Session 2 Resources

2 Mar 2021

Great interaction again on today's session - thanks for joining in! I loved having a proper look at how code can be executed on your network and devices, and what Sophos EDR can do to help you threat hunt. We'll see more of that power in the remaining sessions.

Here's a few of the resources that Ashek mentioned and used - let me know in the comments below if you want anything further.

Generic Search query: https://community.sophos.com/intercept-x-endpoint/i/anomalies/generic-search
Cyberchef: https://gchq.github.io/CyberChef/
And also, here's a great SANS poster with lots of stuff to hunt for: https://share.ialab.dsu.edu/CRRC/Incident%20Response/Supplementary%20Material/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

See you all again tomorrow!

Parents

Ray McKolay over 3 years ago

A little late to the game but in reviewing session 2, Running code on remote systems, I've been trying to find the query that Ashek ran named "generic process journal search". He stated it is available on the edr query forum but I can't locate it. Could you point me in the direction of that specific query please? I've looked at all 11 pages of the edr query forum and can't locate it.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

Ray McKolay over 3 years ago

A little late to the game but in reviewing session 2, Running code on remote systems, I've been trying to find the query that Ashek ran named "generic process journal search". He stated it is available on the edr query forum but I can't locate it. Could you point me in the direction of that specific query please? I've looked at all 11 pages of the edr query forum and can't locate it.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

Ray McKolay over 3 years ago in reply to Ray McKolay

disregard, I was looking for the verbatim version he had shown. I followed the link and used the one on the forum.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel