Rapid7 recently shared a fascinating post regarding the Kimsuky threat actor group making changes in their playbooks, specifically in their apparent shift to the use of .chm/"compiled HTML Help"...
http://windowsir.blogspot.com/2024/03/a-look-at-threat-intel-through-lens-of.html
I ran across an interesting LinkedIn post recently, "interesting" in the sense that it addressed something I hadn't seen a great deal of reporting on; that is, ransomware threat actors dropping m...
http://windowsir.blogspot.com/2024/03/threat-actors-dropping-multiple.html
I was listening to a couple of fascinating interviews on the Uptycs Cybersecurity Standup podcast recently, and I have to tell you, there were some pretty insightful comments from the speakers....
http://windowsir.blogspot.com/2024/03/uptycs-cybersecurity-standup.html
Investigative Scenario Chris Sanders posted another investigative scenario on Tues, 12 Mar, and this one, I thought, was interesting (see the image to the right). First off, you can find the...
http://windowsir.blogspot.com/2024/03/investigative-scenario-2024-03-12.html
I was doing some research recently regarding what's new to Windows 11, and ran across an interesting artifact, which seems to be referred to as "PCA". I found a couple of interesting references r...
It's been almost a year, but this Elastic Security write-up on the r77 rootkit popped up on my radar recently, so I thought it would be useful to do a walk-through of how someone with my backg...
http://windowsir.blogspot.com/2024/02/a-look-at-threat-intel-through-lens-of.html
There're a lot of discussions out there on social media regarding how to get started or improve yourself or set yourself apart in cybersecurity, and a lot of the advice centers around doing things ...
There's been a good bit of discussion in the cybersecurity community regarding "EDR bypasses", and most of these discussions have been centered around technical means a threat actor can use to "...
So far, parts I and II of this series have been published, and at this point, there's something that we really haven't talked about. That is, the "So, what?". Who cares? What are the benefits...
http://windowsir.blogspot.com/2024/01/human-behavior-in-digital-forensics-pt_10.html
On the heels of my first post on this topic , I wanted to follow up with some additional case studies that might demonstrate how digital forensics can provide insight into human activity and beha...
http://windowsir.blogspot.com/2024/01/human-behavior-in-digital-forensics-pt.html
I've always been a fan of books or shows where someone follows clues and develops an overall picture to lead them to their end goal. I've always liked the "hot on the trail" mysteries, particu...
http://windowsir.blogspot.com/2024/01/human-behavior-in-digital-forensics.html
Another trip around the sun is in the books. Looking back over the year, I thought I'd tie a bow on some of the things I'd done, and share a bit about what to expect in the coming year. In Augu...
MSSQL is still a thing TheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I'm always interested in things like this becaus...
I received an interesting question via LinkedIn not long ago, but before we dive into the question and the response... If you've followed me for any amount of time, particularly recently, you'll...
One of the things I love about the industry is that it's like fashion...given enough time, the style that came and went comes back around again. Much like the fashion industry, we see things time...
I don't like checklists in #DFIR. Rather, I don't like how checklists are used in #DFIR. Too often, they're used as a replacement for learning and knowledge, and looked at as, "...if I do jus...
Some analysts may be familiar with the topic of time stomping, particularly as it applies to the NTFS file system, and is explained in great detail by Lina Lau in her blog . If you're not famili...
http://windowsir.blogspot.com/2023/10/investigating-time-stomping.html
On the heels of my previous blog post on this topic , I read a report that, in a lot of ways, really highlighted some of the issues I mentioned in that earlier post. The recent IDC report from Bi...
http://windowsir.blogspot.com/2023/09/the-state-of-windows-digital-analysis_19.html
Something that I've seen and been concerned about for some time now is the state of digital analysis, particularly when it comes to Windows systems. From open reporting to corporate blog posts an...
http://windowsir.blogspot.com/2023/09/the-state-of-windows-digital-analysis.html
I recently had an opportunity to review the book, Effective Threat Investigation for SOC Analysts , by Mostafa Yahia. Before I start off with my review of this book, I wanted to share a li...
http://windowsir.blogspot.com/2023/08/book-review-effective-threat.html
Okay, so we've integrated Yara into the RegRipper workflow , and created "YARR"...now what? The capability is great...at least, I think so. The next step (in the vein of the series ) is really le...
http://windowsir.blogspot.com/2023/08/the-next-step-integrating-yara-with.html
It's about that time again, isn't it? It's been a while since we've had a significant (or, depending upon your perspective, radical) shift in the cyber crime ecosystem, so maybe we're due. W...
http://windowsir.blogspot.com/2023/08/yet-another-glitch-in-matrix.html
A lot of writing and training within DFIR about the Registry refers to it as a database where configuration settings and information are maintained. There's really a great deal of value in that, a...
http://windowsir.blogspot.com/2023/08/integrating-yara-with-regripper.html
I thought I'd continue The Next Step series of blog posts with something a little different. This "The Next Step" blog post is about taking a tool such as RegRipper to "the next step", which is ...
http://windowsir.blogspot.com/2023/08/the-next-step-expanding-regripper.html
The morning of 1 Aug, I found an article in my feed about a ransomware attack against a municipality; specifically, Montclair Township in New Jersey. Ransomware attacks against municipalities are...
http://windowsir.blogspot.com/2023/08/ransomware-attack-timeline.html