Channel: Windows Incident Response

A Look At Threat Intel, Through The Lens Of The r77 Rootkit

It's been almost a year, but this Elastic Security write-up on the r77 rootkit popped up on my radar recently, so I thought it would be useful to do a walk-through of how someone with my background...

PCAParse

I was doing some research recently regarding what's new to Windows 11, and ran across an interesting artifact, which seems to be referred to as "PCA". I found a couple of interesting references...

Investigative Scenario, 2024-03-12

Chris Sanders posted another investigative scenario on Tues, 12 Mar, and this one, I thought, was interesting (see the image to the right). First off, you can find the scenario...

Uptycs Cybersecurity Standup

I was listening to a couple of fascinating interviews on the Uptycs Cybersecurity Standup podcast recently, and I have to tell you, there were some pretty insightful comments from the speakers. The...

Threat Actors Dropping Multiple Ransomware Variants

I ran across an interesting LinkedIn post recently, "interesting" in the sense that it addressed something I hadn't seen a great deal of reporting on; that is, ransomware threat actors dropping...

A Look At Threat Intel Through The Lens Of Kimsuky

Rapid7 recently shared a fascinating post regarding the Kimsuky threat actor group making changes in their playbooks, specifically in their apparent shift to the use of .chm/"compiled HTML Help" files....

The Myth of "Fileless" Malware

Is "fileless" malware really fileless? Now, don't get me wrong...I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on...

What is "Events Ripper"?

I posted to LinkedIn recently (see figure 1), sharing the value I'd continued to derive from Events Ripper, a tool I'd written largely for my own use some time ago. Fig. 1: LinkedIn post. From the...

RegRipper Educational Materials

A recent LinkedIn thread led to a question regarding RegRipper educational materials, as seen in figure 1; specifically, are there any. Figure 1: LinkedIn request. There are two books that address the use...

Shell Items

I ran across a Cyber5W article recently titled, Windows Shell Item Analysis. I'm always very interested in not only understanding parsing of various data sources from Windows systems, but also learning...

Exploiting LNK Metadata

Anyone who's followed me for a bit knows that I'm a huge proponent of metadata, and in particular, exploiting metadata in LNK files that threat actors create, use as lures, and send to their targets. I...

Rundown

I ran across a fascinating post from Cyber Sundae DFIR recently that talked about the Capability Access Manager, and how with Windows 11 it includes a database of applications that have accessed devices...

Analysis Process

Now and again, someone will ask me, "...how do you do analysis?" or perhaps more specifically, "...how do you use RegRipper?" This is a tough question to answer, but not because I don't have an answer....

Artifact Tracking: Workstation Names

Very often in cybersecurity, we share some level of indicators of compromise (IOCs), such as IP addresses, domain names, or file names or hashes. There are other indicators associated with many...

FTSCon

I had the distinct honor and pleasure of speaking at the "From The Source" Conference (FTSCon) on 21 Oct, in Arlington, VA. This was a 1-day event put on prior to the Volexity memory analysis training,...

Program Execution: The ShimCache/AmCache Myth

I recently saw another LinkedIn post from someone supporting and sending readers to a site that was reportedly started using the SANS DFIR poster as a reference. As illustrated in figure 1, this site...

UEPOTB, LNK edition

A while back, Jesse Kornblum published a paper titled, "Using Every Part of the Buffalo in Windows Memory Analysis". This was, and still is, an excellent paper, based on its content and how it...

Carving

Recovering deleted data, or "carving", is an interesting digital forensics topic; I say "interesting" because there are a number of different approaches and techniques that may be valuable, depending...

Artifacts: Jump Lists

In order to fully understand digital analysis, we need to have an understanding of the foundational methodology, as well as the various constituent artifacts on which a case may be built. The...

The Role of AI in DFIR

The role of AI in DFIR is something I've been noodling over for some time, even before my wife first asked me the question of how AI would impact what I do. I guess I started thinking about it when I...

Lina's Write-up

Lina recently posted on LinkedIn that she'd published another blog post. Her blog posts are always well written, easy to follow, fascinating, and very informative, and this one did not disappoint. In...

The Problem with the Modern Security Stack

I read something interesting recently that stuck with me. Well, not "interesting", really...it was a LinkedIn post on security sales. I usually don't read or follow such things, but for some reason, I...

WMI

The folks over at CyberTriage recently shared a complete guide to WMI; it's billed as a "complete guide to WMI malware", and it covers a great deal more than just malware. They cover examples of...

Know Your Tools

In 1998, I was in a role where I was leading teams on-site to conduct vulnerability assessments for organizations. For the technical part of the assessments, we were using ISS's Internet Scanner...

I've Seen Things

I like the movie "Blade Runner". I've read Philip K. Dick's "Do Androids Dream of Electric Sheep", on which the movie is based. So what does this have to do with anything? Well, I've been around the...
