Memory Forensics with Vshot and Remnux (rogue process identification,2)

We start this post where we left the first one, we are moving now into the analysis phase once we have parsed the memory dump with Volatility and the Vshot script included in Remnux. The current script version 4.01 is running 44 plugins against the memory dump. Let's have a quick look at the plugins … Continue reading Memory Forensics with Vshot and Remnux (rogue process identification,2)

Exploring incident response procedures with PagerDuty.

I originally retweeted this information in my account, I often do so with information I want to read but I can not read at the time I find it. When I first skimmed through, what caught my attention was the fact that the organization in this case PagerDuty, was disclosing their internal Incident Response processes. … Continue reading Exploring incident response procedures with PagerDuty.

Memory Forensics with Vshot and Remnux (1)

This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once he has been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script which … Continue reading Memory Forensics with Vshot and Remnux (1)

Lateral Movement Artefacts

This is a very good and extensive list of lateral movement artefacts by Patrick Olsen. His blog in general is also very good to find DFIR resources. http://sysforensics.org/2014/01/lateral-movement/

The top 10 windows logs event’s used to catch hackers

Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of the windows event id's for their detection. Another must read. http://www.slideshare.net/Hackerhurricane/the-top-10-windows-logs-event-ids-used-v10

Windows Commands abused by attackers (Japan CERT)

One more interesting article about the most abused commands in windows. It is a must read if you are interesting in endpoint hunting. http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html

Detecting Lateral Movement in APT’S by Japan CERT

I am not going to add much to this article, I know is not very original but you should go straight into the presentation. It is worth your time if you are looking to understand lateral movement, examples with windows event id's and Kerberos KDC vulnerability. https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf