Threat Hunting: What it Is, and What it Is Not
Nowadays everybody is talking about threat hunting. Everyone wants to be a threat hunter. Every employer wants to hire a thr…
SQM: New Evidence of Execution Source?
Forensicating one of compromised hosts during our recent incident response activities we have found some interesting artifac…
Following the RTM
Researchers became aware of the activities of the RTM group in December 2015. Since then, phishing emails distributing the t…
Using MITRE ATT&CK for Forensics: Image File Execution Options Injection (T1183)
As was promised, we continue our Using MITRE ATT&CK for Forensics series. This time we are going to discuss another pers…
Using MITRE ATT&CK for Forensics: BITS Jobs (T1197)
If you are doing incident response, you must know what MITRE ATT&CK is. As it’s a great guide to threat actors tac…
Detection of Algorithmically Generated Malicious Domain
In recent years, many malware writers have relied on Dynamic Domain Name Services (DDNS) to maintain their Command and Contr…
AutoMacTC: Automated Mac Forensic Triage Collector
AutoMacTC is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse th…
Sysmon-Modular: A Sysmon Configuration Repository for Everybody to Customise
This is a Microsoft Sysinternals Sysmon configuration repository by Olaf Hartong, set up modular for easier maintenance and …
Badly behaving scripts
As browser and operating system security have been improving, there has been a rise in conventional malware attacks relying …
Extracting Activity History from PowerShell Process Dumps
Lee Holmes has posted about how to extract activity history from PowerShell process dumps. Such dumps may be gold mines, esp…
