Detecting and Responding to Attacks Against Microsoft Exchange

  • Hive Ransomware
  • Cuba Ransomware
  • Mustang Panda
  • HAFNIUM
  • Calypso
  • Tonto: the party begins
  • The “Opera” Cobalt Strike
  • Mikroceen
  • Iron Tiger
  • Naikon
  • Winnti Group
  • Websiic
  • LuckyMouse
  • Tick

Red Team Scenario

Red Team Tools

Mitre ATT&CK Mapping

Threat Hunting

Wazuh

Wazuh (Kibana) queries over Sysmon events forwarded by the Wazuh agent. The first matches Sysmon Event ID 11 (FileCreate) for files written under the Exchange web directories where web shells are typically dropped; the second matches the IIS worker process (w3wp.exe) spawning cmd.exe; the third matches appcmd.exe being used to register a new IIS module.

(data.win.system.eventID: 11 and ("*\\inetpub\\wwwroot\\aspnet_client\\*" or "*HttpProxy\\owa\\auth\\*" or "*\\HttpProxy\\OAB\\*"))
(data.win.eventdata.parentImage:*\\w3wp.exe and data.win.eventdata.image:*\\cmd.exe)
(data.win.eventdata.image:*\\appcmd.exe and "*install module*")
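The three queries above, re-implemented as plain Python so the logic can be checked against sample alerts offline. This is an added example, not code from the original post or from Wazuh. Two assumptions are made where the queries use free-text matches: the path wildcards in the first query are matched against the Sysmon FileCreate TargetFilename field, and "*install module*" in the third query is matched against the process command line. The alerts in SAMPLE_EVENTS are constructed for this example (file names, module name and DLL path are made up).

```python
import fnmatch

# Sysmon Event ID 11 is FileCreate (Sysmon documentation).
SYSMON_FILE_CREATE = 11

# Wildcard patterns copied from the first Wazuh query above.
WEBSHELL_DROP_PATHS = (
    "*\\inetpub\\wwwroot\\aspnet_client\\*",
    "*HttpProxy\\owa\\auth\\*",
    "*\\HttpProxy\\OAB\\*",
)


def _field(event, path):
    """Walk a dotted field path such as 'data.win.eventdata.image'; '' if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    return str(node)


def _glob(value, pattern):
    """Case-insensitive wildcard match (Windows paths are case-insensitive)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_webshell_drop(event):
    # ASSUMPTION: the free-text path wildcards apply to the FileCreate TargetFilename.
    if _field(event, "data.win.system.eventID") != str(SYSMON_FILE_CREATE):
        return False
    target = _field(event, "data.win.eventdata.targetFilename")
    return any(_glob(target, p) for p in WEBSHELL_DROP_PATHS)


def rule_w3wp_spawns_cmd(event):
    return (_glob(_field(event, "data.win.eventdata.parentImage"), "*\\w3wp.exe")
            and _glob(_field(event, "data.win.eventdata.image"), "*\\cmd.exe"))


def rule_appcmd_install_module(event):
    # ASSUMPTION: "*install module*" is matched against the process command line.
    return (_glob(_field(event, "data.win.eventdata.image"), "*\\appcmd.exe")
            and _glob(_field(event, "data.win.eventdata.commandLine"), "*install module*"))


RULES = {
    "exchange_webshell_drop": rule_webshell_drop,
    "w3wp_spawns_cmd": rule_w3wp_spawns_cmd,
    "appcmd_install_module": rule_appcmd_install_module,
}


def detect(event):
    """Return the names of the rules that fire on one Wazuh alert dict."""
    return [name for name, rule in RULES.items() if rule(event)]


def _sysmon(event_id, **eventdata):
    """Build a minimal Wazuh-shaped Sysmon alert (constructed for this example)."""
    return {"data": {"win": {"system": {"eventID": str(event_id)},
                             "eventdata": eventdata}}}


# Constructed sample alerts; none of these are real captured events.
SAMPLE_EVENTS = [
    # 0. File written under aspnet_client by the IIS worker: web-shell drop.
    _sysmon(11, image="C:\\Windows\\System32\\inetsrv\\w3wp.exe",
            targetFilename="C:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx"),
    # 1. IIS worker process launching a command shell.
    _sysmon(1, parentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe",
            image="C:\\Windows\\System32\\cmd.exe", commandLine="cmd.exe /c whoami"),
    # 2. A new IIS module being registered (hypothetical module name and DLL path).
    _sysmon(1, parentImage="C:\\Windows\\System32\\cmd.exe",
            image="C:\\Windows\\System32\\inetsrv\\appcmd.exe",
            commandLine="appcmd.exe install module /name:EvilModule /image:C:\\Windows\\Temp\\evil.dll"),
    # 3. Benign: IIS log file written outside the watched directories.
    _sysmon(11, image="C:\\Windows\\System32\\inetsrv\\w3wp.exe",
            targetFilename="C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex.log"),
    # 4. Benign: an interactive user opening cmd.exe from Explorer.
    _sysmon(1, parentImage="C:\\Windows\\explorer.exe",
            image="C:\\Windows\\System32\\cmd.exe", commandLine="cmd.exe"),
    # 5. The remediation command from the Velociraptor section: "uninstall module"
    #    contains "install module", so the third query fires on the cleanup as well.
    _sysmon(1, parentImage="C:\\Windows\\System32\\cmd.exe",
            image="C:\\Windows\\System32\\inetsrv\\appcmd.exe",
            commandLine="c:\\windows\\system32\\inetsrv\\appcmd.exe uninstall module FastCgiModule_64bit"),
]


def run(events=SAMPLE_EVENTS):
    """Map each event index to the list of rules it triggered ([] means no hit)."""
    return {i: detect(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits or "-")
```

Event 5 is worth noting: the substring wildcard in the third query matches both `install module` and `uninstall module`, so expect alerts when responders run the cleanup command and whitelist that activity by responder host or time window rather than by loosening the rule.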

Velociraptor

Velociraptor hunt notes shared by mgreen27, and the appcmd command used to remove a registered IIS module (here the module named FastCgiModule_64bit) once it has been identified as malicious:

  • https://gist.github.com/mgreen27/b1849239a5e3e5184f64afd46318c75c
c:\windows\system32\inetsrv\appcmd.exe uninstall module FastCgiModule_64bit

Rahmat Nurfauzi

Red Teamer, Threat Hunter & Security Researcher. Contributors of Mitre ATT&CK Framework, PS Empire, LOLBins, Atomic Red Team and more.