Finding Registry Malware Persistence with RECmd
Chad Tilbury has written a post on how to use Eric Zimmerman’s RECmd and its batch files to uncover malware persistence mechanisms in the registry. The post is available here.
In this post Ben Bornholm writes about how to detect PowerShell Empire using the tools from the Sysinternals suite.
An interesting post by D3xt3r’s Malware Laboratory describing another example of using LNK files as malware droppers.
Olaf Hartong has written a blog post in which he shows how to use “Create Remote Thread” events to detect the process injection that NoPowerShell relies on. NoPowerShell is a tool which can be used to execute certain PowerShell commands from Cobalt Strike without having to use PowerShell itself. Learn about this detection technique at Medium.
Brian Carrier and Chris Ray have found a way to run PsExec without revealing the admin password hash. Check this blog post to learn how to do it.
Pasquale Stirparo has started a post series about macOS persistence mechanisms titled “Beyond good ol’ LaunchAgent”. The first post is devoted to LaunchAgents and LaunchDaemons.
Derek King has published another post as part of his “Hunting with Splunk: The Basics” series. This time he is discussing lateral movement – which, as Ryan Kovar said, is one of the key indicators that you actually have an APT in your network.
In this post Magnet Forensics talks about Emergency Download (EDL) mode. This is a Qualcomm feature that can be used for data recovery and for other tasks such as unbricking or flashing a device. Finally, it can be used to create a full image while bypassing the passcode of the target device.
Temporal Tables are a new feature of SQL Server 2016. Join Pragmatic Works to learn what they are and how they track data change history for auditing and forensics. This presentation includes demos of how to create temporal tables, and how to use them once they are configured.
SANS DFIR posted the newest version of the Windows Forensic Analysis poster. It includes an updated Windows Time Rules table and lots of artifacts covering file downloads, program execution, file deletion, file knowledge, and more – don’t wait, download and learn!