
: day 52 : Spent more time on CRTO, got through several sections. If something talks to lsass, a Windows Event 4656 is generated. These events don't make it into Windows Defender ATP. KQL that *might* help can be found here: infosec.exchange/@scottlink/10 (CS may not have liked my KQL, so trying the link.) (Lsass does get started in the normal day-to-day of things; filter out lsass itself being the process, and look for things trying to operate on it.)

Since we see the previous post, the theory that CS doesn't like KQL seems to hold up.
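The filter the post describes (Event 4656 records whose object is lsass.exe, ignoring lsass acting on itself), as an added example that is not the author's KQL and not from the linked post. It reads exported Security log events in the standard Windows event XML schema; the field names `ObjectName`, `ProcessName`, `AccessMask` and `SubjectUserName` are the real 4656 EventData names, while the function names and the three sample events are constructed for this example.

```python
"""Added example (not from the original post): pick out Windows Security
Event ID 4656 ("A handle to an object was requested") records that target
lsass.exe, skipping requests made by lsass itself.  The sample events
below are constructed, not real captures."""
import xml.etree.ElementTree as ET

# Namespace used by every event exported from the Windows Event Log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Return the EventData fields of one event as a dict, plus its EventID."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = event_id
    return data


def is_lsass_handle_request(ev):
    """True for a 4656 whose object is lsass.exe and whose requester is not lsass."""
    if ev.get("EventID") != 4656:
        return False
    target = ev.get("ObjectName", "").lower()
    requester = ev.get("ProcessName", "").lower()
    # lsass opens handles routinely; ignore lsass acting on itself,
    # keep everything else that is trying to operate on it.
    return target.endswith("\\lsass.exe") and not requester.endswith("\\lsass.exe")


def find_lsass_handle_requests(events_xml):
    """Filter a list of event XML strings down to the interesting 4656 records."""
    parsed = [parse_event(x) for x in events_xml]
    return [ev for ev in parsed if is_lsass_handle_request(ev)]


def _event(event_id, object_name, process_name, access_mask):
    """Build a constructed event in the Windows event XML schema (hypothetical helper)."""
    return r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="ObjectType">Process</Data>
    <Data Name="ObjectName">{obj}</Data>
    <Data Name="ProcessName">{proc}</Data>
    <Data Name="AccessMask">{mask}</Data>
  </EventData>
</Event>""".format(eid=event_id, obj=object_name, proc=process_name, mask=access_mask)


# Constructed sample log: lsass on itself (ignored), a third-party binary on
# lsass (kept), and an unrelated 4656 on a registry key (ignored).
SAMPLE_EVENTS = [
    _event(4656, r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
           r"C:\Windows\System32\lsass.exe", "0x1000"),
    _event(4656, r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
           r"C:\Users\alice\Downloads\example-tool.exe", "0x1010"),
    _event(4656, r"\REGISTRY\MACHINE\SOFTWARE\Example",
           r"C:\Windows\regedit.exe", "0x20019"),
]

if __name__ == "__main__":
    for ev in find_lsass_handle_requests(SAMPLE_EVENTS):
        print(ev["ProcessName"], "->", ev["ObjectName"], "mask", ev["AccessMask"])
```

To run it against a real machine, export the Security log with `wevtutil qe Security /q:"*[System[EventID=4656]]" /f:xml` and feed each `<Event>` element to `find_lsass_handle_requests`; handle auditing for the process object must be enabled for 4656 to be logged at all.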
