I read the following tweet by Florian Roth a couple of days ago:
People frequently ask me about process hollowing/doppelgänging, spectre/meltdown, skeleton keys & attack vectors involving liquid nitrogen.
Recently I replied:
Would you notice someone running “whoami” on one of your servers? https://t.co/Y4e8YaFdtt
— Florian Roth (@cyb3rops) January 27, 2018
I could not agree more with the reply from Florian. See below a list of resources that help tuning detection mechanisms for post exploitation activities.
- Windows enumeration commands
- Windows post exploitation resources
- Living off the land
- Windows commands abused by the attackers
- Post Exploitation using WMIC
- Post Exploitation in Windows using dir Command
- Post Exploitation on Windows PC
- Linux post exploitation
- Patterns of behaviour
Enjoy and happy hunting ;)