We start this post where we left the first one, we are moving now into the analysis phase once we have parsed the memory dump with Volatility and the Vshot script included in Remnux. The current script version 4.01 is running 44 plugins against the memory dump. Let's have a quick look at the plugins … Continue reading Memory Forensics with Vshot and Remnux (rogue process identification,2)
I originally retweeted this information in my account, I often do so with information I want to read but I can not read at the time I find it. When I first skimmed through, what caught my attention was the fact that the organization in this case PagerDuty, was disclosing their internal Incident Response processes. … Continue reading Exploring incident response procedures with PagerDuty.
This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once he has been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script which … Continue reading Memory Forensics with Vshot and Remnux (1)
This is a very good and extensive list of lateral movement artefacts by Patrick Olsen. His blog in general is also very good to find DFIR resources. http://sysforensics.org/2014/01/lateral-movement/
Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of the windows event id's for their detection. Another must read. http://www.slideshare.net/Hackerhurricane/the-top-10-windows-logs-event-ids-used-v10
One more interesting article about the most abused commands in windows. It is a must read if you are interesting in endpoint hunting. http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html
I am not going to add much to this article, I know is not very original but you should go straight into the presentation. It is worth your time if you are looking to understand lateral movement, examples with windows event id's and Kerberos KDC vulnerability. https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf