Category: Windows Incident Response

What is “Events Ripper”?

I posted to LinkedIn recently (see figure 1), sharing the value I’d continued to derive from Events Ripper, a tool I’d written largely for my own use some time ago. Fig. 1: LinkedIn post From the comments to this and…

The Myth of “Fileless” Malware

Is “fileless” malware really fileless? Now, don’t get me wrong…I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on the local hard…

Threat Actors Dropping Multiple Ransomware Variants

I ran across an interesting LinkedIn post recently, “interesting” in the sense that it addressed something I hadn’t seen a great deal of reporting on; that is, ransomware threat actors dropping multiple RaaS variants within a single compromised organization. Now,…

A Look At Threat Intel Through The Lens Of Kimsuky

Rapid7 recently shared a fascinating post regarding the Kimsuky threat actor group making changes in their playbooks, specifically in their apparent shift to the use of .chm/”compiled HTML Help” files. In the post, the team does a great job of…

Uptycs Cybersecurity Standup

I was listening to a couple of fascinating interviews on the Uptycs Cybersecurity Standup podcast recently, and I have to tell you, there were some pretty insightful comments from the speakers. The first one I listened to was Becky…

Investigative Scenario, 2024-03-12

Investigative Scenario Chris Sanders posted another investigative scenario on Tues, 12 Mar, and this one, I thought, was interesting (see the image to the right). First off, you can find the scenario posted on X/Twitter, and here on LinkedIn. Now,…

PCAParse

I was doing some research recently regarding what’s new to Windows 11, and ran across an interesting artifact, which seems to be referred to as “PCA”. I found a couple of interesting references regarding this artifact, such as this one…

Lists of Images

There’re a lot of discussions out there on social media regarding how to get started or improve yourself or set yourself apart in cybersecurity, and a lot of the advice centers around doing things yourself; setting up a home lab, using…

EDRSilencer

There’s been a good bit of discussion in the cybersecurity community regarding “EDR bypasses”, and most of these discussions have been centered around technical means a threat actor can use to “bypass” EDR. Many of these discussions do not seem…

Human Behavior In Digital Forensics, pt III

So far, parts I and II of this series have been published, and at this point, there’s something that we really haven’t talked about. That is, the “So, what?”. Who cares? What are the benefits of understanding human behavior rendered…

Human Behavior In Digital Forensics, pt II

On the heels of my first post on this topic, I wanted to follow up with some additional case studies that might demonstrate how digital forensics can provide insight into human activity and behavior, as part of an investigation. Targeted…

Human Behavior In Digital Forensics

I’ve always been a fan of books or shows where someone follows clues and develops an overall picture to lead them to their end goal. I’ve always liked the “hot on the trail” mysteries, particularly when the clues are…

2023 Wrap-up

Another trip around the sun is in the books. Looking back over the year, I thought I’d tie a bow on some of the things I’d done, and share a bit about what to expect in the coming year. In…

Round Up

MSSQL is still a thing. TheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I’m always interested in things like this because it’s possible that the author will provide clear observables so that folks can…

…and the question is…

I received an interesting question via LinkedIn not long ago, but before we dive into the question and the response… If you’ve followed me for any amount of time, particularly recently, you’ll know that I’ve put some effort forth in…

Roll-up

One of the things I love about the industry is that it’s like fashion…given enough time, the style that came and went comes back around again. Much like the fashion industry, we see things time and again…just wait. A good…

Roll-up

I don’t like checklists in #DFIR. Rather, I don’t like how checklists are used in #DFIR. Too often, they’re used as a replacement for learning and knowledge, and looked at as, “…if I do just this, I’m good…”. Nothing could…

The State of Windows Digital Analysis

Something that I’ve seen and been concerned about for some time now is the state of digital analysis, particularly when it comes to Windows systems. From open reporting to corporate blog posts and webinars, it’s been pretty clear that there…
