Questions tagged [detection]
Detection is the act of discovering and/or determining the existence, presence, or fact of something.
254 questions
0 votes | 1 answer | 73 views
Standard format for malware behavioral rules
Is there a standard format for behavioral rules for detecting malware?
Yara is a standard format for static signatures, e.g., matching based on strings and byte sequences. I'm wondering if there is a ...
2 votes | 1 answer | 292 views
Difference between PS Remoting and Winrs from a detection standpoint
From a detection standpoint, when pivoting inside a network what difference (if any) is there between establishing a remote connection between using Enter-PSSession -ComputerName PC1 vs winrs -r:PC1 ...
0 votes | 1 answer | 149 views
SACL for shadow copies
I'm researching the topic of detecting registry dump from disk shadow copies and realize that I don't see any specific events in the Windows and Sysmon logs.
I tried a simple copy with the command:
...
1 vote | 1 answer | 273 views
Understanding XDR Detection Methods
I'm interested in security and redteaming in particular, and as I'm learning about the subject I'm trying to find out what kind of things a blue team EDR/XDR solution will look for as part of its ...
0 votes | 1 answer | 142 views
Any (open source) tool we can use to detect whether applications with proxy services have been installed on our computers?
Read something like this on reddit "someone can also be a regular user who does not read terms and conditions of apps that they install. Some apps might include code that will enable them to run ...
1 vote | 0 answers | 135 views
Kusto to Osquery translator?
Osquery is a great open standard for collecting data from endpoints, using SQL syntax.
Kusto is a new Microsoft language for collecting data from Windows endpoints, using syntax which is almost--but ...
0 votes | 0 answers | 149 views
Windows 10 Cybersecurity on Stand-Alone Computer
I have been asked to investigate what capabilities exist within Windows 10 where the environment for this system is isolated. I believe it would not be able to benefit from an enterprise security ...
3 votes | 3 answers | 1k views
How can I have my process detect if antivirus injected a module or DLL to it?
I am writing an installer process (.exe). My installer deploys different components. It will add registry entries, copy files, copy files over the network, remote execute, remote PowerShell, local ...
2 votes | 0 answers | 1k views
SVCHOST executed without any arguments [closed]
Our SIEM has a Sigma rule that alerts when svchost is launched without any arguments. The logs are from a domain controller which unfortunately I don't have access to to verify. I will be reaching ...
0 votes | 4 answers | 273 views
Mouse moving while unattended, how can I check for intrusions
A few hours ago, I spotted my unattended mouse moving and seeming to click on tabs. I promptly rebooted my system and removed Teamviewer (it's the only remote connection app that I have installed), ...
1 vote | 0 answers | 167 views
watch-video.net malware and preventing these types of infections at the network level [closed]
How does a computer get infected with watch-video.net malware, and why aren't popular tools like Windows Defender or Malwarebytes able to detect and remove it? Is there a practical way to prevent ...
55 votes | 6 answers | 21k views
If malware does not run in a VM why not make everything a VM?
There is a lot of malware that can detect whether it is running inside a VM or sandboxed environment, and if such an environment is detected it can conceal itself and not execute. So why not make ...
0 votes | 1 answer | 397 views
How does one detect and deter golden SAML attacks?
How does one defend, detect and deter golden SAML attacks?
0 votes | 1 answer | 2k views
Is it safe to use an executable if only unknown antiviruses detected something?
Recently I downloaded the Open Shell application and checked it via VirusTotal.
The most famous antiviruses, like Bitdefender, Norton and Kaspersky, found nothing.
But some antiviruses think there are some bad ...
1 vote | 1 answer | 231 views
Is it possible to ensure detection and logging of all attempts to copy data out of a system?
I am cross-posting this question from Serverfault, because I am in doubt where it fits best.
Say I have a server set up for processing sensitive data. The few authorised users of the system are ...
0 votes | 1 answer | 262 views
Insider threats vs. insider attacks
I understand that a threat is a possible security violation that might exploit the vulnerability of a system, and an attack is an action on a system that harms the organisation in some way. Therefore, ...
0 votes | 2 answers | 203 views
How can I determine if a malware sample is morphic? (polymorphic, metamorphic, etc)
I want to do a malware test that specifically uses recent morphic malware samples (polymorphic, metamorphic, etc). There are a couple of good sources I can pull samples from, but I need to know if ...
2 votes | 1 answer | 218 views
Deciding between MDR solutions offering endpoint agents with or without an additional network appliance?
There are a number of different Managed Security Service Providers (MSSPs) offering managed detection and response services. They tend to use what is called an endpoint agent, while only some use a ...
0 votes | 0 answers | 514 views
What are the main differences between a covert timing channel and a covert storage channel?
I am trying to find the differences between a covert timing channel and a covert storage channel in terms of detectability, performance, features, and any other advantages and disadvantages.
Is ...
2 votes | 1 answer | 2k views
Can an ISP redirecting DNS traffic be detected by the end user?
If an ISP wants to gather profiles on users, or block certain websites, they can fairly easily redirect outgoing UDP traffic to port 53 to their own DNS servers.
How could this be detected by the end ...
2 votes | 1 answer | 222 views
How can I, as a middleman, verify whether a phishing site is valid if the scam listens only on the referrer link and blocks any other access methods?
How can I, as a trusted user of a middleman company (such as PhishTank), verify whether a phishing site is valid if the scam listens only on a unique referrer link (randomly created) and is blocking any ...
0 votes | 1 answer | 1k views
Yara condition count operator with wildcard [closed]
I have a yara rule that looks for multiple strings in a file and fires if the count is greater than 3. But how would I change the condition statement to only fire if greater than 3 but less than 5?
...
1 vote | 0 answers | 277 views
Snort rules to detect Metasploit's trojan [duplicate]
I'm currently working on Snort and I'm trying to detect meterpreter sessions in reverse TCP or HTTPS, a Trojan ...
Does anyone know snort rules in order to detect this? Despite my research, I found ...
0 votes | 1 answer | 388 views
What are the heuristic detection techniques most often used in modern AVs? [closed]
Whenever I read books or academic papers and the subject of heuristic malware detection is brought up they always say the same thing: "it can be either static or dynamic", "it may use emulation", "may ...
0 votes | 2 answers | 2k views
Can my father's smartphone be compromised?
My father told me that he allowed the installation of apps from unknown sources when he was asked to do it to go further with something (he said that he doesn't remember when or what he was doing).
...