Tools

How to Build a Miniature Network Monitor Device

LogRhythm’s Network Monitor is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center. However, there are many situations where a smaller, more tactical device is the optimal solution. To demonstrate how to easily deploy NetMon we decided to show you how to build a miniature device.

DPA-Powered Dashboards

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

PowerShell Command Line Logging

PowerShell is one of the best post-exploitation tools out there—simply because it’s already built in to every modern Windows system. And like the name states, it’s extremely powerful. PowerShell can be used to gather data, steal system information, dump credentials, pivot between systems, create backdoors and much more. The problem is that, by default, Windows only logs that PowerShell was launched. No additional details about what exactly happened are preserved. The only thing we can tell is that PowerShell called additional programs and possibly opened up a few network sessions. However, there is a way to gather additional details on PowerShell sessions and the command line in general. How to Gather PowerShell Details Often, the ideal way to tackle this ...