SANS Memory Forensics Cheat Sheet

Just in time for the holidays, we have a new update to the SANS Memory Forensics Cheat Sheet! Plugins for the Volatility memory analysis project are organized into relevant analysis steps, helping the analyst walk through a typical memory investigation. We added new plugins like hollowfind and dumpregistry, updated plugin syntax, and now include help for […]

Credential Attack Podcast

The team at FIRST (Forum of Incident Response and Security Teams) reached out to talk about my upcoming presentation on Windows credential attacks at their annual conference. We spoke about why enterprise credential protection is so important and about some of the recent Microsoft updates that help minimize the attack surface. The entire Windows credential infrastructure […]

Blue Team: Reconnaissance Detection

Note: This article originally appeared on the CrowdStrike blog. Look here for additional context. Detecting reconnaissance activity is something that few blue teams spend time on. Networks are barraged with a near-continuous stream of scanning, and separating targeted activity from Internet background noise can be exceedingly difficult. However, there are a few things you can do to counter […]

Investigating PowerShell: Command and Script Logging

PowerShell is becoming ubiquitous in the Microsoft ecosystem, and while it simplifies administration, it also opens up a nearly unprecedented suite of capabilities for attackers. Nearly every malicious activity imaginable is possible with PowerShell: privilege escalation, credential theft, lateral movement, data destruction, persistence, data exfiltration, and much more. Malicious PowerShell is being used in the wild, […]