Sysmon 12 is out, and it adds a new event, ID 24: clipboard monitoring. A very useful new feature.

There is an obvious use for this in forensic investigations during and after an incident, but it can also be used to trigger detections.

Clipboard contents will inevitably include sensitive data such as passwords, keys and personal information. For that reason the content itself is not written to the event log, where it would be centrally aggregated and readable by many people; the event only records metadata about the clipboard change, and the content goes to the configured archive directory.

Event ID 24 generated after a copy to the clipboard in PowerShell.

The new event contains the following fields:

Image: the process that wrote to the clipboard.
Session: the session in which the process writing to the clipboard is running. This can be the system session (0), an interactive session, a remote session, etc.
ClientInfo: the session's username and, for a remote session, the originating hostname and IP address when available.
Hashes: the hash of the clipboard content; it determines the file name in the archive directory, as with the FileDelete event.
Archived: whether the content was stored in the configured archive directory. …
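Below is an added example, not code from the original post or from Sysmon itself, that parses the fields listed above out of exported Sysmon event XML and runs a few hunting heuristics over them: clipboard writes by script hosts, writes from a remote session (ClientInfo carries a hostname/IP), writes from session 0, and events whose content was not archived. Python is used so it runs offline against exported XML; in practice the events would come from Get-WinEvent or your SIEM. The sample events are constructed, and three things are this example's assumptions rather than documented Sysmon behaviour: the `user: X hostname: Y ip: Z` layout of ClientInfo, the `CLIP-<hash>` archive file naming, and the list of script hosts in `SCRIPT_HOSTS`.

```python
# Added example: triage of Sysmon Event ID 24 (ClipboardChange) records.
# Sample events below are constructed for this example, not real telemetry.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Script hosts and LOLBins that rarely need the clipboard in normal use.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe"}


def make_event(**fields):
    """Build Sysmon-style event XML for EID 24 (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>24</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Samples: an interactive notepad copy, a PowerShell copy inside a remote
# (RDP) session, and a session-0 copy whose content was not archived.
EVENT_BENIGN = make_event(
    Image=r"C:\Windows\System32\notepad.exe", Session="1",
    ClientInfo=r"user: LAB\alice",
    Hashes="SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", Archived="true")
EVENT_REMOTE_PS = make_event(
    Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    Session="3", ClientInfo=r"user: LAB\svc-admin hostname: JUMP01 ip: 10.10.5.20",
    Hashes="SHA1=2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED", Archived="true")
EVENT_SESSION0 = make_event(
    Image=r"C:\Windows\System32\svchost.exe", Session="0",
    ClientInfo=r"user: NT AUTHORITY\SYSTEM",
    Hashes="SHA1=3DA541559918A808C2402BBA5012F6C60B27661C", Archived="false")
SAMPLE_EVENTS = [EVENT_BENIGN, EVENT_REMOTE_PS, EVENT_SESSION0]


def parse_event(xml_text):
    """Return the EventData fields of one Sysmon event as a dict, plus EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("./e:EventData/e:Data", NS)}
    data["EventID"] = int(root.find("./e:System/e:EventID", NS).text)
    return data


def parse_hashes(hashes):
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..' Hashes field into a dict."""
    return {k.strip().upper(): v.strip()
            for k, v in (p.split("=", 1) for p in hashes.split(",") if "=" in p)}


def parse_client_info(client_info):
    """Split ClientInfo into user, plus hostname/ip for remote sessions.
    ASSUMPTION: the 'user: X hostname: Y ip: Z' layout used in the samples."""
    m = re.search(r"user:\s*(.+?)(?:\s+hostname:\s*(\S+))?(?:\s+ip:\s*(\S+))?\s*$",
                  client_info)
    return {k: v for k, v in zip(("user", "hostname", "ip"), m.groups()) if v} if m else {}


def archive_name(event):
    """Archive file name for the clipboard content. ASSUMPTION: 'CLIP-<hash>'
    from the first hash in the Hashes field; verify against your ArchiveDirectory."""
    hashes = parse_hashes(event.get("Hashes", ""))
    return f"CLIP-{next(iter(hashes.values()))}" if hashes else None


def triage(event, expect_archive=True):
    """Return the reasons an EID 24 event deserves a look (empty list = benign)."""
    if event.get("EventID") != 24:
        return []
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    client = parse_client_info(event.get("ClientInfo", ""))
    if image in SCRIPT_HOSTS:
        reasons.append(f"clipboard written by script host {image}")
    if "hostname" in client or "ip" in client:
        reasons.append(f"remote session from {client.get('hostname', '?')} "
                       f"({client.get('ip', '?')})")
    if event.get("Session") == "0":
        reasons.append("clipboard written from session 0 (non-interactive)")
    if expect_archive and event.get("Archived", "").lower() != "true":
        reasons.append("content not archived; check the ArchiveDirectory setting")
    return reasons


def hunt(xml_events, expect_archive=True):
    """Run triage over exported events; returns (Image, reasons) for flagged ones."""
    findings = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        reasons = triage(event, expect_archive)
        if reasons:
            findings.append((event.get("Image", ""), reasons))
    return findings
```

Running `hunt(SAMPLE_EVENTS)` flags the PowerShell copy (script host plus remote session) and the session-0 copy (non-interactive plus not archived) and leaves the notepad copy alone. Event ID 24 only fires for processes matched by a ClipboardChange rule in your Sysmon configuration, so the include/exclude rules decide what this kind of triage ever gets to see; tune `SCRIPT_HOSTS` and the session-0 check to your own environment's baseline before using the reasons as alerts.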


We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part three!


Today’s content:

  • Detecting suspicious code compilation.
  • Detecting the malicious use of Certutil.

We would love to hear from you about your results. Any feedback or suggestions for improvement are welcome. Feel free to create pull requests if you have improvements that can benefit the community.

‘Bring-your-own-code’

Sometimes attackers get really creative in evading detection. Like, really creative. Attackers regularly try to run a pre-compiled executable on a target machine; fortunately that is very likely to be flagged by existing security controls. …


We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today: part two. Cheers!


The Falcon Friday series continues! We hope you have had the chance to start working with our previous queries; we are now releasing new hunting queries which we hope help you detect mischief. For reference we have tagged the series 0xFF01, making it easier to track the content.

Today’s content:

  • Detecting suspicious or unknown browser extensions
  • Detecting binaries with questionable code signing certificates connecting to the internet

We would love to hear from you about your results. Any feedback or suggestions for improvement are welcome. Feel free to create pull requests (PRs) if you have improvements that can benefit the community. We will cover your PRs in the blog post that follows them. …

About

FalconForce | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon | Microsoft MVP
