Peekaboo we see GRU (part 2)
Now that Sysmon is installed, we will set up our development environment in preparation for a future post, in which we will write a short program that sends a text message when “unauthorized” Windows files try to initiate network traffic. The basic example app is in Python; the main app will be in C#.
As mentioned in part 1, this image shows the route a postal worker (mailman) takes each day to deliver mail. If that delivery person were an “attacker”, this information would be used to catch them. Sysmon provides similar data about which processes run and which network connections they open, and we will use it to catch our thief.
Why C#? Many organizations don’t allow Python on user systems, whereas a C# program compiles to a standard Windows executable. Also, if your organization has a way to code-sign binaries, a compiled executable can be signed, which follows security best practice and fits application allow-listing policies that a loose script cannot satisfy.
The first step is to create a free Twilio account. We won’t go through every step of that; images of the key steps are above and below. If you need more help, this GeeksforGeeks guide is a good reference:
Python | Send SMS using Twilio — GeeksforGeeks
View of the Twilio console dashboard.
Choose your phone number. Note that a Twilio trial account starts with a $15 credit.
Before we jump into C#, a short Python script lets you quickly send a text message to your phone. It is best to confirm the Twilio side is working before we move into Visual Studio.
The Python example used here is from: Python | Send SMS using Twilio — GeeksforGeeks
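The following is an added example (not the page’s code and not the GeeksforGeeks snippet) that sends the same kind of test message without the Twilio helper library, using only the Python standard library. It assumes Twilio’s documented REST interface: a POST to `https://api.twilio.com/2010-04-01/Accounts/{AccountSid}/Messages.json` with HTTP Basic auth (`AccountSid:AuthToken`) and form-encoded `From`, `To` and `Body` fields. The account SID, auth token and phone numbers are placeholders read from environment variables (`TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN`, `TWILIO_FROM`, `ALERT_TO`, all names chosen here), so the auth token never has to be pasted into source code. Building the request is separated from sending it so the request can be checked offline.

```python
"""Send an SMS through Twilio's REST API with only the standard library.

Added example; not from the original post or from GeeksforGeeks.
Assumes Twilio's Messages resource:
  POST https://api.twilio.com/2010-04-01/Accounts/{AccountSid}/Messages.json
  HTTP Basic auth  AccountSid:AuthToken
  form fields      From, To, Body
All credentials and numbers are placeholders supplied via environment variables.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TWILIO_API = "https://api.twilio.com/2010-04-01"


def build_sms_request(account_sid, auth_token, from_number, to_number, body):
    """Return a urllib Request for Twilio's Messages resource.

    Kept separate from the network call so the URL, auth header and form body
    can be inspected (and unit-tested) without credentials or connectivity.
    """
    url = f"{TWILIO_API}/Accounts/{account_sid}/Messages.json"
    form = urllib.parse.urlencode(
        {"From": from_number, "To": to_number, "Body": body}
    ).encode()
    # Twilio authenticates with HTTP Basic: base64("AccountSid:AuthToken").
    creds = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode()
    req = urllib.request.Request(url, data=form, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def send_sms(body, env=os.environ):
    """Send an SMS using credentials taken from environment variables.

    Environment variable names are this example's own convention. The auth
    token grants full API access to the account, so it is read from the
    environment rather than hard-coded, and the function refuses to run if
    anything is missing instead of sending a half-configured request.
    """
    required = ("TWILIO_ACCOUNT_SID", "TWILIO_AUTH_TOKEN", "TWILIO_FROM", "ALERT_TO")
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise RuntimeError(f"missing environment variables: {', '.join(missing)}")
    req = build_sms_request(
        env["TWILIO_ACCOUNT_SID"], env["TWILIO_AUTH_TOKEN"],
        env["TWILIO_FROM"], env["ALERT_TO"], body,
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        # Twilio answers with the message resource as JSON ("sid", "status", ...).
        return json.load(resp)


if __name__ == "__main__":
    result = send_sms("Sysmon alerting test: SMS path is working")
    print(result["sid"], result["status"])
```

Run it once with the four environment variables exported; a message SID and a status such as `queued` in the output means the Twilio side is ready for the C# program. Treat `TWILIO_AUTH_TOKEN` like a password: anyone holding it can send messages billed to your account, so it belongs in a secret store or environment variable, not in the repository.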
Now we are ready to create our C# project. The next steps are easier to show than to describe; skip them if you already have Visual Studio installed.
Download Visual Studio Community.
Select create a new project.
Select C# Console App (.NET Framework).
Select “Manage NuGet Packages”.
Install the System.Diagnostics.EventLog NuGet package. (On .NET Framework the EventLog class already ships in System.dll; the package is what you need if you later retarget the project to .NET Core or .NET 5+.)
Verify your installed Packages.
OK, that was a lot of work with no real coding yet. Next we will discuss how, using DNS logs and a list of 538 million top domains, the SolarWinds hack could have been discovered months earlier.