by staticassertion 2513 days ago
Yeah, they could have moved processes before execing the shell. Detecting "Firefox + Shell" is quite easy and standard, even in existing SIEMs.

Detecting "arbitrary program + shell" is at least moderately more difficult.

It's the attacker's dilemma though. They only need to trip one alarm to trigger IR.

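The two rules the comment above contrasts, as an added example that is not part of the thread: constructed process-creation events (PID, parent PID, executable name, as an execve audit source would report them), a narrow browser-spawns-shell rule, and the broader any-unexpected-parent-spawns-shell rule whose noise depends on an assumed per-fleet allowlist.

```python
from dataclasses import dataclass
from typing import List

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
BROWSERS = {"firefox", "chrome", "chromium"}
# Parents that routinely spawn shells on this constructed fleet; the generic
# rule's false-positive rate lives or dies by how well this list is tuned.
EXPECTED_SHELL_PARENTS = {"systemd", "sshd", "cron", "make", "bash", "sh", "gnome-terminal"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    comm: str  # executable name as execve logging (auditd, eBPF) reports it


# Constructed process-creation events, in arrival order.
EVENTS: List[ProcEvent] = [
    ProcEvent(1, 0, "systemd"),
    ProcEvent(800, 1, "sshd"),
    ProcEvent(801, 800, "bash"),       # admin login shell: expected
    ProcEvent(2000, 1, "firefox"),
    ProcEvent(2001, 2000, "sh"),       # browser -> shell: the thread's case
    ProcEvent(3000, 1, "libreoffice"),
    ProcEvent(3001, 3000, "bash"),     # some other app -> shell
    ProcEvent(4000, 801, "make"),
    ProcEvent(4001, 4000, "sh"),       # build tool -> shell: expected
]


def shell_spawns(events):
    """Yield (parent, child) event pairs where the child is a shell."""
    by_pid = {e.pid: e for e in events}
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is not None and child.comm in SHELLS:
            yield parent, child


def rule_browser_shell(events):
    """Narrow rule: a known browser spawns a shell. Easy and low-noise."""
    return [(p.pid, c.pid) for p, c in shell_spawns(events) if p.comm in BROWSERS]


def rule_any_shell(events, allow=EXPECTED_SHELL_PARENTS):
    """Generic rule: any parent outside the allowlist spawns a shell.
    Catches more parents, but every gap in the allowlist is a false positive."""
    return [(p.pid, c.pid) for p, c in shell_spawns(events) if p.comm not in allow]


if __name__ == "__main__":
    print("browser->shell:", rule_browser_shell(EVENTS))   # [(2000, 2001)]
    print("unexpected->shell:", rule_any_shell(EVENTS))    # [(2000, 2001), (3000, 3001)]
```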

The biggest fail here was that 32-bit program warning, which probably alerted the employee.

Notice that they didn't actually have an alert for Firefox+Shell; they detected that later by inspecting the audit logs.

> We detected the attacker at this stage, based on a number of behaviors (e.g. Firefox shouldn’t spawn a shell).

They explicitly state it was one of the behaviors they detected as suspicious.