Prefetch: The Little Snitch That Tells on You

Incident Response and forensic analysts use the contents of prefetch files in investigations to gather information, such as the source from which an executable was launched, how many times it was executed, what files it touched, and the date and time it was launched. A prefetch file is like the little brother that tells the…

The post Prefetch: The Little Snitch That Tells on You appeared first on TrustedSec.

Incident Response: Bring Out the Body File

An Incident Response (IR) examiner faced with a case or asked whether something ‘funny’ or ‘bad’ happened on a host will wonder if a comprehensive file listing is attainable for the system in question. Sometimes this comes in the form of a question, such as “How long has that malware been there,” or “Was the…

Obfuscation Using Python Bytecode

1.1 Introduction

I love when I get tossed a piece of unique malware. Most of the time, malware is obfuscated using PowerShell or a dropper written in C. This time, however, it was obfuscated using Python. How fun! My first thought when I was asked to look at it was, “It’s Python. I’ll just read…

Critical Vulnerability in Progress MOVEit Transfer: Technical Analysis and Recommendations

On May 31, 2023, Progress Software released a security bulletin concerning a critical vulnerability within MOVEit Transfer, a widely used secure file transfer system. TrustedSec has performed analysis on the vulnerability and post-exploitation activities. At the time of publication, there is no associated CVE or CVSS score. This post will describe the research conducted so…

PPID Spoofing: It’s Really this Easy to Fake Your Parent

1 New Blog Series on Common Malware Tactics and Tricks

This will be the first post in a series of blogs covering some common malware tactics and tricks. The following list is of topics that will be discussed in these blogs. However, feel free to reach out if there is a topic that is not on…

Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 3 – Network Analysis and Tooling)

Within the first two installments of this series, we identified the key to successful incident preparation starts with making sure a solid incident triage process is in place, centralized analysis documentation is created, and the incident communication cadence has been solidified. This, in conjunction with a well-oiled rapid triage Windows artifact processing plan, allows analysts…

Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 2 – Incident Assessment and Windows Artifact Processing)

In Part 1 of this series, we identified that there are three (3) key parts to successful incident preparation: ensuring that a solid incident triage process is in place, creating centralized analysis documentation, and solidifying incident communication. In Part 2 of this series, I will delve into the process of thoroughly evaluating the incident, explore…

Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 1 – Process Overview and Preparation)

In this series, I will be discussing how to handle an incident with the speed and precision of a DFIR warrior. With a rapid triage mindset, you’ll be able to assess the situation quickly and efficiently, just like a Jiu-Jitsu practitioner sizing up their opponent before delivering a devastating submission. You will have the tools…

What You Need to Know About SBOM

What is an SBOM? A Software Bill of Materials (SBOM) is a hierarchical, itemized list of all dependencies, their version numbers and provenance for a given piece of software. It may also include other data, such as the license type or details about which database to query for vulnerability disclosure. SBOMs are not restricted to…

Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

Threat Overview

Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of…
