İşletim Sistemi Kimlik Bilgilerinin Boşaltılması T1003 →
İşletim Sistemi Kimlik Bilgilerinin Boşaltılması: DCSync T1003.006 →
Erişim Jetonu Manipülasyonu T1134 →
Altın Bilet T1558.001 ve Gümüş Bilet T1558.002 →
Ele Geçirme Yürütme Akışı: DLL Arama Siparişinin Ele Geçirilmesi T1574.001 →
İşletim Sistemi Kimlik Bilgilerinin Boşaltılması T1003
Mimikatz
https://redcanary.com/threat-detection-report/threats/mimikatz/ →
https://redcanary.com/threat-detection-report/threats/mimikatz/
https://neil-fox.github.io/Mimikatz-usage-&-detection/ →
https://neil-fox.github.io/Mimikatz-usage-&-detection/
https://medium.com/@levurge/detecting-mimikatz-with-sysmon-f6a96669747e →
https://medium.com/@levurge/detecting-mimikatz-with-sysmon-f6a96669747e
İşletim Sistemi Kimlik Bilgilerinin Boşaltılması: DCSync T1003.006
https://www.alteredsecurity.com/post/a-primer-on-dcsync-attack-and-detection →
https://www.alteredsecurity.com/post/a-primer-on-dcsync-attack-and-detection
Powershell T1059.001
Potansiyel olarak şüpheli komutlar
https://gist.github.com/gfoss/2b39d680badd2cad9d82 →
https://gist.github.com/gfoss/2b39d680badd2cad9d82
Mandiant'ın Powershell günlüğe kaydetme kılavuzu
https://cloud.google.com/security/mandiant →
https://cloud.google.com/security/mandiant
Şifre Püskürtme T1110.003
Erişim Jetonu Manipülasyonu T1134
https://www.elastic.co/blog/how-attackers-abuse-access-token-manipulation →
https://www.elastic.co/blog/how-attackers-abuse-access-token-manipulation
Kerberoasting T1158.003
https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity →
https://www.hub.trimarcsecurity.com/post/trimarc-research-detecting-kerberoasting-activity
https://adsecurity.org/?p=3458 →
https://adsecurity.org/?p=3458
https://www.redsiege.com/blog/2020/10/detecting-kerberoasting/ → YAYINDAN KALDIRILDI
https://www.redsiege.com/blog/2020/10/detecting-kerberoasting/ YAYINDAN KALDIRILDI
Hash T1550.002'yi iletin
https://threathuntingreadings.com/passthehashwhatisandhowcanwedetectit/ → YAYINDAN KALDIRILDI
https://threathuntingreadings.com/passthehashwhatisandhowcanwedetectit/ YAYINDAN KALDIRILDI
Altın Bilet T1558.001 ve Gümüş Bilet T1558.002
https://adsecurity.org/?p=1515 →
https://adsecurity.org/?p=1515
Ortadaki Düşman T1557
NTLM geçişi
https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9?gi=35173cc2ed4a →
https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9?gi=35173cc2ed4a
Kerberos Aktarma saldırılarını algılama
https://posts.bluraven.io/detecting-kerberos-relaying-e6be66fa647c?gi=48dbb02eb475 →
https://posts.bluraven.io/detecting-kerberos-relaying-e6be66fa647c?gi=48dbb02eb475
Ele Geçirme Yürütme Akışı: DLL Arama Siparişinin Ele Geçirilmesi T1574.001
https://marcusedmondson.com/2021/02/28/windows-persistence-mechanics-dll-search-order-hijacking/ →
https://marcusedmondson.com/2021/02/28/windows-persistence-mechanics-dll-search-order-hijacking/
Yanal Hareket TA0008
Japonya CERT kılavuzu
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf →
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
CERT-AB kılavuzu
https://media.cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf → YAYINDAN KALDIRILDI
https://media.cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf YAYINDAN KALDIRILDI
Compass Security'nin GPO ayarlarına ilişkin kılavuzu
İleri Savunma Analisti kılavuzu
https://www.forwarddefense.com/media/attachments/2021/05/15/lateral-movement-analyst-reference.pdf →
https://www.forwarddefense.com/media/attachments/2021/05/15/lateral-movement-analyst-reference.pdf
Lares'ten Yanal Hareketin Düşüşü
https://www.lares.com/blog/the-lowdown-on-lateral-movement/ →