Often the first point of infection is not the attacker's targeted machine. If the attacker wants to cause greater damage, they will try to propagate through the environment to the machine of a System Admin, or maybe even the CEO.
Here you will want to ask questions such as “Are there any irregular uses of PsExec?” and “Are there any unusual remote connections?” Answering them is crucial to preventing the exfiltration of important files and documents such as company projections and financial statements.
Register for the third and final part of our three-part online threat hunting event series with Cybereason Researcher Sanat Chugh to learn how to control the damage once an attacker has propagated through your environment.
Researcher | Cybereason