Category: Windows Incident Response

On the heels of my previous blog post on this topic, I read a report that, in a lot of ways, really highlighted some of the issues I mentioned in that earlier post. The recent IDC report from Binalyze is…

Read more →

Something that I’ve seen and been concerned about for some time now is the state of digital analysis, particularly when it comes to Windows systems. From open reporting to corporate blog posts and webinars, it’s been pretty clear that there…

Read more →

Something that I’ve seen and been concerned about for some time now is the state of digital analysis, particularly when it comes to Windows systems. From open reporting to corporate blog posts and webinars, it’s been pretty clear that there…

Read more →

I recently had an opportunity to review the book, Effective Threat Investigation for SOC Analysts, by Mostafa Yahia.  Before I start off with my review of this book, I wanted to share a little bit about my background and perspective.…

Read more →

Okay, so we’ve integrated Yara into the RegRipper workflow, and created “YARR”…now what? The capability is great…at least, I think so. The next step (in the vein of the series) is really leveraging it by creating rules that allow analysts…

Read more →

It’s about that time again, isn’t it? It’s been a while since we’ve had a significant (or, depending upon your perspective, radical) shift in the cyber crime eco-system, so maybe we’re due.  What am I referring to? Back in 2019,…

Read more →

A lot of writing and training within DFIR about the Registry refers to it as a database where configuration settings and information is maintained. There’s really a great deal of value in that, and there is also so much more…

Read more →

I thought I’d continue The Next Step series of blog posts with something a little different. This “The Next Step” blog post is about taking a tool such as RegRipper to “the next step”, which is something I started doing…

Read more →

The morning of 1 Aug, I found an article in my feed about a ransomware attack against a municipality; specifically, Montclair Township in New Jersey. Ransomware attacks against municipalities are not new, and they can be pretty devastating to staff…

Read more →

The morning of 1 Aug, I found an article in my feed about a ransomware attack against a municipality; specifically, Montclair Township in New Jersey. Ransomware attacks against municipalities are not new, and they can be pretty devastating to staff…

Read more →

I uploaded a couple of new updates to Events Ripper plugins in the repo recently… defender.pl – added a check for event ID 2050 records, indicating that Defender uploaded a sample (as opposed to event ID 2051 records, indicating that…

Read more →

My previous post on this topic addressed an apparent dichotomy (admittedly, based on a limited aperture) of thought between vendors and users when it comes to features being added to commercial forensic suites. This was the result of a road I’d…

Read more →

Not long ago, some exchanges and conversations led me to do something I’d never done before…post a poll on LinkedIn. These conversations had to do with whether or not analysts and practitioners within the industry felt there was adequate value…

Read more →

Keeping with the theme from my previous blog post of building on what others have done and written about, and of assembling the pieces that are already available to build on a foundation built by others, I found something interesting…

Read more →

A lot of times, we’ll run across something or read something really very profound and valuable, something that opens our eyes and makes us go, “oh, wow”, and impacts us enough that it changes the way we do things. I…

Read more →

Something I really, really like about tools like RegRipper and Events Ripper is that when I see something in the data during an investigation, I can explore whether it makes sense to pull that out and make it visible to…

Read more →

In May 2022, Kaspersky published a write-up on a newly-discovered campaign where malware authors wrote shellcode to the Windows Event Log. This was pretty interesting, and just about 4 months later, Tim Fowler published this blog post over at BlackHillsInfoSec,…

Read more →

There’s been a lot of ink put toward resume recommendations and preparing for interviews over the years, and I feel like there’s been even more lately, given the number of folks looking to transition to one of the cybersecurity fields,…

Read more →

I’ve posted previously on validation, and more recently, on validation of findings. In my recent series of posts, I specifically avoided the top of tool validation, because while tool validation predicates the validation of findings, and there is some overlap,…

Read more →

My copy of “Forensic Discovery” There are a lot of folks new to the cybersecurity industry, and in particular DFIR, and a lot of folks considering getting into the field. As such, I thought it might be useful to share…

Read more →

Barely a week goes by and we see another yet post on social media that discusses knowledge sharing or “training” in cybersecurity, and in particular, DFIR and Windows forensic analysis. However, many times, these posts aren’t “new”, per se, but…

Read more →

Yet again, recent incidents have led to Events Ripper being updated. This time, it’s an updated plugin, and a new plugin. appissue.pl – I updated this plugin based on Josh’s finding and Tweet; I can’t say that I’ve ever seen…

Read more →

Working a recent incident, I came across something very unusual. I started by going back into a previous investigation run against the endpoint that had been conducted a month ago, and extracting the WEVTX files collected as part of that…

Read more →

I updated an Events Ripper plugin recently, and added two new ones…I tend to do this when I see something new to that I don’t have to remember to run a command, check a box on a checklist, or take…

Read more →

Okay, to start off, if you haven’t seen Joe Slowik’s RSA 2022 presentation, you should stop now and go watch it. Joe does a great job of explaining and demonstrating why IOCs are truly composite objects, that there’s much more…

Read more →

When it comes to analyzing and understanding the Windows Registry, where do we go, as an industry, to get the information we need? Why does this even matter? Well, an understanding of the Registry can provide insight into the target…

Read more →

As you may know, I’m a pretty big proponent for documenting things that we “see” or find during investigations, and then baking those things back into the parsing and decoration process, as a means of automating and retaining corporate knowledge.…

Read more →

By now, I hope you’ve had a chance to read and consider the posts I’ve written discussing the need for  validation of findings (third one here). Part of the reason for this series was a pervasive over-reliance on single artifacts…

Read more →

From the first two articles (here, and here) on this topic arises the obvious question…so what? Not validating findings has worked well for many, to the point that the lack of validation is not recognized. After all, who notices that…

Read more →

I recently released four new Events Ripper plugins, mssql.pl, scm7000.pl, scm7024.pl and apppopup26.pl.  The mssql.pl plugin primarily looks for MS SQL failed login events in the Application Event Log. I’d engaged in a response where we were able to validate the…

Read more →

My first post on this topic didn’t result in a great deal of engagement, but that’s okay. I wrote the first post with part II already loaded in the chamber, and I’m going to continue with this topic because, IMHO,…

Read more →

There’s a good bit of open reporting available online these days, including (but not limited to) the annual reports that tend to be published around this time of year. All of this open reporting amounts to a veritable treasure trove…

Read more →

There’s a good bit of open reporting available online these days, including (but not limited to) the annual reports that tend to be published around this time of year. All of this open reporting amounts to a veritable treasure trove…

Read more →

Checkpoint recently shared a write-up on some newly-discovered ransomware dubbed, “Rorschach”. The write-up was pretty interesting, and had a good bit of content to unravel, so I thought I’d share the thoughts that had developed while I read and re-read…

Read more →

I’ve struggled with the concept of “validation” for some time; not the concept in general, but as it applies specifically to SOC and DFIR analysis. I’ve got a background that includes technical troubleshooting, so “validation” of findings, or the idea…

Read more →

If you’ve been in the security community for even a brief time, or you’ve taking training associated with a certification in this field, you’ve likely encountered the concept of password hashes. The “Reader’s Digest” version of password hashes are that…

Read more →

Very often we’ll see mention in open reporting of a threat actor’s tactics, be they “new” or just what’s being observed, and while we may consider how our technology stack might be used to detect these tactics, or maybe how…

Read more →

I’ve been reading a bit lately on social media about how cyber security is “hard” and it’s “expensive”, and about how threat actors becoming “increasingly sophisticated”.  The thing is, going back more than 20 yrs, in fact going back to…

Read more →

I’ve written about using tools before in this blog, but there are times when something comes up that provokes a desire to revisit a topic, to repeat it, or to evolve and develop the thoughts around it. This is one…

Read more →

This interview regarding one of the victims of the University of Idaho killings having a Bluetooth speaker in her room brings up a very important aspect of digital forensic analysis; that technology that we know little about is very pervasive…

Read more →

I shared yet another post on writing recently; I say “yet another” because I’ve published blog posts on the topic of “writing” several times. But something I haven’t really discussed is why should we write, nor what we should write…

Read more →

Now and again, we see online content that moves the community forward, a step or several steps. One such article appeared on Medium recently, titled Forensic Traces of Exploiting NTDS. This article begins developing the artifact constellations, and walks through…

Read more →

The military has a couple of adages…one, “you fight like you train”, and another being, “the more you sweat in peace, the less you bleed in war.” The idea behind these adages is that progressive, realistic training prepares you for…

Read more →

The military has a couple of adages…one, “you fight like you train”, and another being, “the more you sweat in peace, the less you bleed in war.” The idea behind these adages is that progressive, realistic training prepares you for…

Read more →

So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are…

Read more →

So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Lists of tools, lists of books, lists of sites with courses, lists of free courses, etc. CD-based distros are…

Read more →

Many times, in the course of our work as analysts (SOC, DFIR, etc.), we run tools…and that’s it. But do we often stop to think about why we’re running that tool, as opposed to some other tool? Is it because…

Read more →

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Read more →

Writing.  Like math in middle school, this is one of those subjects that we pushed back on, telling ourselves, “I’ll never have to use this…”, and then quite shockingly finding that it’s amazing how much writing we actually do. However,…

Read more →

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Read more →

Thoughts on Detection EngineeringI read something online recently that suggested that the role of detection engineering is to reduce the false positive (FPs) alerts sent to the SOC. In part, I fully agree with this; however, “cyber security” is a…

Read more →

Writing.  Like math in middle school, this is one of those subjects that we pushed back on, telling ourselves, “I’ll never have to use this…”, and then quite shockingly finding that it’s amazing how much writing we actually do. However,…

Read more →

Thoughts on Detection EngineeringI read something online recently that suggested that the role of detection engineering is to reduce the false positive (FPs) alerts sent to the SOC. In part, I fully agree with this; however, “cyber security” is a…

Read more →

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Read more →

I’ve always been fascinated by the information maintained in the Windows Registry. But in order to understand this, to really get a view into this, you have to know a little bit about my background. The first computer I remember…

Read more →

As 2022 comes to a close, I reflect back over the past year, and the previous years that have gone before. I know we find it fascinating to hear “experts” make predictions for the future, but I tend to believe…

Read more →

Grzegorz/@0gtweet tweeted something recently that I thought was fascinating, suggesting that a Registry modification might be considered an LOLBin. What he shared was pretty interesting, so I tried it out. First, the Registry modification: reg add “HKLM\System\CurrentControlSet\Control\Terminal Server\Utilities\query” /v LOLBin…

Read more →

Yes, yes, I know…you’re probably thinking, “you wrote it, dude”, and while that’s true, that’s not the reason why I really love RegRipper. Yes, it’s my “baby”, but there’s so much more to it than that. For me, it’s about…

Read more →

Dr. Ali Hadi recently posted another challenge image, this one (#7) being a lot closer to a real-world challenge than a lot of the CTFs I’ve seen over the years. What I mean by that is that in the 22+…

Read more →

Investigating Windows SystemsIt’s the time of year again when folks are looking for stocking stuffers for the DFIR nerd in their lives, and my recommendation is a copy of Investigating Windows Systems! The form factor for the book makes it…

Read more →

Dr. Ali Hadi recently posted another challenge image, this one (#7) being a lot closer to a real-world challenge than a lot of the CTFs I’ve seen over the years. What I mean by that is that in the 22+…

Read more →

When I first started writing books, my “recipe” for how to present the information followed the same structure I saw in other books at the time. While I was writing books to provide content along the lines of what I…

Read more →

I recently posted to LinkedIn, asking my network for their input regarding the value proposition of RegRipper; specifically, how is RegRipper v3.0 of “value” to them, how does it enhance their work? I did this because I really wanted to…

Read more →

I recently posted to LinkedIn, asking my network for their input regarding the value proposition of RegRipper; specifically, how is RegRipper v3.0 of “value” to them, how does it enhance their work? I did this because I really wanted to…

Read more →

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Read more →

After reading some of the various open reports regarding how malware or threat actors were “using” the Registry, manipulating it to meet their needs, I wanted to take a look and see what the effects or impacts of these actions…

Read more →

During IR engagements, like many other analysts, I’ve seen different means of data exfiltration. During one engagement, the customer stated that they’d “…shut off all of our FTP servers…”, but apparently “all” meant something different to them, because the threat…

Read more →

During IR engagements, like many other analysts, I’ve seen different means of data exfiltration. During one engagement, the customer stated that they’d “…shut off all of our FTP servers…”, but apparently “all” meant something different to them, because the threat…

Read more →

During IR engagements, like many other analysts, I’ve seen different means of data exfiltration. During one engagement, the customer stated that they’d “…shut off all of our FTP servers…”, but apparently “all” meant something different to them, because the threat…

Read more →

Not long ago, I made a brief mention of Events Ripper, a proof-of-concept tool I wrote to quickly provide situational awareness and pivot points for analysts who were already on the road to developing a timeline. The idea behind the…

Read more →

I received a job description from a recruiter recently, along with the request that if I knew anyone who fit the bill and was interested, could I please forward the job description to them. The recruiter was looking for someone…

Read more →

I received a job description from a recruiter recently, along with the request that if I knew anyone who fit the bill and was interested, could I please forward the job description to them. The recruiter was looking for someone…

Read more →

I received a job description from a recruiter recently, along with the request that if I knew anyone who fit the bill and was interested, could I please forward the job description to them. The recruiter was looking for someone…

Read more →

For this post, I’ll throw out a bunch of little snippets, or “post-lets”, covering a variety of DFIR topics rather than one big post that covers one topic. What’s Old Is New AgainDuring Feb, 2016, Mari published a fascinating blog…

Read more →

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Read more →

Every now and again, I have a need (re: “opportunity”) to compile a list of recorded speaking events. The reasons vary…there’s a particular message in one or more of the recordings, or someone wants to see/hear what was said, or…

Read more →

I had the opportunity to speak at the recent ResponderCon, put on by Brian Carrier of BasisTech. I’ll start out by saying that I really enjoyed attending an in-person event after 2 1/2 yrs of virtual events, and that Brian’s…

Read more →

I’ve blogged a bit…okay, a LOT…over the years on the topic of parsing LNK files, but a subject I really haven’t touched on is LNK builders or generators. This is actually an interesting topic because it ties into the cybercrime…

Read more →

Not long ago, Florian Roth shared some fascinating thoughts via his post, The Bicycle of the Forensic Analyst, in which he discusses increases in efficiency in the forensic review process. I say “review” here, because “analysis” is a term that…

Read more →

I had the opportunity to speak at the recent ResponderCon, put on by Brian Carrier of BasisTech. I’ll start out by saying that I really enjoyed attending an in-person event after 2 1/2 yrs of virtual events, and that Brian’s…

Read more →

Not long ago, Florian Roth shared some fascinating thoughts via his post, The Bicycle of the Forensic Analyst, in which he discusses increases in efficiency in the forensic review process. I say “review” here, because “analysis” is a term that…

Read more →

Not long ago, I posted about When Windows Lies, and that post really wasn’t so much about Windows “lying”, per se, as it was about challenging analyst assumptions about artifacts, and recognizing misconceptions. Along the same lines, I’ve also posted…

Read more →

I’ve blogged a bit…okay, a LOT…over the years on the topic of parsing LNK files, but a subject I really haven’t touched on is LNK builders or generators. This is actually an interesting topic because it ties into the cybercrime…

Read more →