10-07-2023 02:36 PM
Hello dear Community,
As you know, a very common attack is loading code directly into memory. This sometimes happens through an LNK file or Office macros.
In my case I want to hunt for LNK files that were double-clicked and started a cmd or PowerShell. When I queried my test process (LNK --> powershell --> cmd = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c cmd.exe), there was no indicator that PowerShell was started through a link file.
What am I missing in my plan to hunt for these? Does someone have a ready-to-hunt query?
BR
Rob
10-10-2023 03:37 AM
Hello Rob,
Thank you for writing to live community!
May I know whether you have tested or reproduced the scenario, or is there any activity in your environment to hunt for with the given command?
Regards.
10-12-2023 01:21 PM
Hello @aspatil,
I am trying to hunt for these because, as you know, this is a common attack scenario where adversaries want to load their scripts directly into memory.
I just want to know if there is a possibility to hunt for these.
BR
Rob
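The gap Rob describes in both of his posts is real: when a shortcut is double-clicked, Explorer launches the shortcut's target, so the child process shows explorer.exe as its parent and carries only the target command line; the .lnk path itself never appears in the PowerShell or cmd.exe process record. One defender-side way to close that gap is to correlate two telemetry streams: process-creation events (parent explorer.exe spawning a shell) and file-open events for .lnk files by that same explorer.exe process shortly before. The Python below is an added example written for this thread, not the poster's query and not a Palo Alto product feature. The event field names, the constructed sample events and the 5-second window are assumptions; which sensor supplies .lnk open events (Windows object-access auditing, an EDR file-access stream) depends on your environment.

```python
"""Correlate explorer.exe -> shell process creations with recent .lnk file
opens, to surface LNK-launched PowerShell/cmd chains whose command line
does not mention the shortcut. Added example; schema and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class ProcEvent:            # simplified process-creation record (assumed schema)
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass
class FileEvent:            # simplified file-open record (assumed schema)
    ts: datetime
    host: str
    pid: int                # process that opened the file
    path: str


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LAUNCHERS = {"explorer.exe"}   # where a user double-click originates


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_lnk_shell_chains(procs: List[ProcEvent], files: List[FileEvent],
                          window: timedelta = timedelta(seconds=5)) -> List[dict]:
    """Flag a shell started by explorer.exe when that same explorer.exe process
    opened a .lnk within `window` beforehand; also list further shells the
    flagged shell spawned (the cmd.exe in the question's chain)."""
    lnk_opens = [f for f in files if f.path.lower().endswith(".lnk")]
    findings = []
    for p in procs:
        if basename(p.image) not in SHELLS or basename(p.parent_image) not in LAUNCHERS:
            continue
        cands = [f for f in lnk_opens
                 if f.host == p.host and f.pid == p.ppid
                 and timedelta(0) <= p.ts - f.ts <= window]
        if not cands:
            continue        # explorer launched a shell, but no shortcut preceded it
        lnk = max(cands, key=lambda f: f.ts)   # most recent .lnk open in the window
        children = [c.cmdline for c in procs
                    if c.host == p.host and c.ppid == p.pid
                    and basename(c.image) in SHELLS]
        findings.append({"host": p.host, "lnk": lnk.path, "pid": p.pid,
                         "cmdline": p.cmdline, "child_shells": children})
    return findings


# Constructed sample telemetry (not real logs).
T0 = datetime(2023, 10, 7, 14, 36, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCS = [
    # the chain from the question: explorer -> powershell -> cmd
    ProcEvent(T0 + timedelta(seconds=1), "WS01", 2000, 1000, PS,
              r"C:\Windows\explorer.exe", f'"{PS}" -c cmd.exe'),
    ProcEvent(T0 + timedelta(seconds=2), "WS01", 2100, 2000,
              r"C:\Windows\System32\cmd.exe", PS, "cmd.exe"),
    # benign: a shortcut to notepad, not a shell
    ProcEvent(T0 + timedelta(seconds=1), "WS02", 3000, 1500,
              r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    # parent is still explorer.exe (typed into the Run box), but no .lnk just before
    ProcEvent(T0 + timedelta(minutes=10), "WS01", 2500, 1000, PS,
              r"C:\Windows\explorer.exe", f'"{PS}"'),
]
FILES = [
    FileEvent(T0, "WS01", 1000, r"C:\Users\rob\Downloads\invoice.lnk"),
    FileEvent(T0, "WS02", 1500, r"C:\Users\rob\Desktop\Notepad.lnk"),
]

if __name__ == "__main__":
    for hit in find_lnk_shell_chains(PROCS, FILES):
        print(hit)
```

Only the WS01 chain is reported: the Notepad shortcut is filtered out because notepad.exe is not a shell, and the later PowerShell on WS01 is skipped because explorer.exe opened no .lnk in the window before it. In a real hunt the same join can be expressed in your SIEM or EDR query language; the point is that the parent process plus a time-bounded .lnk open supplies the indicator that the child's command line lacks.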