Incident Response
Sniper Incident Response – How did they get in?
How did they get in? Question number 4 in our Big 4. It may seem counterintuitive to try to solve this last, but in reality this is often one of the least important questions to…
Sniper Incident Response – Where did they go?
Where did they go? This question is all about lateral movement and knowing the scope of the infection. Windows systems have several artifacts that we can quickly triage to see which systems were accessed. These…
Sniper Incident Response – Are they still here?
Are they still here? This question plays an important part in your investigation. If there is an active attacker in the environment, you need to identify and block all of their remote access and backdoors…
Sniper Incident Response – What did they take?
What did they take? This question is always a key priority for lawyers. Knowing what data was taken and what it contained helps them decide on the next legal steps to protect the company. Often…
Introducing Sniper Incident Response
The Problem and the Solution The current method of doing forensics is slow and outdated. One-at-a-time triage or disk forensics may work okay when you only have a handful of endpoints, but…
Questions are the answer
There's nothing like the adrenaline rush of being onsite and starting a new case. Going through fresh data, trying to find the bad guy, hunting an active attacker and stopping them in their tracks is…
Finding Evil in 30 Minutes or Less Part 2 – Amcache, Shimcache and the Srum DB
In Part 1 of this series, we looked at collecting volatile data from a machine and analyzing running processes and network connections. Those things are great for analyzing a running system, but what if we…
Finding Evil in 30 Minutes or Less Part 3 – Windows Registry
In Parts 1 and 2 of this series we examined artifacts from a live system by looking at processes and network connections. We also looked at artifacts left behind after a system was powered…
Finding Evil in 30 Minutes or Less Part 4 – Windows Event Logs and the WMI Database
One of the other methods attackers are using to establish persistence is Windows Management Instrumentation (WMI). This started to gain popularity around 2015 when Matt Graeber presented a talk at Black Hat. Shortly after that,…
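The excerpt above refers to WMI persistence without showing the triage step. The following is an added PowerShell example, not code from the original series, showing how to enumerate the three objects that make up a permanent WMI event subscription (filter, consumer, binding) in the root\subscription namespace, and how to pull the WMI-Activity operational events that record new subscriptions. Class names, property names and event ID 5861 are standard Windows ones; the namespace variable and output shaping are this example's own choices.

```powershell
# Added example (not from the original post): triage WMI permanent event subscriptions.
# Run in an elevated PowerShell session on the suspect host.

$ns = 'root\subscription'

# 1. Filters: the WQL trigger (timer, process start, logon, ...)
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, EventNamespace, QueryLanguage, Query

# 2. Consumers: the action. __EventConsumer is abstract, so the instances returned are
#    the concrete classes (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
#    Properties that do not exist on a given class simply come back empty.
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    Select-Object Name,
                  @{ n = 'Class'; e = { $_.CimClass.CimClassName } },
                  CommandLineTemplate, ExecutablePath, ScriptingEngine, ScriptText

# 3. Bindings: which filter fires which consumer. Both sides are object references.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object @{ n = 'Filter';   e = { $_.Filter.Name } },
                  @{ n = 'Consumer'; e = { $_.Consumer.Name } }

# 4. Where the Microsoft-Windows-WMI-Activity/Operational log is enabled, event ID 5861
#    is written when a permanent subscription is registered and includes the consumer
#    details, which lets you see creations that have since been removed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Expect one benign entry on a stock Windows install: the built-in "SCM Event Log Filter" bound to the NTEventLogEventConsumer "SCM Event Log Consumer". Anything else, particularly a CommandLineEventConsumer or ActiveScriptEventConsumer, deserves a look at its command line or script body. If Sysmon is deployed, its event IDs 19, 20 and 21 record the same filter, consumer and binding activity.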