Detecting Ransomware Precursors

The business model for ransomware has evolved to include multi-level and multi-stage services and toolkits. Initial access is often accomplished by a first-stage compromise, followed by a second-stage download/drop of tools like Emotet, Trickbot, and Qakbot. This second stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of …

Detecting RunDLL32 ATT&CK Techniques

Launching a strange binary file on a target endpoint is a good way to raise alarm bells within the target organization's SOC. One of the more common #LOLBINS we see is RunDLL32.exe being used to execute malicious DLL files. This technique is well documented in MITRE's ATT&CK framework under T1085. In this post, we look …

Find Evil in 5 Easy Steps – Part 2

In Part 1 we talked about Loki, Logparser and DeepBlueCLI for analyzing offline forensic artifacts in an effort to get the low hanging fruit left behind by most threat actors. Part 2 will focus on KAPE and Windows Registry analysis. 4. Parse all the things with KAPE! KAPE is a free tool which helps DFIR …

“Find Evil” in 5 easy steps!! (Part 1)

Some SOC alerts are so precise that a very specific set of response actions is warranted. For example, if a malicious email is detected, check if the user clicked on it. EDR events or forensic artifacts from the filesystem can be used to answer that question. However, when you have more ambiguous "detections" such as …