Why? Executing code & persistence through scheduled tasks is one of the most common techniques used by the threat actors to persist on a device. I also have noted that quite often the threat hunting is based on something like schtasks being used to create those tasks. This is fine as that is likely...
The DFIR thing reg parsing #1
Adding registry parsing to the DFIR thing The Windows registry contains a lot of valuable information for investigating the devices. It can be a daunting task to get started with it but there are awesome tools like the Eric Zimmerman tools which offers great way to get started. I also want to include the...
The DFIR thing
The DFIR.. what? For the last couple of years I have tinkered around a docker-compose configuration for launching DFIR investigation system. The original one was created with four components: ELK – ingesting all the data with all the visualisations PLASO – parse all the Windows evidence Chainsaw – parse evtx logs Hayabusa – parse...
Impacket – part 3
Continuing with Impacket I will do one more post on the series and that will be it. The first post was mostly about the different ways that Impacket can launch semi-interactive shells, the second one was revolving around using WMI based techniques. On the third one I will go through some of the modules...
Impacket – Part 2
Hello mr. Impacket – I am back! Today I will write about Impacket. Last time I wrote about the psexec and smbexec modules which I found to be the most logical start to the series (BTW I would like to remind that 2 posts can be series). You know, it is a gift which...
Exploring hunting options for catching Impacket
Hunting for usage of Impacket Impacket is one of those tools which the threat actors are constantly using during the attacks. It is interesting tool as it allows interacting with several protocols with Python. It, for example, allows for a PsExec like behavior which is very often one of the key tools the threats...
Threat hunting for signs of credential dumping
Why this topic? I chose this topic because I’ve seen a lot of different queries to hunt for signs of credential dumping. However, these have been mostly developed around finding certain tools which do dump the credentials. My idea was to try to hunt for the activity done by the application which dumps the...
Hunting for signs of SEO poisoning
How to hunt for SEO poisoning? Well this is a good question to which I don’t have a good answer. This query is going to go through the very basics of how this can be started but it is not really that easy to do. I’ve had several different ideas of how to hunt...
Rare process launch as a service
Back after a long break The last post on this blog was published on mid-September 2023 so it has been a while since I was able to update the blog. The main reason for this is that I have been too busy. I’ve had extremely busy season at work and on top of that...
OpenCTI RSS feed support
RSS feed support in OpenCTI I haven’t been playing with the OpenCTI platform a lot since I first deployed it. I have a look at the data from time to time but haven’t had the time to create integrations. I just got back to this and started to look if the RSS feed ingestion...