Peekaboo we see GRU

Dec 28, 2020

3 min read

Peekaboo we see GRU (part 2)

Now that Sysmon is installed, we will set up our development environment and get prepared for a future post in which we will code a short program that sends a text when “unauthorized” Windows files try to initiate network traffic. The basic example app is in Python; the main app will be C#.

As mentioned in part 1, this image shows the route a postal worker (mailman) takes each day to deliver mail. If this delivery person was an “attacker”, this information would be used to catch him. Sysmon will provide similar data to catch our thief.

Why C#? Many organizations don’t allow Python on user systems. C# will be a standard Windows exe. Also, if your org has a way to sign binary files, that will allow you to follow security best practices.

The first step will be to create a Free Twilio account. We won’t go through every step for that. Images of the key steps are above and below. If you need more help, this GeeksforGeeks link is a good guide.

Python | Send SMS using Twilio — GeeksforGeeks

View of the Twilio console dashboard.

Choose your phone number. Note Twilio starts with a $15 credit.

Before we jump into C#, here is the python code you can use to quickly send a text message to your phone. Best to confirm everything is working before we jump into Visual Studio.

This Python example is from the GeeksforGeeks guide: Python | Send SMS using Twilio — GeeksforGeeks
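The Twilio snippet sends a fixed message; as an added example (not from this post or from GeeksforGeeks), here is the other half of the plan from the opening paragraph in Python: decide, from Sysmon Event ID 3 (network connection) records, which Windows binaries should trigger a text. The allowlist of expected Windows network images, the sample paths and the addresses are constructed assumptions; the namespace URI is the standard Windows event schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allowlist for this example: Windows binaries we expect to open network
# connections. Any other image under C:\Windows\ seen in a Sysmon Event ID 3
# (network connection) record is treated as "unauthorized" and gets a text.
EXPECTED_WINDOWS_NETWORK_IMAGES = {
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records in the shape Sysmon writes to
# Microsoft-Windows-Sysmon/Operational, trimmed to the fields the check needs.
_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>{eid}</EventID></System><EventData>
<Data Name="Image">{image}</Data><Data Name="DestinationIp">{ip}</Data>
<Data Name="DestinationPort">{port}</Data></EventData></Event>"""
SAMPLE_EVENTS = [
    _EVENT.format(eid=3, image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  ip="198.51.100.10", port=443),    # not a Windows file: ignore
    _EVENT.format(eid=3, image=r"C:\Windows\System32\svchost.exe",
                  ip="198.51.100.20", port=80),     # expected: ignore
    _EVENT.format(eid=3, image=r"C:\Windows\System32\notepad.exe",
                  ip="203.0.113.7", port=8080),     # unexpected: alert
]


def parse_sysmon_event(xml_text):
    """Return (event_id, image, 'ip:port') from one Sysmon event XML string."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("./e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text or "" for d in root.findall("./e:EventData/e:Data", NS)}
    return event_id, data.get("Image", ""), f"{data.get('DestinationIp')}:{data.get('DestinationPort')}"


def is_unauthorized_network_image(image):
    """True for a binary under C:\\Windows\\ that is not on the expected list."""
    path = image.lower()
    return path.startswith("c:\\windows\\") and path not in EXPECTED_WINDOWS_NETWORK_IMAGES


def alerts_for(xml_events):
    """Build one SMS-sized message per unauthorized network-connection record.

    Each returned string is what you would pass as body= to Twilio's
    client.messages.create(...) call from the GeeksforGeeks snippet.
    """
    messages = []
    for xml_text in xml_events:
        event_id, image, destination = parse_sysmon_event(xml_text)
        if event_id == 3 and is_unauthorized_network_image(image):
            messages.append(f"Sysmon: {image} connected to {destination}")
    return messages
```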

Now we are ready to create our C# project. It is easier to show the next steps as screenshots; skip them if you already have Visual Studio installed.

Download Visual Studio Community.

Choose these options: select .NET desktop development.

Select Create a new project.

Select C# Console App (.NET Framework)

Install required NuGet Package.

Select “Manage NuGet Packages”.

Install the System.Diagnostics.EventLog NuGet Package

Click OK to install.

Verify your installed packages.

OK, that was a lot of work with no real coding yet. Next we will discuss how, using DNS logs and a list of 538 million top domains, the SolarWinds hack could have been discovered months earlier.