WindowsTechs.com

Author Archives: Unknown

An Attacker’s Perspective

Posted on August 8, 2022 by Unknown

Something I’ve thought about quite often during my time in DFIR is the threat actor’s perspective…what is the attacker seeing and thinking during their time in an infrastructure. As a DFIR analyst, I don’t often get to ‘see’ the threat actor’s action… Continue reading An Attacker’s Perspective→

Posted in Uncategorized


Virtual Images for Testing

Posted on August 1, 2022 by Unknown

Many within the DFIR community make use of virtual systems for testing…for detonating malware, trying things within a “safe”, isolated environment, etc. However, sometimes it can be tough to get hold of suitable images for creating that testing envir… Continue reading Virtual Images for Testing→

Posted in Uncategorized

EDR Blindness, pt II

Posted on July 31, 2022 by Unknown

As a follow-on to my earlier blog post, I’ve seen a few more posts and comments regarding EDR ‘bypass’ and blinding/avoiding EDR tools, and to be honest, my earlier post stands. However, I wanted to add some additional thoughts…for example, when cons… Continue reading EDR Blindness, pt II→

Posted in Uncategorized

Rods and Cones, and EDR "blindness"

Posted on July 27, 2022 by Unknown

I ran across an interesting post recently regarding blinding EDR on Windows systems, which describes four general techniques for avoiding EDR monitoring. Looking at the techniques, I’ve seen several of these techniques in use on actual, real world inci… Continue reading Rods and Cones, and EDR "blindness"→

Posted in Uncategorized

History Repeats Itself

Posted on July 24, 2022 by Unknown

It’s said that those who do not study history are doomed to repeat it. I’d suggest that the adage should be extended to, “those who do not study history and learn from her lessons are doomed to repeat it.” My engagement with technology began at an early… Continue reading History Repeats Itself→

Posted in Uncategorized

Turning Open Reporting Into Detections

Posted on July 23, 2022 by Unknown

I saw this tweet from Ankit recently, and as soon as I read through it, I thought I was watching “The Matrix” again. Instead of seeing the “blonde, brunette, redhead” that Cypher saw, I was seeing actionable detection opportunities and pivot points. Ho… Continue reading Turning Open Reporting Into Detections→

Posted in Uncategorized

Fully Exploiting Data Sources

Posted on July 19, 2022 by Unknown

Very often, we view data sources as somewhat one dimensional, and don’t think about how we can really get value from that data source. We’re usually working on a case, just that investigation that’s in front of us, and we’re so “heads down” that we may… Continue reading Fully Exploiting Data Sources→

Posted in Uncategorized

StartupApproved\Run, pt II

Posted on July 17, 2022 by Unknown

On the heels of my last blog post on this topic, I had a couple of thoughts and insights that I wanted to research a bit, and then address. I wanted to take a look at ways that the StartupApproved\Run key might be impacted, so I started by grabbing the… Continue reading StartupApproved\Run, pt II→

Posted in Uncategorized

Does "Autostart" Really Mean "Autostart"?

Posted on July 9, 2022 by Unknown

Most DFIR and SOC analysts are familiar with the Run keys as autostart locations within the Windows Registry:

[HKLM|HKCU]\Software\Microsoft\Windows\CurrentVersion\Run

Values beneath these keys are automatically run asynchronously upon system start and u… Continue reading Does "Autostart" Really Mean "Autostart"?→

Posted in Uncategorized
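The two posts above ("StartupApproved\Run, pt II" and "Does 'Autostart' Really Mean 'Autostart'?") turn on the same point: a value sitting under a Run key is not necessarily executed at logon, because the Explorer\StartupApproved\Run key (written by the Task Manager Startup tab) can mark it disabled. The script below is an added PowerShell example, not code from the original posts or from the WindowsTechs site; it lists every Run value in both hives and reports its StartupApproved state. It assumes the commonly documented binary layout of the StartupApproved entries: first byte 0x02 for enabled, 0x03 for disabled, with a FILETIME at offset 4 recording when the entry was disabled. Any other layout is reported as unknown rather than guessed.

```powershell
# Added example (not from the original posts): correlate Run-key values with
# their StartupApproved\Run state so "present in Run" is not mistaken for
# "will execute at logon".

# Run key -> matching StartupApproved\Run key, per hive.
$pairs = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' =
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' =
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
}

function Get-StartupApprovedState {
    param([byte[]]$Raw)
    # Assumed layout: byte 0 = 0x02 (enabled) or 0x03 (disabled);
    # bytes 4..11 = FILETIME of the disable action (zero when enabled).
    if ($null -eq $Raw -or $Raw.Length -lt 12) { return 'unknown (unexpected value layout)' }
    switch ($Raw[0]) {
        0x02 { return 'enabled' }
        0x03 {
            $ft = [BitConverter]::ToInt64($Raw, 4)
            if ($ft -gt 0) {
                return 'DISABLED since ' + [DateTime]::FromFileTimeUtc($ft).ToString('u')
            }
            return 'DISABLED (no timestamp)'
        }
        default { return ('unknown (first byte 0x{0:X2})' -f $Raw[0]) }
    }
}

function Get-RunKeyStatus {
    foreach ($runKey in $pairs.Keys) {
        if (-not (Test-Path $runKey)) { continue }
        $run      = Get-Item $runKey
        $approved = if (Test-Path $pairs[$runKey]) { Get-Item $pairs[$runKey] } else { $null }

        foreach ($name in $run.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the (Default) value

            # Do not expand %VAR% so the stored command line is shown as-is.
            $cmd = $run.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

            $state = 'enabled (no StartupApproved entry)'
            if ($approved -and ($approved.GetValueNames() -contains $name)) {
                $state = Get-StartupApprovedState -Raw ([byte[]]$approved.GetValue($name))
            }

            [PSCustomObject]@{
                Hive    = $runKey.Split(':')[0]
                Name    = $name
                Command = $cmd
                State   = $state
            }
        }
    }
}

Get-RunKeyStatus | Sort-Object Hive, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the live system to see both hives; on an acquired image, the same logic applies to the SOFTWARE and NTUSER.DAT hives, with the StartupApproved key living under the user hive for HKCU entries. A value that shows as DISABLED is still a persistence artifact worth recording (someone put it there), but it should not be written up as "executes at logon".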

Copyright © 2026 WindowsTechs.com. All Rights Reserved.