Offensive Tool Analysis

Hunting HackTools with Event IDs

This site summarizes the results of examining logs recorded in Windows upon execution of the 49 tools which are likely to be used by the attacker that has infiltrated a network. The following logs were examined. Note that it was confirmed that traces of tool execution is most likely to be left in event logs. Accordingly, examination of event logs is the main focus here.

Analysis of Switches

This page goes into deep detail about switches of specific hacktools and what they do. Useful for trying to figure out what exactly adversary commands were doing.

Hunting for Impacket

Good article on hunting for Impacket execution within your environment.

PreviousMISC NextInvestigating Specific Activity

Last updated 1 year ago