Category: Windows Incident Response

FTSCon

I had the distinct honor and pleasure of speaking at the “From The Source” Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training, and ran two different…

Analysis Process

Now and again, someone will ask me, “…how do you do analysis?” or perhaps more specifically, “…how do you use RegRipper?” This is a tough question to answer, but not because I don’t have an answer. I’ve already published a book…

Rundown

I ran across a fascinating post from Cyber Sundae DFIR recently that talked about the Capability Access Manager, and how with Windows 11 it includes database of applications that have accessed devices such as the mic or camera, going beyond just…

Exploiting LNK Metadata

Anyone who’s followed me for a bit knows that I’m a huge proponent of metadata, and in particular, exploiting metadata in LNK files that threat actors create, use as lures, and send to their targets. I read an article not…

Shell Items

I ran across a Cyber5W article recently titled, Windows Shell Item Analysis. I’m always very interested in not only understanding parsing of various data sources from Windows systems, but also learning a little something about how others view the topic. …

RegRipper Educational Materials

A recent LinkedIn thread led to a question regarding RegRipper educational materials, as seen in figure 1; specifically, are there any. [Figure 1: LinkedIn request] There are two books that address the use of RegRipper; Windows Registry Forensics, and Investigating…

What is “Events Ripper”?

I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago. [Fig. 1: LinkedIn post] From the comments to this and…

Uptycs Cybersecurity Standup

I was listening to a couple of fascinating interviews on the Uptycs Cybersecurity Standup podcast recently, and I have to tell you, there were some pretty insightful comments from the speakers. The first one I listened to was Becky…

Investigative Scenario, 2024-03-12

Investigative Scenario. Chris Sanders posted another investigative scenario on Tues, 12 Mar, and this one, I thought, was interesting (see the image to the right). First off, you can find the scenario posted on X/Twitter, and here on LinkedIn. Now,…

PCAParse

I was doing some research recently regarding what’s new to Windows 11, and ran across an interesting artifact, which seems to be referred to as “PCA”. I found a couple of interesting references regarding this artifact, such as this one…

Lists of Images

There’re a lot of discussions out there on social media regarding how to get started or improve yourself or set yourself apart in cybersecurity, and lot of the advice centers around doing things yourself; setting up a home lab, using…

EDRSilencer

There’s been a good bit of discussion in the cybersecurity community regarding “EDR bypasses”, and most of these discussions have been centered around technical means a threat actor can use to “bypass” EDR. Many of these discussions do not seem…

2023 Wrap-up

Another trip around the sun is in the books. Looking back over the year, I thought I’d tie a bow on some of the things I’d done, and share a bit about what to expect in the coming year. In…

Round Up

MSSQL is still a thing. TheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I’m always interested in things like this because it’s possible that the author will provide clear observables so that folks can…

…and the question is…

I received an interesting question via LinkedIn not long ago, but before we dive into the question and the response… If you’ve followed me for any amount of time, particularly recently, you’ll know that I’ve put some effort forth in…

Roll-up

One of the things I love about the industry is that it’s like fashion…given enough time, the style that came and went comes back around again. Much like the fashion industry, we see things time and again…just wait. A good…

Roll-up

I don’t like checklists in #DFIR. Rather, I don’t like how checklists are used in #DFIR. Too often, they’re used as a replacement for learning and knowledge, and looked at as, “…if I do just this, I’m good…”. Nothing could…

Investigating Time Stomping

Some analysts may be familiar with the topic of time stomping, particularly as it applies to the NTFS file system, and is explained in great detail by Lina Lau in her blog. If you’re not familiar with the topic, give…

Yet Another Glitch In The Matrix

It’s about that time again, isn’t it? It’s been a while since we’ve had a significant (or, depending upon your perspective, radical) shift in the cyber crime eco-system, so maybe we’re due. What am I referring to? Back in 2019,…

Integrating Yara with RegRipper

A lot of writing and training within DFIR about the Registry refers to it as a database where configuration settings and information is maintained. There’s really a great deal of value in that, and there is also so much more…

Ransomware Attack Timeline

The morning of 1 Aug, I found an article in my feed about a ransomware attack against a municipality; specifically, Montclair Township in New Jersey. Ransomware attacks against municipalities are not new, and they can be pretty devastating to staff…

Events Ripper Updates

I uploaded a couple of new updates to Events Ripper plugins in the repo recently… defender.pl – added a check for event ID 2050 records, indicating that Defender uploaded a sample (as opposed to event ID 2051 records, indicating that…

Thoughts on Tool Features, pt II

My previous post on this topic addressed an apparent dichotomy (admittedly, based on a limited aperture) of thought between vendors and users when it comes to features being added to commercial forensic suites. This was the result of a road I’d…

Thoughts on Tool Features

Not long ago, some exchanges and conversations led me to do something I’d never done before…post a poll on LinkedIn. These conversations had to do with whether or not analysts and practitioners within the industry felt there was adequate value…

The Next Step

A lot of times, we’ll run across something or read something really very profound and valuable, something that opens our eyes and makes us go, “oh, wow”, and impacts us enough that it changes the way we do things. I…

Events Ripper Update

Something I really, really like about tools like RegRipper and Events Ripper is that when I see something in the data during an investigation, I can explore whether it makes sense to pull that out and make it visible to…

Hiding In The Windows Event Log

In May 2022, Kaspersky published a write-up on a newly-discovered campaign where malware authors wrote shellcode to the Windows Event Log. This was pretty interesting, and just about 4 months later, Tim Fowler published this blog post over at BlackHillsInfoSec,…

Interview Questions

There’s been a lot of ink put toward resume recommendations and preparing for interviews over the years, and I feel like there’s been even more lately, given the number of folks looking to transition to one of the cybersecurity fields,…

DFIR Core Principles

[Image: My copy of “Forensic Discovery”] There are a lot of folks new to the cybersecurity industry, and in particular DFIR, and a lot of folks considering getting into the field. As such, I thought it might be useful to share…

The Need for Innovation in DFIR

Barely a week goes by and we see yet another post on social media that discusses knowledge sharing or “training” in cybersecurity, and in particular, DFIR and Windows forensic analysis. However, many times, these posts aren’t “new”, per se, but…

Events Ripper Update

Yet again, recent incidents have led to Events Ripper being updated. This time, it’s an updated plugin, and a new plugin. appissue.pl – I updated this plugin based on Josh’s finding and Tweet; I can’t say that I’ve ever seen…

Events Ripper Update

Working a recent incident, I came across something very unusual. I started by going back into a previous investigation run against the endpoint that had been conducted a month ago, and extracting the WEVTX files collected as part of that…

Events Ripper Updates

I updated an Events Ripper plugin recently, and added two new ones…I tend to do this when I see something new, so that I don’t have to remember to run a command, check a box on a checklist, or take…

The Windows Registry

When it comes to analyzing and understanding the Windows Registry, where do we go, as an industry, to get the information we need? Why does this even matter? Well, an understanding of the Registry can provide insight into the target…

Events Ripper Updates

As you may know, I’m a pretty big proponent for documenting things that we “see” or find during investigations, and then baking those things back into the parsing and decoration process, as a means of automating and retaining corporate knowledge.…

Program Execution

By now, I hope you’ve had a chance to read and consider the posts I’ve written discussing the need for validation of findings (third one here). Part of the reason for this series was a pervasive over-reliance on single artifacts…

On Validation, pt III

From the first two articles (here, and here) on this topic arises the obvious question…so what? Not validating findings has worked well for many, to the point that the lack of validation is not recognized. After all, who notices that…

New Events Ripper Plugins

I recently released four new Events Ripper plugins, mssql.pl, scm7000.pl, scm7024.pl and apppopup26.pl.  The mssql.pl plugin primarily looks for MS SQL failed login events in the Application Event Log. I’d engaged in a response where we were able to validate the…

On Validation, pt II

My first post on this topic didn’t result in a great deal of engagement, but that’s okay. I wrote the first post with part II already loaded in the chamber, and I’m going to continue with this topic because, IMHO,…

Unraveling Rorschach

Checkpoint recently shared a write-up on some newly-discovered ransomware dubbed, “Rorschach”. The write-up was pretty interesting, and had a good bit of content to unravel, so I thought I’d share the thoughts that had developed while I read and re-read…

On Validation

I’ve struggled with the concept of “validation” for some time; not the concept in general, but as it applies specifically to SOC and DFIR analysis. I’ve got a background that includes technical troubleshooting, so “validation” of findings, or the idea…

Password Hash Leakage

If you’ve been in the security community for even a brief time, or you’ve taken training associated with a certification in this field, you’ve likely encountered the concept of password hashes. The “Reader’s Digest” version of password hashes is that…

The “Why” Behind Tactics

Very often we’ll see mention in open reporting of a threat actor’s tactics, be they “new” or just what’s being observed, and while we may consider how our technology stack might be used to detect these tactics, or maybe how…

Threat Actors Changing Tactics

I’ve been reading a bit lately on social media about how cyber security is “hard” and it’s “expensive”, and about how threat actors are becoming “increasingly sophisticated”. The thing is, going back more than 20 yrs, in fact going back to…

On Using Tools

I’ve written about using tools before in this blog, but there are times when something comes up that provokes a desire to revisit a topic, to repeat it, or to evolve and develop the thoughts around it. This is one…

Devices

This interview regarding one of the victims of the University of Idaho killings having a Bluetooth speaker in her room brings up a very important aspect of digital forensic analysis; that technology that we know little about is very pervasive…

Why Write?

I shared yet another post on writing recently; I say “yet another” because I’ve published blog posts on the topic of “writing” several times. But something I haven’t really discussed is why should we write, nor what we should write…

WEVTX Event IDs

Now and again, we see online content that moves the community forward, a step or several steps. One such article appeared on Medium recently, titled Forensic Traces of Exploiting NTDS. This article begins developing the artifact constellations, and walks through…

Training and CTFs

The military has a couple of adages…one, “you fight like you train”, and another being, “the more you sweat in peace, the less you bleed in war.” The idea behind these adages is that progressive, realistic training prepares you for…

Why Lists?

So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are…

Validating Tools

Many times, in the course of our work as analysts (SOC, DFIR, etc.), we run tools…and that’s it. But do we often stop to think about why we’re running that tool, as opposed to some other tool? Is it because…

Speaking Engagements

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Soft Skills: Writing

Writing. Like math in middle school, this is one of those subjects that we pushed back on, telling ourselves, “I’ll never have to use this…”, and then quite shockingly finding that it’s amazing how much writing we actually do. However,…

Updates, Compilation

Thoughts on Detection Engineering. I read something online recently that suggested that the role of detection engineering is to reduce the false positive (FP) alerts sent to the SOC. In part, I fully agree with this; however, “cyber security” is a…

Wi-Fi Geolocation, Then and Now

I’ve always been fascinated by the information maintained in the Windows Registry. But in order to understand this, to really get a view into this, you have to know a little bit about my background. The first computer I remember…

Keeping Grounded

As 2022 comes to a close, I reflect back over the past year, and the previous years that have gone before. I know we find it fascinating to hear “experts” make predictions for the future, but I tend to believe…

Persistence and LOLBins

Grzegorz/@0gtweet tweeted something recently that I thought was fascinating, suggesting that a Registry modification might be considered an LOLBin. What he shared was pretty interesting, so I tried it out. First, the Registry modification: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\query" /v LOLBin…