Keeping with the theme from my previous blog post of building on what others have done and written about, and of assembling the pieces that are already available to build on a foundation built by others, I found something interesting that seems like a great “next step”.
Anyone who’s followed this blog for any length of time knows that I’m a huge fan of metadata, and that anytime a threat actor sends you metadata from their endpoint or environment, it’s basically free money. For example, my posts on LNK metadata extraction and what can be derived from analysis of this data go back quite a ways. Another great example of the use of LNK metadata to further investigations comes from Mandiant, in this Cozy Bear blog post from Nov, 2018 (see fig. 5 and 6).
This article has been indexed from Windows Incident Response
Read the original article: Post navigation |