It looks very interesting. So, was it your first false positive, a real intrusion, or something else?
Kurt

On Wed, Jul 6, 2016 at 11:35 AM, Kennedy, Jim <[email protected]> wrote:
> Disclaimer, BDS is owned by my son.
>
> https://www.binarydefense.com/vision/
>
> Very small agent, maybe 40 MB RAM and <1 percent CPU as it runs. It sits on
> every box...servers and desktops. It watches for typical attacker behavior,
> connections to bad IPs, exe drops, pass the hash, lateral movement between
> boxes, event logs. It also builds little honeypots on all your boxes. Tons
> of stuff it does. If it triggers it phones home to his SOC where it is
> watched 24/7. They evaluate and then escalate to me. I believe it can also
> be run completely on prem.
>
> It's very quiet, so when it yells, I listen. So imagine it yelling at me last
> night about a couple of odd outbound connections and then I find notepad.exe
> running on all my servers. I was freaking out for a bit there.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
> Sent: Wednesday, July 6, 2016 2:22 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Notepad suspended.
>
> Link? My feeble attempts at search revealed entirely too much, none of it
> seemingly relevant.
>
> Kurt
>
> On Wed, Jul 6, 2016 at 10:44 AM, Kennedy, Jim <[email protected]>
> wrote:
>> It's Vision, my on-box IDS system. It fires it up for certain secret things.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Wednesday, July 6, 2016 1:12 PM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] Notepad suspended.
>>
>> Not on my machines.
>>
>> Running notepad in my server admin context, it shows as running, not
>> suspended.
>>
>> Kurt
>>
>> On Wed, Jul 6, 2016 at 5:35 AM, Kennedy, Jim
>> <[email protected]> wrote:
>>> I am seeing Notepad.exe showing up on 2012 R2 servers in Task Manager
>>> as 'suspended'. Even after a reboot and running as SYSTEM. I have
>>> not noticed that before. Is that the norm?
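The finding in this thread (notepad.exe sitting "suspended" on every 2012 R2 server) is worth triaging with data rather than a hunch. The PowerShell below is an added example, not part of the list discussion and not code from BDS Vision: it lists processes whose threads are all suspended, together with parent process, image path and Authenticode status, so a responder can tell a decoy spawned by a known agent from something that should not be there. The function name Get-SuspendedProcess is the editor's own.

```powershell
# Added example: enumerate fully suspended processes and collect triage context.
function Get-SuspendedProcess {
    [CmdletBinding()]
    param([string]$Name = '*')   # process name filter, e.g. 'notepad'

    # Parent PIDs come from CIM; Get-Process does not expose them directly.
    $parentMap = @{}
    Get-CimInstance Win32_Process |
        ForEach-Object { $parentMap[[int]$_.ProcessId] = [int]$_.ParentProcessId }

    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc    = $_
        $threads = @($proc.Threads)
        if ($threads.Count -eq 0) { return }

        # A process counts as suspended only when every thread is Wait/Suspended.
        # WaitReason throws unless ThreadState is Wait, so test ThreadState first.
        $running = @($threads | Where-Object {
            -not ($_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended')
        })
        if ($running.Count -gt 0) { return }

        $parentId = $parentMap[$proc.Id]
        $parent   = if ($parentId) { Get-Process -Id $parentId -ErrorAction SilentlyContinue }
        # MainModule is access-denied on protected processes; record null rather than fail.
        $path     = try { $proc.MainModule.FileName } catch { $null }
        $sig      = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

        [pscustomobject]@{
            Name       = $proc.Name
            Id         = $proc.Id
            Threads    = $threads.Count
            Path       = $path
            Signature  = $sig
            ParentId   = $parentId
            ParentName = $parent.Name      # the agent's own process, if it spawned the decoy
            StartTime  = try { $proc.StartTime } catch { $null }
        }
    }
}

# Triage only the notepad.exe instances described in the thread.
Get-SuspendedProcess -Name notepad | Format-Table -AutoSize
```

A decoy spawned by an on-box agent should show that agent as ParentName and a Valid Microsoft signature on the notepad.exe image; an unexpected parent or an image path outside System32 is what justifies escalation.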

