Tag: Windows Incident Response

When Windows Lies

“When Windows Lies”…what does that really mean?  Mari had a fascinating blog post on this topic some years ago; she talked about the process DFIR analysts had been using to that point to determine the installation date of the operating…

Kudos and Recognition

During my time in the industry, I’ve seen a couple of interesting aspects of “information sharing”. One is that not many like to do it. The other is that, over time, content creation and consumption has changed pretty dramatically. Back…

Who “Owns” Your Infrastructure?

That’s a good question. You go into work every day, sit down at your desk, log in…but who actually “owns” the systems and network that you’re using? Is it you, your employer…or someone else? Anyone who’s been involved in this…

Researching the Windows Registry

The Windows Registry is a magical place that I love to research because there’s always something new and fun to find, and apply to detections and DFIR analysis! Some of my recent research topics have included default behaviors with respect…

An Attacker’s Perspective

Something I’ve thought about quite often during my time in DFIR is the threat actor’s perspective…what is the attacker seeing and thinking during their time in an infrastructure. As a DFIR analyst, I don’t often get to ‘see’ the threat…

Virtual Images for Testing

Many within the DFIR community make use of virtual systems for testing…for detonating malware, trying things within a “safe”, isolated environment, etc. However, sometimes it can be tough to get hold of suitable images for creating that testing environment. I’ve…

EDR Blindness, pt II

As a follow-on to my earlier blog post, I’ve seen a few more posts and comments regarding EDR ‘bypass’ and blinding/avoiding EDR tools, and to be honest, my earlier post stands. However, I wanted to add some additional thoughts…for example,…

Rods and Cones, and EDR “blindness”

I ran across an interesting post recently regarding blinding EDR on Windows systems, which describes four general techniques for avoiding EDR monitoring. Looking at the techniques, I’ve seen several of these techniques in use on actual, real world incidents. For…

History Repeats Itself

It’s said that those who do not study history are doomed to repeat it. I’d suggest that the adage should be extended to, “those who do not study history and learn from her lessons are doomed to repeat it.” My…

Turning Open Reporting Into Detections

I saw this tweet from Ankit recently, and as soon as I read through it, I thought I was watching “The Matrix” again. Instead of seeing the “blonde, brunette, redhead” that Cypher saw, I was seeing actionable detection opportunities and…

Fully Exploiting Data Sources

Very often, we view data sources as somewhat one dimensional, and don’t think about how we can really get value from that data source. We’re usually working on a case, just that investigation that’s in front of us, and we’re…

StartupApproved\Run, pt II

On the heels of my last blog post on this topic, I had a couple of thoughts and insights that I wanted to research a bit, and then address. I wanted to take a look at ways that the StartupApproved\Run…

Does “Autostart” Really Mean “Autostart”?

Most DFIR and SOC analysts are familiar with the Run keys as autostart locations within the Windows Registry: [HKLM|HKCU]\Software\Microsoft\Windows\CurrentVersion\Run. Values beneath these keys are automatically run asynchronously upon system start and user login, respectively. This is something we’ve known for…
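As an added example that is not part of the original post, the script below pairs the values under a Run key with the matching values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run, the key where Windows records entries a user has switched off from the Task Manager Startup tab. The value layout it decodes (byte 0 is 0x02 for enabled, with 0x06 also seen as enabled on newer builds, and 0x03 for disabled; bytes 4..11 hold a FILETIME for when the entry was disabled) is assumed from commonly documented behaviour rather than taken from the post. The Run commands and StartupApproved bytes are constructed sample data, not values from a real system; on a live host or an NTUSER.DAT hive you would populate the two dicts from the registry instead.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Assumed value layout under ...\Explorer\StartupApproved\Run (12 bytes):
#   byte 0     state: 0x02 = enabled (0x06 also seen as enabled), 0x03 = disabled
#   bytes 4-11 FILETIME of when the user disabled the entry (zero when enabled)
ENABLED_STATES = {0x02, 0x06}
DISABLED_STATE = 0x03


def parse_startup_approved(raw: bytes) -> Tuple[str, Optional[datetime]]:
    if len(raw) < 12:
        raise ValueError("StartupApproved value is shorter than 12 bytes")
    state = raw[0]
    (ft,) = struct.unpack_from("<Q", raw, 4)
    when = filetime_to_dt(ft) if ft else None
    if state == DISABLED_STATE:
        return "disabled", when
    if state in ENABLED_STATES:
        return "enabled", when
    return "unknown(0x%02x)" % state, when


def classify_run_entries(run_values: Dict[str, str],
                         startup_approved: Dict[str, bytes]) -> Dict[str, dict]:
    """Join Run values with their StartupApproved state.

    untracked: Run value with no StartupApproved record (never toggled; it runs)
    stale:     StartupApproved record whose Run value no longer exists
    """
    report = {}
    for name, command in run_values.items():
        raw = startup_approved.get(name)
        if raw is None:
            report[name] = {"command": command, "state": "untracked", "disabled_at": None}
            continue
        state, when = parse_startup_approved(raw)
        report[name] = {"command": command, "state": state,
                        "disabled_at": when if state == "disabled" else None}
    for name in sorted(startup_approved.keys() - run_values.keys()):
        state, when = parse_startup_approved(startup_approved[name])
        report[name] = {"command": None, "state": "stale",
                        "disabled_at": when if state == "disabled" else None}
    return report


def will_run(entry: dict) -> bool:
    """True only for entries that will actually execute at logon."""
    return entry["command"] is not None and entry["state"] in ("enabled", "untracked")


# Constructed sample data, not values from a real system.
DISABLED_ON = datetime(2020, 2, 19, 14, 30, tzinfo=timezone.utc)
RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\user\AppData\Roaming\svc\updater.exe",
    "Orphan": r"C:\Tools\orphan.exe",
}
STARTUP_APPROVED = {
    "OneDrive": bytes([0x02, 0, 0, 0]) + bytes(8),
    "Updater": bytes([0x03, 0, 0, 0]) + struct.pack("<Q", dt_to_filetime(DISABLED_ON)),
    "Ghost": bytes([0x03, 0, 0, 0]) + struct.pack("<Q", dt_to_filetime(DISABLED_ON)),
}

if __name__ == "__main__":
    for name, entry in classify_run_entries(RUN_VALUES, STARTUP_APPROVED).items():
        flag = "RUNS" if will_run(entry) else "does not run"
        print(f"{name:10} {entry['state']:10} {flag:13} "
              f"disabled_at={entry['disabled_at']} {entry['command']}")
```

The point of the join is the one the post title raises: a value sitting under Run is not, by itself, evidence that the program executes at logon until its StartupApproved state has been checked, and a disabled entry still carries a timestamp that belongs in the timeline.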

Distros and RegRipper, pt deux

Now and again I pop my head up and take a look around to see where RegRipper has been, and is being, used. My last blog post on this topic had quite a few listings, but sometimes changing the search…

USB Device Redux, with Timelines

If you ask DFIR analysts, “What is best in life?”, the answer you should hear is, “…creating timelines!” After all, industry luminaries such as Andrew said, “Time is the most important…

USB Devices Redux

Back in 2005, Cory Altheide and I published the first paper on tracking USB storage devices across Windows systems; at the time, the focus was Windows XP. A lot has happened…

Understanding Data Sources and File Formats

Following on the heels of my previous post regarding file formats and sharing the link to the post on LinkedIn, I had some additional thoughts that would benefit greatly from not…

Putting It All Together

It’s great when a plan, or a puzzle, comes together, isn’t it?  I’m not just channeling my inner Hannibal Smith…I’m talking about bringing various pieces or elements together to build a cohesive,…

Changes In The Use Of LNK Files

Not long ago, I posted regarding how LNK files can be (ab)used; the post refers to LNK file metadata, and how, if the LNK file is sent by the threat actor,…

Root Cause Analysis

One of the challenges within DFIR, particularly as we’ve moved to an enterprise approach by leveraging EDR telemetry, is the root cause analysis, or “RCA”. In short, the challenge is observing…

File Formats

Having an understanding of file formats is an important factor in DFIR work. In particular, analysts should understand what a proper file using a particular format should look like, so that…

LNK (Ab)use

I’ve discussed LNK files a number of times in this blog, and to be honest, I really don’t think that this is a subject that gets the attention it deserves. In…

Scheduled Tasks and Batteries

Krzysztof shared another blog post recently, this one that addresses the battery use and the battery level of a system, and how it applies to an investigation. At first thought, I’m…

Windows Event Log Evasion Review

Before I kick this blog post off, I’d like to thank Lina L for her excellent work in developing and sharing her work, both on Twitter, as well as in a…

DFIR Reporting

A request that’s been pretty consistent within the industry over time has had to do with reporting. I’d see a request, some responses, someone might ask for a template, and then…

The (Mis)Use of Artifact Categories, pt II

My previous post on this topic presented my thoughts on how the concept of “artifact categories” was being misused. My engagement with artifact categories goes back to 2013, when Corey Harrell implemented…

The (Mis)Use of Artifact Categories

Very often in DFIR, we categorize artifacts in an easy-to-understand and easy-to-digest manner, as using or relying on these categories often helps us navigate our investigations. There are also times when…

LNK Files, Again

What, again?!?! I know, right?!? Not long ago, I read this fascinating article from Joe Helle that discussed malicious uses for Windows shortcuts, or LNK files, and also discussed a Python3…

The Threat Landscape and Attribution

Over the years, changes in the threat landscape have made attribution more difficult. Attribution has always been challenging, but has been and can continue to be eased through visibility. That is,…

How Do You Know What “Bad” Looks Like?

From the time I started in DFIR, one question was always at the forefront of incident responders’ minds…how do you know what “bad” looks like? When I was heading on-site during those…

Registry Analysis – The “Why”

Why is Registry analysis important? The Windows Registry, in part, controls a good bit of the functionality of a Windows system. As such, Registry analysis can help you understand why you’re…

On Writing DFIR Books, pt III

Editing and Feedback. When it comes to writing books, having someone you can trust to give you honest, thoughtful, insightful feedback is a huge plus. It can do a lot to boost your…

Reasons to go looking in the Registry

Chris Sanders tweeted out an interesting pair of questions recently, and the simple fact is that for me to fully answer the question, the tweet thread would be just too extensive.…

Tips for DFIR Analysts, pt VI

Context & Finding Persistence. I was looking into an unusual mechanism for launching applications recently, and that research brought back a recurring issue I’ve seen time and again in the industry, specifically…

Threat Hunting, IRL

While I worked for one company, I did a lot of public speaking on the value of threat hunting. During these events, I met a lot of folks who were interested…

Tips for DFIR Analysts, pt. V

Over the years, I’ve seen DFIR referred to in terms of special operations forces. I’ve seen incident response teams referred to as “Cyber SEALs”, as well as via various other terms.…

Tips for DFIR Analysts, pt IV

Context is king, it makes all the difference. You may see something run in EDR telemetry, or in logs, but the context of when it ran in relation to other activities…

Data Exfiltration, Revisited

I’ve posted on the topic of data exfiltration before (here, etc.) but often it’s a good idea to revisit the topic. After all, it was almost two years ago that we…

Tips for DFIR Analysts, pt III

Learn to think critically. Don’t take what someone says as gospel, just because they say it. Support findings with data, and clearly communicate the value or significance of something. Be sure…

EDR Bypasses

During my time in the industry, I’ve been blessed to have opportunities to engage with a number of different EDR tools/frameworks at different levels. Mike Tanji offered me a look at…

Imposter Syndrome

Imposter Syndrome.  This is something many of us have experienced to one degree or another, at various times. Many have experienced it, some have overcome it, others may not be able to…

Distros and RegRipper

Over the years, every now and then I’ve taken a look around to try to see where RegRipper is used. I noticed early on that it’s included in several security-oriented Linux…

On Writing DFIR Books, pt II

Part I of this series kicked things off for us, and honestly I have no idea how long this series will be…I’m just writing the posts without a specific plan or outline…

On Writing DFIR Books, pt I

During my time in the industry, I’ve authored 9 books under three imprints, and co-authored a tenth. There, I said it. The first step in addressing a problem is admitting you…

Tips for DFIR Analysts, pt II

On the heels of my first post with this subject, I thought I’d continue adding tips as they came to mind… I’ve been engaged with EDR frameworks for some time now.…

Building a Career in CyberSecurity

There’s been a lot of discussion on social media around how to “break into” the cybersecurity field, not only for folks just starting out but also for those looking for a…

Tips for DFIR Analysts

Over the years as a DFIR analyst…first doing digital forensics analysis, and then incorporating that analysis as a component of IR activity…there have been some stunningly simple truths that I’ve learned,…

What We Know About The Ransomware Economy

Okay, I think that we can all admit that ransomware has consumed the news cycle of late, thanks to high visibility attacks such as Colonial Pipeline and JBS. Interestingly enough, there…

Toolmarks: LNK Files in the news again

As most regular readers of this blog can tell you, I’m a bit of a fan of LNK files…a LNK-o-phile, if you will. I’m not only fascinated by the richness of…

Testing, and taking DFIR a step further

One of Shakespeare’s lines from Hamlet I remember from high school is, “…there are more things on heaven and earth, Horatio, than are dreamt of in your philosophy.” And that’s one…

On #DFIR Analysis

I wanted to take the opportunity to discuss DFIR analysis; when discussing #DFIR analysis, we have to ask the question, “what _is_ “analysis”?” In most cases, what we call analysis is really just…

LNK Files, Again

I ran across SharpWebServer via Twitter recently…the first line of the readme.md file states, “A Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes.” I…

Extracting Toolmarks from Open Source Reporting, pt II

On the heels of my previous post on this subject, I ran across this little gem from Microsoft regarding the print spooler EOP exploitation. I like articles like this…

Extracting Toolmarks from Open Source Intel

I’ve talked about toolmarks before…what they are, why (I believe) they’re important, that sort of thing.  I’ve also described how I’ve implemented them, and about toolmarks specific to different artifacts,…

Speaking at Conferences, 2020 edition

As you can imagine, 2020 has been a very “different” year, for a lot of reasons, and impacts of the events of the year have extended far and wide.  One of…

Happy Birthday, Marine Corps!

I thought today of all days would be a good time to break from tradition and share a post that has nothing to do with DFIR or Windows, one that isn’t…

Name Resolution

How often do DFIR analysts think about name resolution, particularly on Windows systems?  I know that looking back across engagements I’ve done in the past, I’ve asked for DNS server logs but very often,…

Settings That Impact The Windows OS

There are a number of settings within Windows systems that can and do significantly impact the functionality of Windows, and as a result, can also impact what is available to…

#OSDFCON

The agenda for the 11th annual Open Source Digital Forensics Conference has been posted.  I’ve attended OSDFCON before (several times), it’s one of the conferences where I’ve enjoyed presenting over the years. Maybe someone reading this remembers…

Toolmarks

I recently ran across an interesting article from Sophos, indicating that the Maze ransomware threat group had taken a page from the Ragnar ransomware threat group.  The article stated that the Maze group was seen…

The Death of AV??

I had a conversation recently, which started out being about endpoint technologies.  At one point in the conversation, the topic of AV came up.  The question was, is there still value in…

Toolmarks: The “How”

I recently published a post where I discussed DFIR toolmarks, and not long after sharing it on Twitter, someone asked me for a list of resources that describe the “how”; that is, how to…

Toolmarks and Intrusion Intelligence

Very often, DFIR and intel analysts alike don’t appear to consider such things as toolmarks associated with TTPs, nor intrusion intelligence. However, considering such things can lead to greater edge sharpness with…

On Artifact Constellations And “Toolmarks”

Something I’ve been pretty focused on in my analysis for some time is the concept of “artifact constellations”.  I originally referred to this concept as “artifact clusters”, but I heard someone…

Plugin Spotlight – printer_settings, featureusage

Given the number of RegRipper plugins that are part of the distro, I thought it would be a good idea every now and then to spotlight a plugin or two, and…

Tips on Using RegRipper v3.0

With the “new” release, I thought it would be good to share a couple of tips as to how you can get the most out of RegRipper v3.0. I should note…

RegRipper v3.0

I recently released RegRipper v3.0, something I’ve been working on since Aug, 2019. I am no longer supporting RegRipper 2.8.  I’ll leave the repo up for the time being, but I will not be…

Registry Analysis, pt II

In my last blog post, I provided a brief description of how I perform “Registry analysis”, and I thought it would be a good idea to share the actual mechanics of getting…

Registry Analysis

When you see the words, “Registry analysis”, what comes to mind?  Okay, now…what actually happens when we ‘do’ this thing we call “Registry analysis”?  More often than not, what this refers to manifests itself as opening a Registry hive file…

Going Beyond


Ransomware

Hardly a week (sometimes a day??) passes without some mention of ransomware, and another organization or municipality (or three) feeling the impact of a ransomware attack. In fact, just recently, the City of Durham, NC, was hit with a Ryuk…

Revisiting Program Execution

As I prepare a presentation for a government agency, I’ve been thinking quite a bit about the idea of “program execution”.  I’ve actually blogged on this topic before, and I thought that maybe now was a good time to revisit…

RegRipper Update

Based on a Twitter thread from 19 Feb 2020, during which Phill Moore made the request, I updated RegRipper to check for “dirty” hives, and provided a warning that RegRipper does NOT automatically process Registry transaction logs.  This can be…
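To make the “dirty hive” warning concrete, here is an added example (my code, not RegRipper’s) that reads the 512-byte base block of a hive file and reports whether the primary and secondary sequence numbers agree. When they differ, the last write to the hive never completed, and the .LOG1/.LOG2 transaction logs should be replayed with a tool that supports them before the hive is parsed; otherwise the most recent changes are simply missing from the analysis. The offsets follow the documented REGF base-block layout; the header bytes come from build_sample_header(), a constructed sample rather than a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 512      # the REGF base block is one 512-byte sector
CHECKSUM_OFFSET = 0x1FC    # XOR-32 checksum of the first 0x1FC bytes lives here


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs preceding the checksum field.
    The format reserves 0 and 0xFFFFFFFF: they are stored as 1 and 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def inspect_hive_header(data: bytes) -> dict:
    """Parse the base block and flag a hive whose sequence numbers disagree."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF hive (bad signature or truncated base block)")
    primary, secondary = struct.unpack_from("<II", data, 4)
    (last_written,) = struct.unpack_from("<Q", data, 12)
    major, minor, file_type = struct.unpack_from("<III", data, 20)
    (hbins_size,) = struct.unpack_from("<I", data, 40)
    (stored_checksum,) = struct.unpack_from("<I", data, CHECKSUM_OFFSET)
    # 64 bytes of UTF-16LE at offset 48: Windows stores the tail of the hive path here.
    name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "is_transaction_log": file_type == 1,   # 0 = primary hive, 1 = .LOG file
        "primary_seq": primary,
        "secondary_seq": secondary,
        # The primary number is bumped before a write and the secondary after it;
        # a mismatch means the last write never completed (a "dirty" hive).
        "dirty": primary != secondary,
        "checksum_ok": stored_checksum == regf_checksum(data),
        "hbins_size": hbins_size,
        "last_written": filetime_to_dt(last_written),
    }


def build_sample_header(primary: int, secondary: int,
                        name: str = "System32\\Config\\SYSTEM") -> bytes:
    """Constructed base block for the demo (not bytes from a real hive)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary, secondary)
    struct.pack_into("<Q", hdr, 12, 132_000_000_000_000_000)   # a FILETIME in 2019
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)             # major, minor, type, format
    struct.pack_into("<III", hdr, 36, 0x20, 0x1000, 1)         # root cell, hbins size, cluster
    encoded = name.encode("utf-16-le")[:64]
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    for label, hdr in (("clean", build_sample_header(12, 12)),
                       ("dirty", build_sample_header(13, 12))):
        info = inspect_hive_header(hdr)
        verdict = "DIRTY: replay .LOG1/.LOG2 before parsing" if info["dirty"] else "clean"
        print(f"{label}: {info['name']} v{info['version']} seq={info['primary_seq']}/"
              f"{info['secondary_seq']} checksum_ok={info['checksum_ok']} -> {verdict}")
```

The checksum test is a second, cheap sanity check worth running on any hive pulled from a live system or carved from an image: a header that does not checksum was either truncated mid-copy or modified after the fact, and a parser that silently accepts it will produce results you cannot defend.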

RID Hijacking

I read a fascinating blog post recently that described something called RID hijacking, which can be used as a method for maintaining elevated privileges on a system.  The PenTestLabs article not only outlines how to perform RID hijacking manually, but…

Using Intrusion Intelligence

In his book, “Call Sign Chaos”, Jim Mattis made the statement that ‘your own personal experiences are not enough to sustain you.”  This statement was made in the context of reading for professional development, and it applies to much more…

Update: Prefetch + Stealth ADS Analysis

Not long ago, I took a look at an image that Dr. Ali Hadi had put together to demonstrate an aspect of digital analysis to his students.  Dr. Hadi’s blog post describes how the use of the ADSs, particularly when launching…

First RegRipper 2020 Update

‘cogphn’ recently reached out to me via the RegRipper GitHub repo to let me know that they’d found an issue with a plugin, and this was followed by a similar issue posted by William Schaefer.  It seems that as soon as…
