[Bro] Detecting remote powershell
neslog at gmail.com
Fri Mar 9 13:28:25 PST 2018
We have had good success combining ja 3 TLS fingerprinting with server
certificate information to identify anomalous traffic.
On Feb 16, 2018 1:53 PM, "James Dickenson" <jdickenson at gmail.com> wrote:
> I don't believe I've seen any work in this regard for Bro, it would be
> great if someone invested the time to build something. I do know that
> there is the Attack Detection team that have been submitting a lot of
> powershell,empire,etc based rules to the ET ruleset for Snort/Suricata.
> -James D.
> On Wed, Feb 14, 2018 at 5:03 AM, James Lay <jlay at slave-tothe-box.net>
>> Hey All,
>> Topic really...has anyone put some work/sigs into detecting remote
>> powershell? Figured I'd start here first...thank you.
>> Bro mailing list
>> bro at bro-ids.org
> Bro mailing list
> bro at bro-ids.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro