Roberto Rodriguez
# 10.A.1 Service Execution

Procedure: Executed persistent service (javamtsup) on system startup

Criteria: javamtsup.exe spawning from services.exe

Sysmon

```
SELECT Message FROM apt29Host WHERE Channel = "Microsoft-Windows-Sysmon/Operational" AND EventID =...
```
Hey @hxnoyd , the DDM is still a work in progress so I agree with you that it needs to be added to it to cover analytics like the ones...
Procedure: Spawned interactive cmd.exe

Criteria: cmd.exe spawning from the rcs.3aka3.doc process

Telemetry can show cmd.exe spawning from rcs.3aka3.doc. This event can be correlated with a previous detection for masquerading.

```
SELECT Message FROM apt29Host WHERE Channel = "Microsoft-Windows-Sysmon/Operational" AND EventID =...
```
``` test = spark.sql( ''' SELECT Message FROM apt29Host a INNER JOIN ( SELECT ProcessGuid FROM apt29Host WHERE Channel = "Microsoft-Windows-Sysmon/Operational" AND EventID = 1 AND LOWER(ParentImage) RLIKE '.*\\‎|â€|‪|‫|‬|â€|‮.*' AND...
Hello @notonlybytes ! Thank you very much for the contribution! One question I had was if it was possible to integrate the template with the Win10 one. It looks like...
very interesting. I have not looked into that before and I believe it is TAXII doing some dedup on their end to be honest based on your examples. mmm. I...
Thank you so much for all the details! It also helps me to improve my troubleshooting skills 😉
Hello @csimpson4 ! Thank you for the feedback! When you do not have an output yet, it means that the application is still processing the question. Let me know if...
Hello @rubinatorz ! I took some time today (sorry for the delay. I have been super busy these past couple of weeks. I apologize for the late response) to test...