Penetration Testing Tools¶
Description of Use Case¶
The scoring for this use case was a clear victory for telemetry sources that provide deep, behavioral insight into process execution and memory. The highest-scoring logs were not generic event logs, but highly specific ones designed to catch the behaviors of adversary tools—such as credential dumping, process injection, and fileless execution—rather than just the tools themselves.
Techniques Evaluated¶
T1219 Remote Access Software
T1059.001 Command & Scripting Interpreter: PowerShell
T1059.003 Command & Scripting Interpreter: Windows Command Shell
T1105 Ingress Tool Transfer
T1106 Native API
T1071 Application Layer Protocol
T1027 Obfuscated Files or Information
T1036 Masquerading
Top Scoring Log Sources¶
| Log Source | Score |
|---|---|
| EDR: Telemetry (All sources) | 27.6 |
| EDR: Unusual Child Process | 26.7 |
| Sysmon: EID 8: CreateRemoteThread | 25.9 |
| Windows PowerShell: EID 4104: Script Block Logging | 25.8 |
| Sysmon: EID 10: Process Access (LSASS) | 25.8 |
| EDR: Credential Dumping | 25.8 |
| EDR: Memory Scraping | 25.8 |
| EDR: LSASS Access from non-standard process | 25.8 |
| EDR: Suspicious Service Creation | 25.5 |
| Sysmon: EID 25: Process Tampering | 25.4 |
Key Trends & Generalizations¶
Detect the Behavior, Not the Tool: The highest-scoring logs don’t look for mimikatz.exe. They look for the behavior of a process accessing LSASS memory. This behavioral approach is far more robust and resilient to attackers renaming or obfuscating their tools.
Fileless Attacks are the Norm: The high ranking of PowerShell Script Block Logging and process injection detectors (Sysmon EID 8) confirms that modern adversary tradecraft is heavily reliant on in-memory and script-based execution, bypassing traditional file-based antivirus.
Memory is the New Battlefield: The best telemetry sources for this use case are those that monitor memory interactions. Detecting credential dumping and code injection requires visibility beyond simple process start/stop events.
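To make "detect the behavior, not the tool" concrete, here is an added example (not code from the original page) that triages Sysmon EID 10 (ProcessAccess) and EID 8 (CreateRemoteThread) records by what the source process did to LSASS or to another process, ignoring the executable's name. The allow-list, the sample events, their paths and the access masks are constructed assumptions for illustration.

```python
# Behavioral triage of Sysmon EID 10 and EID 8 records (added example, not the page's code).
from typing import Dict, List

# Assumed allow-list of processes that legitimately open LSASS; tune per environment.
LSASS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}
PROCESS_VM_READ = 0x0010  # access-right bit a read of LSASS memory requires

def triage(event: Dict[str, str]) -> List[str]:
    """Return a list of behavioral findings for one parsed Sysmon event."""
    findings: List[str] = []
    eid = event["EventID"]
    if eid == "10" and event["TargetImage"].lower().endswith(r"\lsass.exe"):
        src = event["SourceImage"].lower()
        mask = int(event["GrantedAccess"], 16)
        # Flag only non-allow-listed sources that obtained VM_READ on LSASS.
        if src not in LSASS_ALLOWED and mask & PROCESS_VM_READ:
            findings.append(f"lsass-memory-read:{event['SourceImage']}")
    elif eid == "8" and event["SourceProcessId"] != event["TargetProcessId"]:
        # A thread created in a different process is the injection primitive EID 8 records.
        findings.append(f"remote-thread:{event['SourceImage']}->{event['TargetImage']}")
    return findings

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run triage over a batch of events and collect every finding."""
    return [f for e in events for f in triage(e)]

# Constructed sample events (field names follow Sysmon's schema; values are made up).
SAMPLE_EVENTS = [
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": "10", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "8", "SourceProcessId": "4120", "TargetProcessId": "4120",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "8", "SourceProcessId": "5532", "TargetProcessId": "688",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Note that the renamed `updater.exe` is flagged purely by its access to LSASS memory and its cross-process thread, which is the resilience to renaming the text describes.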
Evaluation of Log Source Types¶
Behavioral and memory-focused events were the clear winners. Logs that record specific malicious actions (accessing LSASS memory, creating a remote thread) far outscored generic process creation logs. Script block logging was also in the top tier, highlighting the importance of seeing script content.
Technology Comparison: EDR ≈ Sysmon >> Native Windows Logs > Network/Cloud
Scoring Data¶
The raw TC scores broken down by metric can be found here: Dual-Use Tools & Penetration Testing Frameworks