As was promised, we continue our Using MITRE ATT&CK for Forensics series. This time we are going to discuss another persistence mechanism that isn’t so common in-the-wild. It’s Image File Execution Options (or IFEO) injection, persistence technique with ID T1183. So, what are IFEO? These options enable a developer to attach a debugger to an application. What is more, IFEO …

First of all, I would like to thank all of those who liked and retweeted the previous article from this series, BITS Jobs (T1197). I’m planning to continue working on this series and publish a post a week. This week I’m going to write about a persistence mechanism that became quite popular recently – WMI Event Subscription (T1084). I think …

If you are doing incident response, you must know what MITRE ATT&CK is. As it’s a great guide to threat actors tactics and techniques, I thought it’s a good idea to look at it from a forensic perspective. The ATT&CK can definitelly help digital forensic analysts to find evil both during traditional host-based forensic activities and more incident response related …

On Marth 24th Telegram released a new version of their messenger, and introduced a new feature – ability “to delete any message you have sent or received from both sides in any private chat”. According to Telegram’s official website, “the messages will disappear for both you and the other person – without leaving a trace.” Sounds pretty interesting, right? Let’s …

Recently I’m becoming more and more interested in cyber threat intelligence. I even started preparing for GCTI certification. CTI uses models and chains, you may have heard about the Diamond Model and Cyber Kill-Chain. Incident response has its own lifecycle – from preparation and identification to recovery and lessons learnt. Digital forensics has a certain process as well: collection, examination, …

New Sunday – new Funday! This week’s Sunday Funday presented the following challenge to solve: What are all the methods of execution you can find that are not recorded in the Amcache hive? All testing have been done on Windows 10 (Version 1803, OS Build 17134.523). For testing I used netscan.exe (x64), it’s available here, it was renamed according to …

Had some free time last week, so decided to participate in David Cowen’s Sunday Funday challenge. My submission didn’t win, but I decided to post it anyway. 1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view) You can find these settings under: UsrClass.dat: Local Settings\Software\Microsoft\Windows\Shell\Bags\<Node_slot>\ComDlg\{GUID} …

Let’s continue to dissect unusual malicious email attachments used by modern APT. This time I’m going to focus on malicious CHM files used by Silence APT. If you haven’t heard about it for some reason, I would recommend to read this detailed report by Group-IB, as this APT attacks not only Russian banks, but also banks in more than 25 countries. …

Weaponized LNK files are not very popular way of distributing malware, but, of course, sometimes they take place. One of a good examples of such files is the one described by FireEye in November, that is assosiated with APT29 also known as Cozy Bear. It’s is beleived that Cozy Bear is a Russian hacker group. What’s more, it’s even associated …

This article is a general explanation why and how forensic experts and first responders could benefit from a tool that provides Image data retrieval. The product under review is a first-line tool for data retrieval and image mounting, as you cannot retrieve the data without mounting the images first. Also being able to read this data under any OS, regardless …