I had the distinct honor and pleasure of speaking at the “From The Source” Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training, and ran two different…
Category: Windows Incident Response
Artifact Tracking: Workstation Names
Very often in cybersecurity, we share some level of indicators of compromise (IOCs), such as IP addresses, domain names, or file names or hashes. There are other indicators associated with many compromises or breaches that can add a great deal…
Analysis Process
Now and again, someone will ask me, “…how do you do analysis?” or perhaps more specifically, “…how do you use RegRipper?” This is a tough question to answer, but not because I don’t have an answer. I’ve already published a book…
Rundown
I ran across a fascinating post from Cyber Sundae DFIR recently that talked about the Capability Access Manager, and how with Windows 11 it includes database of applications that have accessed devices such as the mic or camera, going beyond just…
Exploiting LNK Metadata
Anyone who’s followed me for a bit knows that I’m a huge proponent of metadata, and in particular, exploiting metadata in LNK files that threat actors create, use as lures, and send to their targets. I read an article not…
Shell Items
I ran across a Cyber5W article recently titled, Windows Shell Item Analysis. I’m always very interested in not only understanding parsing of various data sources from Windows systems, but also learning a little something about how others view the topic. …
RegRipper Educational Materials
A recent LinkedIn thread led to a question regarding RegRipper educational materials, as seen in figure 1; specifically, are there any. Figure 1: LinkedIn request There are two books that address the use of RegRipper; Windows Registry Forensics, and Investigating…
What is “Events Ripper”?
I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago. Fig. 1: LinkedIn post From the comments to this and…
What is “Events Ripper”?
I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago. Fig. 1: LinkedIn post From the comments to this and…
The Myth of “Fileless” Malware
Is “fileless” malware really fileless? Now, don’t get me wrong…I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on the local hard…
The Myth of “Fileless” Malware
Is “fileless” malware really fileless? Now, don’t get me wrong…I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on the local hard…
Threat Actors Dropping Multiple Ransomware Variants
I ran across an interesting LinkedIn post recently, “interesting” in the sense that it addressed something I hadn’t seen a great deal of reporting on; that is, ransomware threat actors dropping multiple RaaS variants within a single compromised organization. Now,…
A Look At Threat Intel Through The Lens Of Kimsuky
Rapid7 recently shared a fascinating post regarding the Kimsuky threat actor group making changes in their playbooks, specifically in their apparent shift to the use of .chm/”compiled HTML Help” files. In the post, the team does a great job of…
Uptycs Cybersecurity Standup
I was listening to a couple of fascinating interviews on the Uptycs Cybersecurity Standup podcast recently, and I have to tell you, there were some pretty insightful comments from the speakers. < div>The first one I listened to was Becky…
Investigative Scenario, 2024-03-12
Investigative Scenario Chris Sanders posted another investigative scenario on Tues, 12 Mar, and this one, I thought, was interesting (see the image to the right). First off, you can find the scenario posted on X/Twitter, and here on LinkedIn. Now,…
PCAParse
I was doing some research recently regarding what’s new to Windows 11, and ran across an interesting artifact, which seems to be referred to as “PCA”. I found a couple of interesting references regarding this artifact, such as this one…
A Look At Threat Intel, Through The Lens Of The r77 Rootkit
It’s been almost a year, but this Elastic Security write-up on the r77 rootkit popped up on my radar recently, so I thought it would be useful to do a walk-through of how someone with my background would mine open…
Lists of Images
There’re a lot of discussions out there on social media regarding how to get started or improve yourself or set yourself apart in cybersecurity, and lot of the advice centers around doing things yourself; setting up a home lab, using…
EDRSilencer
There’s been a good bit of discussion in the cybersecurity community regarding “EDR bypasses”, and most of these discussions have been centered around technical means a threat actor can use to “bypass” EDR. Many of these discussions do not seem…
Human Behavior In Digital Forensics, pt III
So far, parts I and II of this series have been published, and at this point, there’s something that we really haven’t talked about. That is, the “So, what?”. Who cares? What are the benefits of understanding human behavior rendered…
Human Behavior In Digital Forensics, pt II
One the heels of my first post on this topic, I wanted to follow up with some additional case studies that might demonstrate how digital forensics can provide insight into human activity and behavior, as part of an investigation. Targeted…
Human Behavior In Digital Forensics
I I’ve always been a fan of books or shows where someone follow clues and develops an overall picture to lead them to their end goal. I’ve always like the “hot on the trail” mysteries, particularly when the clues are…
2023 Wrap-up
Another trip around the sun is in the books. Looking back over the year, I thought I’d tie a bow on some of the things I’d done, and share a bit about what to expect in the coming year. In…
Round Up
MSSQL is still a thingTheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I’m always interested in things like this because it’s possible that the author will provide clear observables so that folks can…
…and the question is…
I received an interesting question via LinkedIn not long ago, but before we dive into the question and the response… If you’ve followed me for any amount of time, particularly recently, you’ll know that I’ve put some effort forth in…
Roll-up
One of the things I love about the industry is that it’s like fashion…given enough time, the style that came and went comes back around again. Much like the fashion industry, we see things time and again…just wait. A good…
Roll-up
I don’t like checklists in #DFIR. Rather, I don’t like how checklists are used in #DFIR. Too often, they’re used as a replacement for learning and knowledge, and looked at as, “…if I do just this, I’m good…”. Nothing could…
Investigating Time Stomping
Some analysts may be familiar with the topic of time stomping, particularly as it applies to the NTFS file system, and is explained in great detail by Lina Lau in her blog. If you’re not familiar with the topic, give…
The State of Windows Digital Analysis, pt II
On the heels of my previous blog post on this topic, I read a report that, in a lot of ways, really highlighted some of the issues I mentioned in that earlier post. The recent IDC report from Binalyze is…
The State of Windows Digital Analysis
Something that I’ve seen and been concerned about for some time now is the state of digital analysis, particularly when it comes to Windows systems. From open reporting to corporate blog posts and webinars, it’s been pretty clear that there…
The State of Windows Digital Analysis
Something that I’ve seen and been concerned about for some time now is the state of digital analysis, particularly when it comes to Windows systems. From open reporting to corporate blog posts and webinars, it’s been pretty clear that there…
Book Review: Effective Threat Investigation for SOC Analysts
I recently had an opportunity to review the book, Effective Threat Investigation for SOC Analysts, by Mostafa Yahia. Before I start off with my review of this book, I wanted to share a little bit about my background and perspective.…
The Next Step: Integrating Yara with RegRipper, pt II
Okay, so we’ve integrated Yara into the RegRipper workflow, and created “YARR”…now what? The capability is great…at least, I think so. The next step (in the vein of the series) is really leveraging it by creating rules that allow analysts…
Yet Another Glitch In The Matrix
It’s about that time again, isn’t it? It’s been a while since we’ve had a significant (or, depending upon your perspective, radical) shift in the cyber crime eco-system, so maybe we’re due. What am I referring to? Back in 2019,…
Integrating Yara with RegRipper
A lot of writing and training within DFIR about the Registry refers to it as a database where configuration settings and information is maintained. There’s really a great deal of value in that, and there is also so much more…
The Next Step: Expanding RegRipper
I thought I’d continue The Next Step series of blog posts with something a little different. This “The Next Step” blog post is about taking a tool such as RegRipper to “the next step”, which is something I started doing…
Ransomware Attack Timeline
The morning of 1 Aug, I found an article in my feed about a ransomware attack against a municipality; specifically, Montclair Township in New Jersey. Ransomware attacks against municipalities are not new, and they can be pretty devastating to staff…
Ransomware Attack Timeline
The morning of 1 Aug, I found an article in my feed about a ransomware attack against a municipality; specifically, Montclair Township in New Jersey. Ransomware attacks against municipalities are not new, and they can be pretty devastating to staff…
Events Ripper Updates
I uploaded a couple of new updates to Events Ripper plugins in the repo recently… defender.pl – added a check for event ID 2050 records, indicating that Defender uploaded a sample (as opposed to event ID 2051 records, indicating that…
Thoughts on Tool Features, pt II
My previous post on this topic addressed an apparent dichotomy (admittedly, based on a limited aperture) of thought between vendors and users when it comes to features being added to commercial forensic suites. This was the result of a road I’d…
Thoughts on Tool Features
Not long ago, some exchanges and conversations led me to do something I’d never done before…post a poll on LinkedIn. These conversations had to do with whether or not analysts and practitioners within the industry felt there was adequate value…
The Next Step: VHD Files and Metadata
Keeping with the theme from my previous blog post of building on what others have done and written about, and of assembling the pieces that are already available to build on a foundation built by others, I found something interesting…
The Next Step
A lot of times, we’ll run across something or read something really very profound and valuable, something that opens our eyes and makes us go, “oh, wow”, and impacts us enough that it changes the way we do things. I…
Events Ripper Update
Something I really, really like about tools like RegRipper and Events Ripper is that when I see something in the data during an investigation, I can explore whether it makes sense to pull that out and make it visible to…
Hiding In The Windows Event Log
In May 2022, Kaspersky published a write-up on a newly-discovered campaign where malware authors wrote shellcode to the Windows Event Log. This was pretty interesting, and just about 4 months later, Tim Fowler published this blog post over at BlackHillsInfoSec,…
Interview Questions
There’s been a lot of ink put toward resume recommendations and preparing for interviews over the years, and I feel like there’s been even more lately, given the number of folks looking to transition to one of the cybersecurity fields,…
Validation – This Time, Tool Validation
I’ve posted previously on validation, and more recently, on validation of findings. In my recent series of posts, I specifically avoided the top of tool validation, because while tool validation predicates the validation of findings, and there is some overlap,…
DFIR Core Principles
My copy of “Forensic Discovery” There are a lot of folks new to the cybersecurity industry, and in particular DFIR, and a lot of folks considering getting into the field. As such, I thought it might be useful to share…
The Need for Innovation in DFIR
Barely a week goes by and we see another yet post on social media that discusses knowledge sharing or “training” in cybersecurity, and in particular, DFIR and Windows forensic analysis. However, many times, these posts aren’t “new”, per se, but…
Events Ripper Update
Yet again, recent incidents have led to Events Ripper being updated. This time, it’s an updated plugin, and a new plugin. appissue.pl – I updated this plugin based on Josh’s finding and Tweet; I can’t say that I’ve ever seen…
Events Ripper Update
Working a recent incident, I came across something very unusual. I started by going back into a previous investigation run against the endpoint that had been conducted a month ago, and extracting the WEVTX files collected as part of that…
Events Ripper Updates
I updated an Events Ripper plugin recently, and added two new ones…I tend to do this when I see something new to that I don’t have to remember to run a command, check a box on a checklist, or take…
Composite Objects and Constellations
Okay, to start off, if you haven’t seen Joe Slowik’s RSA 2022 presentation, you should stop now and go watch it. Joe does a great job of explaining and demonstrating why IOCs are truly composite objects, that there’s much more…
The Windows Registry
When it comes to analyzing and understanding the Windows Registry, where do we go, as an industry, to get the information we need? Why does this even matter? Well, an understanding of the Registry can provide insight into the target…
Events Ripper Updates
As you may know, I’m a pretty big proponent for documenting things that we “see” or find during investigations, and then baking those things back into the parsing and decoration process, as a means of automating and retaining corporate knowledge.…
Program Execution
By now, I hope you’ve had a chance to read and consider the posts I’ve written discussing the need for validation of findings (third one here). Part of the reason for this series was a pervasive over-reliance on single artifacts…
On Validation, pt III
From the first two articles (here, and here) on this topic arises the obvious question…so what? Not validating findings has worked well for many, to the point that the lack of validation is not recognized. After all, who notices that…
New Events Ripper Plugins
I recently released four new Events Ripper plugins, mssql.pl, scm7000.pl, scm7024.pl and apppopup26.pl. The mssql.pl plugin primarily looks for MS SQL failed login events in the Application Event Log. I’d engaged in a response where we were able to validate the…
On Validation, pt II
My first post on this topic didn’t result in a great deal of engagement, but that’s okay. I wrote the first post with part II already loaded in the chamber, and I’m going to continue with this topic because, IMHO,…
Deriving Value From Open Reporting
There’s a good bit of open reporting available online these days, including (but not limited to) the annual reports that tend to be published around this time of year. All of this open reporting amounts to a veritable treasure trove…
Deriving Intel From Open Reporting
There’s a good bit of open reporting available online these days, including (but not limited to) the annual reports that tend to be published around this time of year. All of this open reporting amounts to a veritable treasure trove…
Unraveling Rorschach
Checkpoint recently shared a write-up on some newly-discovered ransomware dubbed, “Rorschach”. The write-up was pretty interesting, and had a good bit of content to unravel, so I thought I’d share the thoughts that had developed while I read and re-read…
On Validation
I’ve struggled with the concept of “validation” for some time; not the concept in general, but as it applies specifically to SOC and DFIR analysis. I’ve got a background that includes technical troubleshooting, so “validation” of findings, or the idea…
Password Hash Leakage
If you’ve been in the security community for even a brief time, or you’ve taking training associated with a certification in this field, you’ve likely encountered the concept of password hashes. The “Reader’s Digest” version of password hashes are that…
The “Why” Behind Tactics
Very often we’ll see mention in open reporting of a threat actor’s tactics, be they “new” or just what’s being observed, and while we may consider how our technology stack might be used to detect these tactics, or maybe how…
Threat Actors Changing Tactics
I’ve been reading a bit lately on social media about how cyber security is “hard” and it’s “expensive”, and about how threat actors becoming “increasingly sophisticated”. The thing is, going back more than 20 yrs, in fact going back to…
On Using Tools
I’ve written about using tools before in this blog, but there are times when something comes up that provokes a desire to revisit a topic, to repeat it, or to evolve and develop the thoughts around it. This is one…
Devices
This interview regarding one of the victims of the University of Idaho killings having a Bluetooth speaker in her room brings up a very important aspect of digital forensic analysis; that technology that we know little about is very pervasive…
Why Write?
I shared yet another post on writing recently; I say “yet another” because I’ve published blog posts on the topic of “writing” several times. But something I haven’t really discussed is why should we write, nor what we should write…
WEVTX Event IDs
Now and again, we see online content that moves the community forward, a step or several steps. One such article appeared on Medium recently, titled Forensic Traces of Exploiting NTDS. This article begins developing the artifact constellations, and walks through…
Training and CTFs
The military has a couple of adages…one, “you fight like you train”, and another being, “the more you sweat in peace, the less you bleed in war.” The idea behind these adages is that progressive, realistic training prepares you for…
Training and CTFs
The military has a couple of adages…one, “you fight like you train”, and another being, “the more you sweat in peace, the less you bleed in war.” The idea behind these adages is that progressive, realistic training prepares you for…
Why Lists?
So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are…
Why Lists?
So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are…
Validating Tools
Many times, in the course of our work as analysts (SOC, DFIR, etc.), we run tools…and that’s it. But do we often stop to think about why we’re running that tool, as opposed to some other tool? Is it because…
Speaking Engagements
Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…
Soft Skills: Writing
Writing. Like math in middle school, this is one of those subjects that we pushed back on, telling ourselves, “I’ll never have to use this…”, and then quite shockingly finding that it’s amazing how much writing we actually do. However,…
Speaking Engagements
Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…
Updates, Compilation
Thoughts on Detection EngineeringI read something online recently that suggested that the role of detection engineering is to reduce the false positive (FPs) alerts sent to the SOC. In part, I fully agree with this; however, “cyber security” is a…
Soft Skills: Writing
Writing. Like math in middle school, this is one of those subjects that we pushed back on, telling ourselves, “I’ll never have to use this…”, and then quite shockingly finding that it’s amazing how much writing we actually do. However,…
Updates, Compilation
Thoughts on Detection EngineeringI read something online recently that suggested that the role of detection engineering is to reduce the false positive (FPs) alerts sent to the SOC. In part, I fully agree with this; however, “cyber security” is a…
Speaking Engagements
Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…
Wi-Fi Geolocation, Then and Now
I’ve always been fascinated by the information maintained in the Windows Registry. But in order to understand this, to really get a view into this, you have to know a little bit about my background. The first computer I remember…
Keeping Grounded
As 2022 comes to a close, I reflect back over the past year, and the previous years that have gone before. I know we find it fascinating to hear “experts” make predictions for the future, but I tend to believe…
Persistence and LOLBins
Grzegorz/@0gtweet tweeted something recently that I thought was fascinating, suggesting that a Registry modification might be considered an LOLBin. What he shared was pretty interesting, so I tried it out. First, the Registry modification: reg add “HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\query” /v LOLBin…
Why I love RegRipper
Yes, yes, I know…you’re probably thinking, “you wrote it, dude”, and while that’s true, that’s not the reason why I really love RegRipper. Yes, it’s my “baby”, but there’s so much more to it than that. For me, it’s about…
Challenge 7 Write-up
Dr. Ali Hadi recently posted another challenge image, this one (#7) being a lot closer to a real-world challenge than a lot of the CTFs I’ve seen over the years. What I mean by that is that in the 22+…
Post Compilation
Investigating Windows SystemsIt’s the time of year again when folks are looking for stocking stuffers for the DFIR nerd in their lives, and my recommendation is a copy of Investigating Windows Systems! The form factor for the book makes it…
Challenge 7 Write-up
Dr. Ali Hadi recently posted another challenge image, this one (#7) being a lot closer to a real-world challenge than a lot of the CTFs I’ve seen over the years. What I mean by that is that in the 22+…
Thoughts on Teaching Digital Forensics
When I first started writing books, my “recipe” for how to present the information followed the same structure I saw in other books at the time. While I was writing books to provide content along the lines of what I…
RegRipper Value Proposition
I recently posted to LinkedIn, asking my network for their input regarding the value proposition of RegRipper; specifically, how is RegRipper v3.0 of “value” to them, how does it enhance their work? I did this because I really wanted to…
RegRipper Value Proposition
I recently posted to LinkedIn, asking my network for their input regarding the value proposition of RegRipper; specifically, how is RegRipper v3.0 of “value” to them, how does it enhance their work? I did this because I really wanted to…
Speaking Engagements
Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…
Testing Registry Modification Scenarios
After reading some of the various open reports regarding how malware or threat actors were “using” the Registry, manipulating it to meet their needs, I wanted to take a look and see what the effects or impacts of these actions…
Data Collection
During IR engagements, like many other analysts, I’ve seen different means of data exfiltration. During one engagement, the customer stated that they’d “…shut off all of our FTP servers…”, but apparently “all” meant something different to them, because the threat…
Data Collection
During IR engagements, like many other analysts, I’ve seen different means of data exfiltration. During one engagement, the customer stated that they’d “…shut off all of our FTP servers…”, but apparently “all” meant something different to them, because the threat…
Data Collection
During IR engagements, like many other analysts, I’ve seen different means of data exfiltration. During one engagement, the customer stated that they’d “…shut off all of our FTP servers…”, but apparently “all” meant something different to them, because the threat…
Events Ripper
Not long ago, I made a brief mention of Events Ripper, a proof-of-concept tool I wrote to quickly provide situational awareness and pivot points for analysts who were already on the road to developing a timeline. The idea behind the…
We Need Cybersecurity Mentors
I received a job description from a recruiter recently, along with the request that if I knew anyone who fit the bill and was interested, could I please forward the job description to them. The recruiter was looking for someone…
We Need Cybersecurity Mentors
I received a job description from a recruiter recently, along with the request that if I knew anyone who fit the bill and was interested, could I please forward the job description to them. The recruiter was looking for someone…