Labs

SMS Alerting Via SmartResponse

Security analysts can't always dedicate their time to monitoring the security operations center (SOC), nor do they always check the alerts that they receive via email, due to various reasons. Also, some alerts are simply more important than other alerts—important enough that you want to know about them right away and be notified in the most effective way possible, even when out of the office and disconnected from email.

Read More

The State of Ransomware: How to Prepare for an Attack

Ransomware is currently one of the most widespread and highest-publicized threats on the Internet. Over the last few years, we’ve seen a marked increase in the use of ransomware tools like CryptoLocker, CryptoWall, TeslaCrypt and more recently Locky. Security experts predict 2016 will follow this trend as more cybercriminals begin offering ransomware-as-a-service options to their list of nefarious wares.

Read More

7 Significant Insights from the CyberEdge Cyberthreat Defense Report

The third installment of the Cyberthreat Defense Report provides an understanding and awareness of how IT security teams defend again threats. The report analyzes the current state of cyber security, including the perceptions and concerns of cyber security professionals. It reveals what the respondents believe are the next steps in defending themselves and ensuring they aren’t immortalized on the cover of The Wall Street Journal as the next high-profile breach victim.

Read More

Monitoring Digitally Signed PowerShell

The purpose of the Execution Policy is not to stop the user from running unapproved applications. Rather, it is a way to prevent an attacker from running scripts that the user hasn't approved. This is an important distinction, because the user who has access to PowerShell can run any commands they like at the interactive prompt. The Execution Policy is not designed to control this—that job is left to the Windows Account Model.

Read More

SANS "Find Evil" Digital Forensics Use Case for Windows

In 2014, SANS published a Digital Forensics poster called “Know Abnormal…Find Evil.” This resource delves into the differences between normal and abnormal behavior—and what you might look for or ignore in a digital forensics investigation. Using this reference guide—and other Windows knowledge—you can look for deviation from normal Windows behaviors in real time. This gives you quicker visibility into suspicious activities that try to hide within Windows.

Read More

Detecting Rogue Svchost Processes

Malware authors may attempt to hide their processes in plain sight by calling them the same name as common Windows processes. Very commonly, "svchost.exe" has been used for this purpose. It is difficult to catch this by simply looking at a system, because multiple instances of svchost.exe are expected to be running on a typical Windows System. By leveraging LogRhythm's built in parsing support, we can detect rogue svchost processes.

Read More

Agent SmartResponse Host Checking

How can you find out if a SmartResponse plug-in using PowerShell will run on a specific System Monitor Agent host? Also, with what user context will the SmartResponse plug-ins execute? Windows PowerShell execution policies let you determine the conditions under which PowerShell loads configuration files and runs scripts. We would like to find out what that setting is on a specific host that has a System Monitor Agent installed. Read more about execution policies.

Read More