Author Archives: Unknown

If you’re worked in DFIR or threat intel for any amount of time, you’ve likely either seen or heard how threat actors modify systems to meet their own needs, configuring systems to provide data or hide their activities, as they make their way through a… Continue reading Timestomping Registry Keys→

Krzysztof shared another blog post recently, this one that addresses the battery use and the battery level of a system, and how it applies to an investigation.At first thought, I’m sure a lot of you are asking, “wait…what?”, but think about it for a … Continue reading Scheduled Tasks and Batteries→

Before I kick this blog post off, I’d like to thank Lina L for her excellent work in developing and sharing her work, both on Twitter, as well as in a blog post. Both are thoughtful, cogent, and articulate.In her blog post, Lina references detection te… Continue reading Windows Event Log Evasion Review→

My previous post on this topic presented my thoughts on how the concept of “artifact categories” were being misused.My engagement with artifact categories goes back to 2013, when Corey Harrell implemented his thoughts on categories via auto_rip. I… Continue reading The (Mis)Use of Artifact Categories, pt II→

A request that’s been pretty consistent within the industry over time has had to do with reporting. I’d see a request, some responses, someone might ask for a template, and then the exchange would die off…I assumed that it had moved to DMs or offline… Continue reading DFIR Reporting→

Very often in DFIR, we categorize artifacts in an easy-to-understand and easy-to-digest manner, as using or relying on these categories often helps us navigate our investigations. There are also times when we reduce those artifacts to a level where the… Continue reading The (Mis)Use of Artifact Categories→

What, again?!?!I know, right?!?Not long ago, I read this fascinating article from Joe Helle that discussed malicious uses for Windows shortcuts, or LNK files, and also discussed a Python3 scripts called “lnkbomb”.As a side note, check out what Joe had … Continue reading LNK Files, Again→

Over the years, changes in the threat landscape have made attribution more difficult. Attribution has always been challenging, but has been and can continue to be eased through visibility. That is, if your view into an event or campaign is limited to r… Continue reading The Threat Landscape and Attribution→

From the time I started in DFIR, one question was always on the forefront of incident responder’s minds…how do you know what “bad” looks like? When I was heading on-site during those early engagements, that question was foremost on my mind, and … Continue reading How Do You Know What "Bad" Looks Like?→

Why is Registry analysis important?The Windows Registry, in part, controls a good bit of the functionality of a Windows system. As such, Registry analysis can help you understand why you’re seeing something, or why you’re not seeing something, as the c… Continue reading Registry Analysis – The "Why"→