List of all posts
- May 3, 2024
Incident Response & Threat Hunting Series, Evidence Collection
KAPE Targets
Let’s explore the concept of Triage Acquisition within the context of Incident Response and Threat Hunting. Triage Acquisition involves obtaining specific files or artifacts that provide insight into the state of the system we are analyzing.
- May 3, 2024
Incident Response & Threat Hunting Series, Autoruns
Description
Let’s say our objective is to determine whether there is persistence at system boot or login. One of the most straightforward and effective methods is to use Microsoft Sysinternals Autoruns.
- May 3, 2024
Incident Response & Threat Hunting Series, Search Files & Content
Search Files & Content: Introduction
This lesson is an introductory overview for a short sub-series on searching for files and their contents within the AD environment. The search method will vary based on the available data, whether it’s the file name, hash, or distinctive content of these files.
- May 3, 2024
Incident Response & Threat Hunting Series, Asset Inventory
Description
Starting from this lesson, we will use a variety of artifacts to form a clear picture of several important aspects of Incident Response and Threat Hunting.
In this lesson, our main topic will be Asset Inventory.
- May 3, 2024
Incident Response & Threat Hunting Series, Velociraptor EDR GUI Introduction
Description
After installing Velociraptor in the Active Directory Domain Environment in the previous videos, it’s time to explore the key points of the user interface as they appear to us as Incident Responders, and how to perform a simple Hunt as a prelude to more advanced topics.
- May 3, 2024
Incident Response & Threat Hunting Series, Velociraptor EDR Deployment in an AD Domain
Description
Collecting evidence and obtaining information and artifacts is one of the most important stages of incident handling, especially when dealing with hundreds or thousands of systems. In this series, we will use the open-source Velociraptor EDR for its many advantages that facilitate the tasks expected during Incident Response and Threat Hunting. There is more than one way to deploy Velociraptor, and we will explore two methods in this series:
- Agentless Deployment.
- Deployment as a service.
- May 3, 2024
Incident Response & Threat Hunting Series, Introduction
Description
This post is a reflection on the first video in a series of specialized educational videos covering various important topics in cybersecurity. The series includes practical implementation and direct execution of all the ideas we discuss. The goal is to spread knowledge related to cybersecurity.
- Apr 10, 2021
How to find out if there is persistence using WMI?
If you would like to know about WMI, this post explains WMI in detail.
- Apr 10, 2021
Windows Management Instrumentation (WMI)
What is Windows Management Instrumentation (WMI)?
- Mar 28, 2021
How to identify malicious processes by comparing an infected memory image with a clean baseline one?
Let’s look at the first advanced challenge (2nd Base) on the incident-response-challenge.com website and try to solve it.
- Mar 20, 2021
How to identify process hollowing in a memory image?
What is Process Hollowing?
Process hollowing occurs when malware launches a process in a suspended state, deallocates the process memory that contains the original program’s code (hollowing the process memory out), and replaces it with malicious code.
- Mar 12, 2021
How to find out if there is persistence using Image File Execution Options (IFEO)?
What is Image File Execution Options (IFEO)?
IFEO is a feature that lets developers attach a debugger to an application/process: the debugger is launched whenever the application we wish to debug is run.
- Mar 2, 2021
How to find out if there is persistence using Registry run keys or Startup Folders?
Out of the many persistence techniques, one of the most common is the use of Registry Run keys or Startup Folders. This causes an added application to be executed whenever a user logs in.
- Feb 21, 2021
How to prove there was a lateral movement using PsExec via EventLogs?
In a digital forensics investigation, one of the important things to look for is lateral movement between systems in the environment. This post shows how to prove whether there was lateral movement through the Sysinternals PsExec tool using only Windows Event Logs as evidence artifacts.
- Feb 16, 2021
What information can you retrieve from lateral movement performed via RDP?
In an investigation involving lateral movement over RDP, one of the most important pieces of evidence to examine is the RDP bitmap cache files.
- Feb 13, 2021
What folders were accessed by a specific user?
When investigating a user profile, we sometimes want to know whether that user accessed important folders, for example.
- Feb 6, 2021
Was a USB connected to system?
Sometimes we would like to determine whether a USB device was connected to a system, and provide information about that device such as its
- Maker
- Serial Number/UID
- USB Connection Date/Time
- Feb 3, 2021
Was a specific file deleted from filesystem?
Sometimes we would like to prove that a specific file existed at some point in the filesystem and was then deleted; that is, the image we received no longer contains the file we’re looking for.
- Jan 31, 2021
Was a malicious application executed on system?
Once a malicious application is found on a system, we sometimes want to answer the following questions
- Jan 28, 2021
Was a specific file accessed by this user?
Sometimes we encounter the question of whether, for example, a compromised account has accessed an important local/remote file.
- Jan 25, 2021
Was there timestomping on the analyzed system?
What is timestomping?
Timestomping is an attacker’s modification of the original timestamps of a file or folder in order to prevent the investigator from associating those timestamps with the attack period.