Orbital Query Corner - Update

brmcmaho
Cisco Employee

"What is this 'Orbital Query Corner' thing", you ask?  It's the name of an occasional series of articles, each discussing one particular point or use case for the Orbital advanced search feature that is available in Cisco Secure Endpoint starting at the Advantage level.

The idea behind this series is that, while Orbital is a tremendously powerful tool, it may seem like a daunting thing to get to know, especially if you don't happen to be a guru-level expert in both SQL-style queries and Windows internals.  These documents are intended to explore ways to use the power of Orbital in small bite-sized pieces; sometimes the topic will be driven by current events, and sometimes the theme will be a bit more general, but always kept short and informal.

To make it a bit easier to keep track of things, this blog post summarizes the Orbital Query Corner articles to date.

| Date Posted | Title/Link | Theme/Content Summary |
|---|---|---|
| July 15 2020 | Why does $malware keep coming back? | Searching for scheduled tasks, a common attack persistence technique |
| July 30 2020 | Hunting WMI based backdoor mechanisms | Another threat hunt, this time for WMI event filters |
| August 14 2020 | Hunting RATs | Looking for signs of Remote Access Trojan (RAT) activity |
| December 17 2020 | Responding to the SolarWinds Orion Compromise | How to search for vulnerable software versions |
| July 16 2021 | Two Views of PrintNightmare | Checking for vulnerable services and verifying mitigations |
| July 27 2021 | Checking Windows ACLs for CVE-2021-36934 | Checking file ACLs and VSS to verify Microsoft's recommended mitigations |
| August 23 2021 | Orbiting the Cloud(s) | Querying metadata for instances running in AWS and Azure |
2 Comments
Ken Stieers
Advocate

Hey Brian,

Please keep up the great work, especially with things like the recent MS vulnerabilities. Tremendously useful!

Thanks!

Ken

emirolyu
Cisco Employee

Agree with the previous comment, please keep up the great work, Brian & team.