The business model for Ransomware has evolved to include multi-level and multi-stage services and tool kits. Initial access is often accomplished by 1st stage compromise, followed by 2nd stage download/drop of tools like Emotet, Trickbot, and Qakbot. This 2nd stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of … Continue reading Detecting Ransomware Precursors
Detecting RunDLL32 ATT&CK Techniques
Launching a strange binary file on a target endpoint is a good way to raise alarm bells within the target organization's SOC. One of the more common #LOLBINS we see is to use RunDLL32.exe to execute malicious DLL files. This technique is well documented in MITRE's ATT&CK framework under T1085. In this post, we look … Continue reading Detecting RunDLL32 ATT&CK Techniques
Find Evil in 5 Easy Steps – Part 2
In Part 1 we talked about Loki, LogParser and DeepBlueCLI for analyzing offline forensic artifacts in an effort to get the low-hanging fruit left behind by most threat actors. Part 2 will focus on KAPE and Windows Registry analysis. 4. Parse all the things with KAPE! KAPE is a free tool which helps DFIR … Continue reading Find Evil in 5 Easy Steps – Part 2
“Find Evil” in 5 easy steps!! (Part 1)
Some SOC alerts are so precise that a very specific set of response actions is warranted. For example, if a malicious email is detected, check if the user clicked on it. EDR events or forensic artifacts from the filesystem can be used to answer that question. However, when you have more ambiguous "detections" such as … Continue reading “Find Evil” in 5 easy steps!! (Part 1)
LogParser EVTX Adventures
I've been doing IR for a long time and I can't believe I have only now discovered the power of LogParser. Perhaps I was too spoiled by Splunk to actually be forced to learn this awesome tool. But now that I have gotten familiar with it, I see why it is so beloved. It's powerful … Continue reading LogParser EVTX Adventures