merge ( processCreateDf, processAccessDf, left_on = 'ProcessGuid', right_on = 'SourceProcessGUID', how = 'inner' ) ) sessionReconnectDf = ( df ]. contains ( '.*dbghelp.*', regex = True )) ) ] ) firstJoinDf = ( pd. contains ( '.*dbgcore.*', regex = True )) | ( df. endswith ( 'lsass.exe', na = False )) & ( ( df. ProcessCreateDf = ( df ] = 'Microsoft-Windows-Sysmon/Operational' ) & ( df = 1 ) ] ) processAccessDf = ( df ] = 'Microsoft-Windows-Sysmon/Operational' ) & ( df = 10 ) & ( df. Registry Modification for Extended NetNTLM Downgrade Remote Interactive Task Manager LSASS Dump WMI Win32_Process Class and Create Method for Remote Execution Registry Modification to Enable Remote Desktop Conections Security Assertion Markup Language (SAML)ĭLL Process Injection via CreateRemoteThread and LoadLibraryĪctive Directory Object Access via Replication ServicesĪctive Directory Root Domain Modification for Replication Services Security Account Manager Remote Protocol (SAMRP) Active Directory Federation Services (ADFS) Distributed Key Manager (DKM) Keys
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |