Blog: Purpleteam

PsExec. I thought we were friends…

A couple of weeks ago we were talking a lot about monitoring and the wonderful world of Windows with a few delegates at BruCON. A valid point was raised regarding the monitoring of PsExec (and in general, service creation events) and false alarms. We recently wrote a blog detailing certain detection metrics that could be… Read More

What the Heck PsExec!

We were talking internally about the infamous PsExec during a recent delivery of our Defending Enterprises training when we stumbled across this tweet from BlackMatter23. Service creation and related events can be caught using existing methods, but having an accurate correlation between service creation and deletion events would allow even more activities to be reliability… Read More

Using Kibana and Packetbeat to map DNS queries

Overview: In this short post we’re going to show one visual method of mapping, and potentially identifying malicious DNS traffic within a network. We’re not going to walk through the configuration of Elastic, beats agents or Kibana and there is an assumption that UDP 53 traffic is being logged by Packetbeat on the endpoint(s). Visualisations:… Read More

An intro into abusing and identifying WMI Event Subscriptions for persistence

Overview: Windows Management Instrumentation (WMI) Event Subscriptions are one of many ways to establish persistence on a network. The technique, IDT1084 on Mitre ATT&CK, can be fairly discreet and has been used by APT29 to establish backdoors. We’re not going to dig into too much detail about WMI Event Subscriptions themselves, as some good material… Read More