[Bro] Detecting remote powershell
James Lay
jlay at slave-tothe-box.net
Fri Mar 16 16:05:49 PDT 2018
Thanks Anthony...as luck would have it I'd already installed it on all
my sensors so I'll dig a little deeper into leveraging JA3 on the
detection side...thanks again.
James
On Fri, 2018-03-16 at 17:03 -0600, anthony kasza wrote:
> If you do some baselining in your environment, JA3 can be very
> successful at detecting PowerShell.
>
> -AK
>
> On Mar 16, 2018 2:13 PM, "Seth Hall" <seth at corelight.com> wrote:
> >
> >
> > On 16 Mar 2018, at 13:46, James Lay wrote:
> >
> > > YAY
> >
> > Whew. Every time I see stuff like that I start getting nervous.
> >
> > .Seth
> >
> > --
> > Seth Hall * Corelight, Inc * www.corelight.com
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
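Added example, not part of the thread and not Bro's own JA3 script: a small Python implementation of the baselining approach Anthony describes. It computes the JA3 string and MD5 hash from raw ClientHello handshake bytes (skipping GREASE values, as the reference JA3 implementation does), collects the hashes seen during a baselining window, and flags any later ClientHello whose hash was never seen. The ClientHello messages and the baseline set are constructed for illustration; no real PowerShell fingerprint value is claimed, and `build_client_hello` exists only to fabricate test input.

```python
"""JA3 fingerprinting with a baseline allowlist (constructed example)."""
import hashlib
import struct

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Encode a minimal TLS ClientHello handshake message (test input only).

    Extension 10 (supported_groups) and 11 (ec_point_formats) get real bodies;
    every other listed extension is emitted with an empty body.
    """
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext_blob = b""
    for ext in extensions:
        if ext == 10:
            data = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", g) for g in curves)
        elif ext == 11:
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""
        ext_blob += struct.pack("!HH", ext, len(data)) + data
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    return b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1 + 24-bit length


def ja3_fields(hello):
    """Extract the five JA3 fields from a ClientHello handshake message."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    version = struct.unpack("!H", hello[4:6])[0]
    pos = 6 + 32                                   # skip client random
    pos += 1 + hello[pos]                          # skip session id
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hello[pos:pos + n]) if c not in GREASE]
    pos += n
    pos += 1 + hello[pos]                          # skip compression methods
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    exts, curves, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + elen]
        pos += elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:    # supported_groups: 2-byte list length, then 2-byte group ids
            curves = [g for (g,) in struct.iter_unpack("!H", data[2:]) if g not in GREASE]
        elif etype == 11:  # ec_point_formats: 1-byte list length, then 1-byte formats
            formats = list(data[1:])
    return version, ciphers, exts, curves, formats


def ja3(hello):
    """Return (ja3_string, ja3_md5) for a ClientHello."""
    version, ciphers, exts, curves, formats = ja3_fields(hello)
    s = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, curves, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_baseline(hellos):
    """Collect the JA3 hashes of every client seen during the baselining window."""
    return {ja3(h)[1] for h in hellos}


def classify(hello, baseline):
    """Flag a ClientHello whose JA3 hash never appeared while baselining."""
    s, digest = ja3(hello)
    return {"ja3": digest, "ja3_string": s, "status": "known" if digest in baseline else "new"}


# Constructed sample traffic (not real captures): a browser-style hello that
# uses GREASE values, and a sparse hello from an unfamiliar client.
BASELINE_HELLOS = [
    build_client_hello(771, [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
                       [0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
                       [0x0A0A, 29, 23, 24], [0]),
]
UNKNOWN_HELLO = build_client_hello(771, [0xC02C, 0xC02B, 0x009F, 0x009E, 0x002F],
                                   [0, 10, 11, 13, 23], [29, 23, 24], [0])

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HELLOS)
    for name, h in (("baseline client", BASELINE_HELLOS[0]), ("unfamiliar client", UNKNOWN_HELLO)):
        print(name, classify(h, baseline))
```

In practice the baseline would be built from the ja3 field Bro's JA3 script writes to ssl.log over a quiet period, and anything with status "new" is the candidate to look at, with the host and destination from the same log line giving the context to decide whether it is an unexpected client.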