[Bro] Detecting remote powershell

Neslog neslog at gmail.com
Fri Mar 9 13:28:25 PST 2018


We have had good success combining JA3 TLS fingerprinting with server
certificate information to identify anomalous traffic.

On Feb 16, 2018 1:53 PM, "James Dickenson" <jdickenson at gmail.com> wrote:

>
>
> I don't believe I've seen any work in this regard for Bro, it would be
> great if someone invested the time to build something.  I do know that
> there is the Attack Detection team that have been submitting a lot of
> powershell,empire,etc based rules to the ET ruleset for Snort/Suricata.
>
>
> -James D.
>
>
> On Wed, Feb 14, 2018 at 5:03 AM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> Hey All,
>>
>> Topic really...has anyone put some work/sigs into detecting remote
>> powershell?  Figured I'd start here first...thank you.
>>
>> James
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
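The approach described at the top of this thread, pairing a JA3 client fingerprint with the server-certificate fields Bro already records in ssl.log, worked through as an added Python example. It is not code from this thread, from Bro, or from the JA3 package; it assumes ssl.log carries a `ja3` column (the JA3 package adds that field to `SSL::Info`) and runs over a constructed, simplified log whose fingerprints, hosts and UIDs are made up. The point it shows is that neither signal alone is a good alert: an unfamiliar JA3 on its own fires on every new client library, and a self-signed certificate on its own fires on every internal test box, so a connection is flagged only when both sides look off.

```python
# Added example (not from the Bro list thread): post-process a Bro ssl.log
# that has the JA3 package's "ja3" column, and flag connections where an
# unfamiliar client fingerprint coincides with a certificate-side oddity.

# Constructed baseline of "known-good" JA3 hashes (placeholder values, not
# real fingerprints); in practice this comes from your own traffic history.
BASELINE_JA3 = {"11111111111111111111111111111111"}

# Constructed, simplified ssl.log: only the columns the logic uses.
# "-" is Bro's marker for an unset field.
_ROWS = [
    ["#fields", "ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p",
     "server_name", "subject", "issuer", "validation_status", "ja3"],
    ["1520000001.0", "C1", "10.0.0.5", "203.0.113.10", "443", "www.example.com",
     "CN=www.example.com", "CN=Example Issuing CA", "ok",
     "11111111111111111111111111111111"],
    ["1520000002.0", "C2", "10.0.0.7", "198.51.100.20", "443", "-",
     "CN=localhost", "CN=localhost", "self signed certificate",
     "22222222222222222222222222222222"],
    ["1520000003.0", "C3", "10.0.0.9", "203.0.113.11", "443", "api.example.com",
     "CN=*.example.com", "CN=Example Issuing CA", "ok",
     "33333333333333333333333333333333"],
    ["1520000004.0", "C4", "10.0.0.5", "192.0.2.50", "8443", "test.internal",
     "CN=test.internal", "CN=test.internal", "self signed certificate",
     "11111111111111111111111111111111"],
    ["1520000005.0", "C5", "10.0.0.12", "198.51.100.77", "443", "cdn.example.net",
     "CN=update.example.org", "CN=Example Issuing CA",
     "unable to get local issuer certificate",
     "44444444444444444444444444444444"],
]
SAMPLE_SSL_LOG = "\n".join("\t".join(r) for r in _ROWS)


def parse_ssl_log(text):
    """Parse Bro's TSV log format. Column names come from the '#fields' line;
    other '#' metadata lines are skipped; '-' becomes None."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        records.append({k: (None if v == "-" else v)
                        for k, v in zip(fields, values)})
    return records


def _common_name(subject):
    """Pull the CN out of a Bro-style 'CN=...,O=...' distinguished name."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None


def _host_matches(host, cn):
    """Exact match, or single-label wildcard match for a '*.' CN."""
    if cn.startswith("*."):
        _, _, rest = host.partition(".")
        return rest == cn[2:]
    return host == cn


def cert_signals(rec):
    """Return the certificate-side reasons a record looks unusual."""
    reasons = []
    subject, issuer = rec.get("subject"), rec.get("issuer")
    status, sni = rec.get("validation_status"), rec.get("server_name")
    if subject and issuer and subject == issuer:
        reasons.append("self-signed certificate")
    if status and status != "ok":
        reasons.append("validation failed: %s" % status)
    if sni is None:
        reasons.append("no SNI in ClientHello")
    elif subject:
        cn = _common_name(subject)
        if cn and not _host_matches(sni, cn):
            reasons.append("SNI %s does not match certificate CN %s" % (sni, cn))
    return reasons


def find_anomalies(records, baseline_ja3):
    """Flag a connection only when the client JA3 is outside the baseline AND
    at least one certificate-side signal is present."""
    hits = []
    for rec in records:
        ja3 = rec.get("ja3")
        if ja3 is None or ja3 in baseline_ja3:
            continue
        reasons = cert_signals(rec)
        if reasons:
            hits.append((rec["uid"], ja3, reasons))
    return hits


if __name__ == "__main__":
    for uid, ja3, reasons in find_anomalies(parse_ssl_log(SAMPLE_SSL_LOG), BASELINE_JA3):
        print(uid, ja3, "; ".join(reasons))
```

On the constructed log only C2 and C5 are reported: C3 has a fingerprint nobody has seen before but a valid certificate matching its SNI, and C4 is a self-signed internal host reached by a baseline client, so both stay quiet.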