Category: Windows Incident Response

Perspectives on Cybersecurity

I’m not a fan of many podcasts. I do like a conversational style, and there are some podcasts that I listen to, albeit not on a regular basis, and not for technical content. They’re mostly about either “easter eggs” in Marvel…

Releasing Open Source Tools to the Community

Every now and then, I get contacted by someone who tells me that they used the open source tools I’ve released in either a college course they took, or in a course provided by one of the many training vendors in…

Intel in LNK Files

I was reading a pretty interesting write-up from Seqrite regarding, in part, the use of pseudo-polyglot documents. In this case, delivery occurred via ZIP archive that contains an LNK file and a PNG file. The PNG file is pseudo-polyglot file…

Registry: FeatureUsage

Maurice posted on LinkedIn recently about one of the FeatureUsage Registry key subkeys; specifically, the AppSwitched subkey. Being somewhat, maybe even only slightly aware of the Windows Registry, I read the post with casual, even mild interest. Someone posted recently that cybersecurity…

Thoughts on Analysis

Warning – before you get started reading this blog post, it’s only fair that I warn you…in this post, I make the recommendation that you document your analysis process. If you find this traumatic, you might want to just move…

Unprecedented Complexity

I saw it again, just today. Another post on social media stating that IT teams/defenders “face unprecedented complexity”. This one stood out amongst all of the posts proclaiming the need for agentic AI on the defender’s side, due to how these…

Images

In writing Investigating Windows Systems, published in 2018, I made use of publicly available images found on the Internet. Some were images posted as examples of techniques, others were posted by professors running courses, and some were from CTFs. If…

File Formats

I’m a huge fan of MS file formats, mostly because they provide for the possibility of an immense (and often untapped, unexploited) amount of metadata. Anyone who’s followed me for any length of time, or has read my blog, knows…

What We Value

Over the past couple of days, I’ve had images pop up in my feed showing people’s workstations, most often with multiple screens. I’ve seen various configurations, some with three or more screens, but the other thing I’ve noted is that…

Analysis Playbooks: USB

In 2005, Cory Altheide and I published the first peer-reviewed paper to address tracking USB devices on Windows systems. Over the years, it’s been pretty amazing to see not only the artifacts expand and evolve, but to also see folks…

Registry Analysis

First off, what is “analysis”? I submit that “analysis” is what happens when an examiner has investigative goals and context, and applies this, along with their knowledge and experience, to a data set. This can be anything, from a physical…

Analyzing Ransomware

Not long ago, I ran across this LinkedIn post on analyzing a ransomware executable, which led to this HexaStrike post. The HexaStrike post covers analyzing an AI-generated ransomware variant, which (to be honest) is not something I’m normally interested in;…

Ransomware artifacts

I recently read through this FalconFeeds article on Qilin ransomware; being in DFIR consulting for as long as I have, and given how many ransomware incidents I’ve responded to or dug into, articles with titles like this attract my attention.…

Hunting Fileless Malware

I ran across Manuel Arrieta’s Hunting Fileless Malware in the Windows Registry article recently, and found it to be an interesting read. Let me start by saying that the term “fileless malware”, for me, is like fingernails dragged down…

Program Execution, follow-up pt II

On the heels of my previous post on this topic, it occurred to me that this tendency to incorrectly refer to ShimCache and AmCache artifacts as “evidence of execution” strongly indicates that we’re also not validating program execution. That is…

I’ve Seen Things, pt II

As a follow-on to my previous post with this title, I wanted to keep the story going; in fact, there are likely to be several more posts in this series, so stay tuned. And hey, I’m not the only one…

Program Execution, follow-up

Last Nov, I published a blog post titled Program Execution: The ShimCache/AmCache Myth as a means of documenting, yet again and in one place, the meaning of the artifacts. I did this because I kept seeing the “…these artifacts illustrate program…

I’ve Seen Things

I like the movie “Blade Runner”. I’ve read Philip K. Dick’s “Do Androids Dream of Electric Sheep”, on which the movie is based. So what does this have to do with anything? Well, I’ve been around the…

Know Your Tools

In 1998, I was in a role where I was leading teams on-site to conduct vulnerability assessments for organizations. For the technical part of the assessments, we were using ISS’s Internet Scanner product, which was a commercial scanner. Several years…

WMI

The folks over at CyberTriage recently shared a complete guide to WMI; it’s billed as a “complete guide to WMI malware”, and it covers a great deal more than just malware. They cover examples of discovery and enumeration, as well…