Forensic detection of MITRE ATT&CK Techniques

Forensic Labs
May 3, 2018

Initial Access

Persistence

Credential Access

Privilege Escalation

Lateral Movement

Command and Control

Defense Evasion

index=* EventCode=4688
| rex field=Process_Command_Line "-((?i)enc|encodedcommand|encode|en)\s\'?(?<base64_command>[A-Za-z0-9+/]{20,1000}={0,2})\'?"
| decrypt field=base64_command atob() emit('base64_decoded_command')
| stats count by base64_decoded_command
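As an added example (not part of the original post), the same detection in Python rather than SPL: it pulls the encoded argument out of constructed 4688 command lines, base64-decodes it and, because PowerShell expects that blob to be base64 over UTF-16LE text, decodes it as UTF-16LE instead of treating the bytes as ASCII, rejecting values that a loose regex matches but that are not encoded commands. The switch-abbreviation pattern and the sample events are assumptions made for this example.

```python
import base64
import binascii
import re
from collections import Counter

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc,
# ...): match "-e" plus up to 13 letters, then a blob of at least 20 base64
# characters so short values such as "-ExecutionPolicy Bypass" do not match.
# The pattern is this example's own, not the page's Splunk regex.
ENCODED_ARG = re.compile(
    r'''-e[a-z]{0,13}\s+['"]?(?P<b64>[A-Za-z0-9+/]{20,}={0,2})''', re.IGNORECASE)

def encode_for_powershell(script: str) -> str:
    """Blob PowerShell expects: base64 over UTF-16LE (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(blob: str):
    """Decoded script, or None if the blob is not base64 over UTF-16LE text
    (a false regex match, or a command line truncated by the log source)."""
    padded = blob + "=" * (-len(blob) % 4)        # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-16-le")            # odd byte count -> error
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None

def extract_encoded_commands(cmdline: str) -> list:
    """Decode every encoded argument found in one process command line."""
    decoded = (decode_encoded_command(m.group("b64"))
               for m in ENCODED_ARG.finditer(cmdline))
    return [t for t in decoded if t is not None]

def count_by_decoded_command(events) -> Counter:
    """Counterpart of the query's 'stats count by' over the decoded scripts."""
    return Counter(t for e in events for t in extract_encoded_commands(e))

# Constructed 4688-style records flattened to one line each (not real logs).
SAMPLE_EVENTS = [
    'EventCode=4688 Process_Command_Line="powershell.exe -nop -w hidden -enc '
    + encode_for_powershell("Get-Date") + '"',
    'EventCode=4688 Process_Command_Line="powershell.exe -ExecutionPolicy '
    'Bypass -EncodedCommand ' + encode_for_powershell("Get-Date") + '"',
    # Plain base64 of 23 ASCII bytes: matches the regex but is not UTF-16LE.
    'EventCode=4688 Process_Command_Line="powershell.exe -e '
    + base64.b64encode(b"not a powershell script").decode("ascii") + '"',
    'EventCode=4688 Process_Command_Line="cmd.exe /c whoami"',
]
```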

Discovery

Execution

Collection

Exfiltration
