Incident Response

“Zero-day” is the all-powerful boogieman of the information security industry. Too many of us invoke it when discussing scary threats against which we feel powerless. We need to define and disambiguate this term before attempting to determine whether we’ve accounted for the associated threats when designing security programs. Avoid Zero-Day Confusion I’ve seen “zero-day” used to…

The parent-child process relationship is very helpful when it comes to defining detection rules and watchlists. For instance, any time winword.exe spawns cmd.exe, powershell.exe, cscript.exe, wscript.exe or mshta.exe, it is an obvious anomaly that may be a sign of an Office macro-based infection. However, insert an unexpected process in between and…
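
The rule above (winword.exe spawning a script host) catches the direct case, but it is defeated by an intermediary process between the Office parent and the script host. The following added example is not code from the original post; it walks the full ancestry chain instead of only the immediate parent. The event schema (`pid`, `ppid`, `image`), the sample process tree (including the rundll32.exe intermediary) and the extension of the parent set to other Office binaries are constructed assumptions for illustration; map the fields onto your own Sysmon or EDR process-creation telemetry.

```python
"""Ancestry-aware Office -> script-host detection over process-creation events.

Added example, not code from the original post. ProcEvent fields and the
SAMPLE_EVENTS tree are constructed; adapt the field names to your telemetry
(e.g. Sysmon Event ID 1 ProcessId / ParentProcessId / Image).
"""
from dataclasses import dataclass

# Parent set extended beyond winword.exe (assumption: same rule applies to other Office hosts).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts named in the text.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lowercase base name of the executable


# Constructed sample telemetry: one direct spawn, one via an intermediary,
# one benign Office child, and a user shell launched from explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),
    ProcEvent(201, 200, "cmd.exe"),          # direct: winword -> cmd
    ProcEvent(300, 100, "winword.exe"),
    ProcEvent(301, 300, "rundll32.exe"),     # hypothetical intermediary
    ProcEvent(302, 301, "powershell.exe"),   # winword -> rundll32 -> powershell
    ProcEvent(400, 100, "excel.exe"),
    ProcEvent(401, 400, "splwow64.exe"),     # not a script host: not flagged
    ProcEvent(500, 100, "cmd.exe"),          # explorer -> cmd: benign, not flagged
]


def build_index(events):
    """Map pid -> event so ancestry lookups are O(1) per hop."""
    return {e.pid: e for e in events}


def ancestry(event, index, max_depth=32):
    """Yield ancestors from the parent upward; stop on a missing parent, a cycle or max_depth."""
    seen = set()
    cur = index.get(event.ppid)
    depth = 0
    while cur is not None and depth < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = index.get(cur.ppid)
        depth += 1


def direct_office_spawn(event, index):
    """Naive rule from the text: immediate parent is an Office process."""
    parent = index.get(event.ppid)
    return event.image in SCRIPT_HOSTS and parent is not None and parent.image in OFFICE_PARENTS


def office_descendant(event, index):
    """Ancestry-aware rule: some ancestor is an Office process.

    Returns the process chain from the Office ancestor down to the script host,
    or None when the event is not a script host descended from Office.
    """
    if event.image not in SCRIPT_HOSTS:
        return None
    chain = [event.image]
    for anc in ancestry(event, index):
        chain.append(anc.image)
        if anc.image in OFFICE_PARENTS:
            return list(reversed(chain))
    return None


def detect(events):
    """Return {pid: {"direct": bool, "chain": [...]}} for every flagged script host."""
    index = build_index(events)
    results = {}
    for e in events:
        chain = office_descendant(e, index)
        if chain:
            results[e.pid] = {"direct": direct_office_spawn(e, index), "chain": chain}
    return results


if __name__ == "__main__":
    for pid, r in detect(SAMPLE_EVENTS).items():
        how = "direct" if r["direct"] else "via intermediary"
        print(pid, how, " -> ".join(r["chain"]))
```

Running the block flags PID 201 as a direct spawn and PID 302 as an Office descendant via the intermediary, while the cmd.exe launched from explorer.exe (PID 500) is not reported. The `max_depth` and cycle guard matter on real telemetry, where PID reuse can produce loops in a naively reconstructed tree.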

One of the less-known tools residing in the Windows system32 directory is cmdl32.exe. It is used by CMAK (Connection Manager Administration Kit) to set up Connection Manager service profiles. The profile is typically packaged into an .exe that can be deployed to the user's system. The package installs the profile…

This article is a quick exercise and a small introduction to the world of Linux forensics. Below, I perform a series of steps to analyze a disk obtained from a compromised system that was running a Red Hat operating system. I start by recognizing the file system,…

This is the biggest and most comprehensive update for ShellBags Explorer to date. While the change log may not be lengthy, many of its entries are significant changes and optimizations. NEW: Added support for Windows backup related shellbags; these are populated as backup sets are navigated. NEW:…

(Image: Nebula logo.) While Empire (RIG-E) disappeared at the end of December after 4 months of activity, an advert for a new exploit kit dubbed Nebula appeared underground. (Image: illustration of the last month of witnessed activity for Empire, 2017-02-17.) ——Selling EK Nebula—— Nebula Exploit kit. Features: - Automatic domain scanning and generating (99% FUD) - API rotator…
