It was my first false positive on a new feature.  We are beta testers.

False positives are a fact of life though.  Lateral movement with admin 
accounts is common from my techs as they move around and fix stuff, but it is 
tuned pretty well.  They have to be fast to trigger it. But you can't ignore 
them because if the bad guy gets one that is what is going to happen.  Pass the 
hash is pretty much part of Windows, so a few of those pop up now and again. 9 
out of 10 I can look at and close in a split second.  Others require a little 
more looking into but nothing hard or time consuming.  Just got back from 
almost 2 weeks vacation, closed all of them in a few minutes.

Most of them are exe drops into user profiles, I just glance at them and say a 
quiet thanks to Applocker. Usually the students trying to install games.  If 
it's something malicious I look into how they got to it in the first place.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Wednesday, July 6, 2016 4:13 PM
To: ntsysadm
Subject: Re: [NTSysADM] Notepad suspended.

It looks very interesting.

So, was it your first false positive, a real intrusion, or something else?

Kurt

On Wed, Jul 6, 2016 at 11:35 AM, Kennedy, Jim <[email protected]> 
wrote:
> Disclaimer, BDS is owned by my son.
>
> https://www.binarydefense.com/vision/
>
> Very small agent, maybe 40mb ram and <1 percent cpu as it runs.  It sits on 
> every box...servers and desktops.  It watches for typical attacker behavior, 
> connections to bad ips, exe drops, pass the hash, lateral movement between 
> boxes, event logs.  It also builds little honeypots on all your boxes.  Tons 
> of stuff it does. If it triggers it phones home to his SOC where it is 
> watched 24/7.  They evaluate and then escalate to me. I believe it can also 
> be run completely on prem.
>
> It's very quiet so when it yells, I listen.  So imagine it yelling at me last 
> night about a couple of odd outbound connections and then I find notepad.exe 
> running on all my servers.  I was freaking out for a bit there.
>
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Wednesday, July 6, 2016 2:22 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Notepad suspended.
>
> link? My feeble attempts at search revealed entirely too much, none of it 
> seemingly relevant.
>
> Kurt
>
> On Wed, Jul 6, 2016 at 10:44 AM, Kennedy, Jim <[email protected]> 
> wrote:
>> It's Vision, my on box IDS system.  It fires it up for certain secret things.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Wednesday, July 6, 2016 1:12 PM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] Notepad suspended.
>>
>> Not on my machines.
>>
>> Running notepad in my server admin context, it shows as running, not 
>> suspended.
>>
>> Kurt
>>
>> On Wed, Jul 6, 2016 at 5:35 AM, Kennedy, Jim 
>> <[email protected]> wrote:
>>> I am seeing Notepad.exe showing up on 2012 R2 servers in task 
>>> manager as ‘suspended’.  Even after a reboot and running as system.  
>>> I have not noticed that before.  Is that the norm?
>>
>>
>
>
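The thread above starts with notepad.exe showing as "suspended" in Task Manager on every 2012 R2 server, which turned out to be the on-box agent's own doing. When an alert like that fires, the first triage question is which processes are actually suspended (every thread parked with wait reason Suspended) and who their parent is. The PowerShell below is an added example for that check; it is not code from the thread or from Binary Defense, and the function name Get-SuspendedProcess is a hypothetical one chosen here. It assumes Windows PowerShell 5.1 or later on a Windows host and is best run elevated so all processes are visible.

```powershell
# Added example (not from the thread): list processes whose threads are all
# suspended, with their parent process, to triage an alert like the one above.
# Assumes Windows PowerShell 5.1+ on Windows; run elevated to see every process.
function Get-SuspendedProcess {
    [CmdletBinding()]
    param(
        # Optional image name filter (wildcards allowed), e.g. 'notepad'
        [string]$Name = '*'
    )

    # Parent PID lookup via CIM; Get-Process does not expose it directly
    $parents = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $parents[[int]$_.ProcessId] = [int]$_.ParentProcessId
    }

    # Some process properties throw for protected or system processes;
    # read them defensively so one failure does not abort the sweep
    function Get-Safe([scriptblock]$Read) {
        try { & $Read } catch { $null }
    }

    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc    = $_
        $threads = @($proc.Threads)
        if ($threads.Count -eq 0) { return }   # exited or no access

        # A process counts as suspended only when every thread is in the Wait
        # state with reason Suspended (WaitReason is only valid in Wait state,
        # so the -and short-circuit matters here)
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
            $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
        })
        if ($suspended.Count -ne $threads.Count) { return }

        $parentId   = $parents[$proc.Id]
        $parentName = if ($parentId) {
            (Get-Process -Id $parentId -ErrorAction SilentlyContinue).ProcessName
        }

        [pscustomobject]@{
            Name        = $proc.ProcessName
            PID         = $proc.Id
            Path        = Get-Safe { $proc.Path }
            ParentPID   = $parentId
            ParentName  = $parentName
            StartTime   = Get-Safe { $proc.StartTime }
            ThreadCount = $threads.Count
        }
    }
}

# Usage: Get-SuspendedProcess -Name notepad | Format-Table -AutoSize
```

A legitimate agent-spawned copy will show the agent's service as ParentPID/ParentName and a StartTime close to the service's own; a suspended copy of a benign binary with an unexpected parent, or one whose Path is not the expected system location, is the case worth looking into before closing the alert.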
