jdashn

  1. Not a malware writer, just a PowerShell guy, but... the line you reference, $pw = new-object System.IO.StreamWriter($p), is just writing information (actually one of the faster, if not the fastest, ways to write to a file in PS). The $p = New-Object System.IO.Pipes.NamedPipeServerStream($pn,"InOut",100, "Byte", "None", 1024, 1024, $ps) line, and the others referencing System.IO.Pipes, refer to making a pipe connection to another system, which would be concerning. Doubt it's immediately helpful, but it may assist when looking at other PS scripts for malicious intent. Jdashn
  2. I'm not sure why it would not be that a simple undetected keylogger was run, credentials gained (that's the data they're looking to pilfer, usually), and those creds used to disable ESET and infect the computer with ransomware, instead of a brute-force attempt on RDP. I understand that most of the bad actors seen by ESET come in via RDP, but if the keylogger is never detected, one might reasonably assume the PW was brute-forced. Especially if the common wisdom/training aligns to suggest that it was an RDP brute force? I would guess a bad actor who can get creds (either via RDP brute force, or a keylogger, or another exploit) will use them to whatever 'best effect' they can. If the company has CC#s to steal and the bad guy can sell them, they'll do that; if they can't find anything quickly, I'd imagine they'd throw on some ransomware and move on to the next target. I would imagine most who are 'hacked' (keylogger, exploit, RDP brute force) aren't so much targeted for the data they have as much as they are targeted for the low-hanging fruit they are (they ran a keylogging script, they have RDP available over the internet, other exploit). Then again, it's totally just a guess, and I'd hate to (in a situation of a breach especially) suggest that I know what caused this particular issue, but I would also think it's important to have all of the possibilities laid out.
  3. Could it have been a keystroke logger not detected, and not an RDP brute force that was the cause of the breach? I know there have been discussions in the past about how certain processes that can be used to create a keylogger are not blocked?
  4. @MichalJ I had thought I had seen a post stating that the next version of ERA was planned to be fully cloud-based. This will not work for our org. due to the issues I had mentioned; as long as ESET does not plan on ONLY offering ERA in the cloud, then we've got no concerns. Thanks! Jdashn
  5. Description: ERA accessible without internet access. Detail: Would like to ensure that the newest versions of ERA will still allow a locally installed product that would not become unusable if internet access were lost. If our internet provider were having issues, I would still like to be able to manage ESET products within our local network, receive threat notices, manage connected devices, etc.