Detecting Lateral movement through event logs

Japan Cert has recently released a new research paper in wich the show the value of envent logs for the detection of lateral movement. The research papers is outstanding following the quaility of all documentation that the Japan Cert often releases to the public. The research provides and insight into the current tools used by…

Memory Forensics with Vshot and Remnux (code injection, 4)

With this post we are getting nearly to the end of these series of memory analyis with Vshot and Remnux. In this post we are covering some of the plugins to detect the most targeted and stealthy attacks you can find today out there. More often than in previous years, I am coming across more…

Network Threat Hunting Books

  Here I leave you what are the best books I have ever read for network threat hunting – security monitoring. These books at the time I read them help me to get back on my feet after some long time without firing wireshark and seeing and nice packet capture. I recommend them as they…

Memory Forensics with Vshot and Remnux (1)

This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once he has been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script which…

The right ingredients for Threat Hunting

Threat Hunting and training such as GCFA are proving to be beneficial to lower the internal detection and dwell time. Not long ago we were discussing the long time that was taking to do internal detection and average dwell time but this is currently changing. Rob Lee and the SANS Institute in their GCFA update…

Book: Incident Response & Computer Forensics 3rd edition

As part of the training I took this year, GCFA ( https://www.sans.org/course/advanced-incident-response-threat-hunting-training) I was given this book together with the course. Thumbs up for the people at SANS again. I came across this book, a lot before I attended my GCFA training however I never bought it, I believe I did not see benefits in it…

Intrusion Detection with Windows Event ID’s

This paper is the best I have ever read on how to build IOC’s with Windows Event ID’s. I highly recommend you to read it, it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network this is the document! http://tinyurl.com/zpggnfq

Battlefield Digital Forensics

In a quick break this weekend I had a chance to read this new paper developed by NATO to explain and train special forces in the art of digital intelligence and evidence collection. It is clear from this publication how rapidly the world around us is transforming, special forces from now on will be trained…