11:20 - Using Sysmon to Log Artifacts
15:00 - Pattern Matching
16:33 - Avoiding Detection?
17:10 - Conclusion