One of the other methods attackers are using to establish persistence is through Windows Management Instrumentation (WMI) This started to gain popularity around 2015 when Matt Graeber presented a talk at Blackhat. Shortly after that,… Read More »Finding Evil in 30 Minutes or Less Part 4 – Windows Event Logs and the WMI Database
When you are doing an IR it is crucial that you find answer fast. You often have the client asking for daily updates as well as legal counsel asking you to find the answers ASAP.… Read More »Finding Evil in 30 Minutes or Less Part 1 – Processes and Network Connections
The first time I responded to a breach solo was just a few months after starting my career as a DFIR consultant. I flew out early morning from Arizona across the country to New Jersey… Read More »Your first onsite IR
One of the major differences between working corporate security vs consulting is the interaction with customers. When you work in a SOC or CIRT, most of your work is done with members of your team… Read More »Just what is a Scoping Call?
I’ve been working in IT since 1999. I started out on Windows 3.1 machines running Token Ring networks. I worked as a sys admin for a little over 11 years before getting tired of it… Read More »Some Background