Here I leave you the best books I have ever read on network threat hunting – security monitoring. At the time I read them, these books helped me get back on my feet after a long time without firing up Wireshark and looking at a nice packet capture. I recommend them as they…
Memory Forensics with Vshot and Remnux (process objects, network artifacts and attacker activity, 3)
This is the third post on memory analysis, and I will quickly go through the following plugins from the Vshot script: dlllist, getsids, svcscan, consoles, shimcache, userassist, cmdscan, connections, connscan and netscan. If at this point you have found a suspicious process, you can dig deeper into it by analyzing its objects. It is recommended that by…
The DFIR compendium portal
Whether you are currently looking to start a new career or are an already established professional, you will find valuable information on the following website. http://aboutdfir.com/ It’s an extensive project that aims at becoming a DFIR compendium of all the resources scattered across the internet. The portal is very well divided into different sections such as Education, Reading…
How to define and build an effective Cyber Threat Intelligence Capability by Henry Dalziel and Eric Olson.
Have you heard all the buzz around threat intelligence? This book will explain CTI in plain English. It is a very simple book to read, and I believe it is useful not only for technical people but also for managers and sales. Whether you need to implement a threat intelligence program or sell your organization’s…
Memory Forensics with Vshot and Remnux (rogue process identification, 2)
We start this post where we left the first one: we are now moving into the analysis phase, having parsed the memory dump with Volatility and the Vshot script included in Remnux. The current script version, 4.01, runs 44 plugins against the memory dump. Let’s have a quick look at the plugins…
Exploring incident response procedures with PagerDuty.
I originally retweeted this information from my account; I often do so with information I want to read but cannot read at the time I find it. When I first skimmed through it, what caught my attention was the fact that the organization, in this case PagerDuty, was disclosing its internal Incident Response processes…
Memory Forensics with Vshot and Remnux (1)
This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once they have been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script, which…
Paper: Wave your false flags! Deception tactics muddying attribution in targeted attacks
This is an 11-page white paper that goes through the current challenges faced by researchers when attributing cyber attacks. It covers the current techniques, such as timestamps; strings, debug information and metadata; malware families and code reuse; and the threat infrastructure used. It also presents some of the most advanced APTs and their potential origin and the techniques believed…
The right ingredients for Threat Hunting
Threat hunting, and training such as GCFA, are proving to be beneficial in lowering internal detection time and dwell time. Not long ago we were discussing how long internal detection was taking and the average dwell time, but this is currently changing. Rob Lee and the SANS Institute, in their GCFA update…
Book: Android Malware and Analysis by Ken Dunham.
I needed an intro to Android malware analysis and some of the tools you can use for it. This book is very easy to read and provides a good foundation to start doing Android malware analysis. It covers the malware landscape up to 2014 and existing techniques and tools for static and dynamic analysis…
Hunting down Threat Infrastructure (2, with PassiveTotal)
It’s been a while since I wrote the first post on threat infrastructure, and I believe it will be beneficial for you to go through it first, if you have not done so yet. This will set the context to understand the issues we are trying to solve here. The first post explained how attackers…
Book: Incident Response & Computer Forensics 3rd edition
As part of the training I took this year, GCFA (https://www.sans.org/course/advanced-incident-response-threat-hunting-training), I was given this book together with the course. Thumbs up for the people at SANS again. I came across this book long before I attended my GCFA training; however, I never bought it, as I believe I did not see the benefit in it…