Triaging a System Infected with Poweliks
Change is one of the only constants in incident response. In time most things will change; technology, tools, processes, and techniques all eventually change. The change is not only limited to the...
Linkz for Detection and Response
The fastest way to reach a destination is to learn from those who have traveled parts of the journey you are on. Others may point you in a direction to avoid the obstacles they faced or show you the...
Process Hollowing Meets Cuckoo Sandbox
Growing up I loved to watch horror movies. In hindsight, they scared the crap out of me probably because I was too young to watch them. One such movie was the 1986 movie Night of the Creeps. Alien...
The Jock Becomes the Geek
We interrupt the normal DFIR programming on this blog for a different kind of post. A post about a situation I found myself in. It's a story others may find amusing or cause them to have empathy for...
Compromised Root Cause Analysis Model Revisited
How? The one question that is easy to ask but can be very difficult to answer. It's the question I kept asking myself over and over. Reading article after article where publicized breaches and...
Python: print "Hello DFIR World!"
Coursera's mission is to "provide universal access to the world's best education." Judging by their extensive course listing it appears as if they are delivering on their mission since the courses are...
Making Incident Response a Security Program Enabler
Incident response is frequently viewed as a reactive process. As soon as something bad happens that is when the incident response process is activated to respond to what occurred. This view is similar...
Introducing the Active Threat Search
Have you found yourself looking at a potential security event and wishing there was more context? The security event could be an IDS/IPS triggering on network activity, antivirus software flagging a...
Security Monitoring with Attack Behavior Based Signatures
Coaches and athletes both gather intelligence against their upcoming opponent by watching game film. Based on what they learn, they adjust their strategies to account for their opponent's strengths,...
Linkz for Intelligence Driven Security and Threat Intelligence
What's the strategy one should use when trying to defend an organization against the threats we face today? At times the security strategy has been reactive. Decisions and the direction forward are...
Villager or Special Forces - That Is The Question
At certain times we will find ourselves being like Special Forces going against what seems like a villager with a pitchfork. We are better equipped, better trained, possess more technical knowledge,...
SIEM – One Year Later
We are overwhelmed with data and are not sure what to look at or collect? I came across this paraphrased comment in a SIEM forum and it echoes a sentiment I have seen about SIEM. Deploying the...
Minor Updates to Auto_rip
This is a quick post to pass along that I updated my auto_rip script. For those who may not know, auto_rip is a wrapper script for Harlan Carvey's RegRipper program and it executes RegRipper’s plug-ins...
Go Against the Grain
"You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete." —Richard Buckminster Fuller
It's very easy to accept the way...
A Warning about Hidden Costs
I saw the excitement in my son's eyes as the biggest smile was stretching from ear to ear. He slowly stretched out his arm to show me what he got at camp that day. He was extremely excited and I could...
Random Thoughts
Things have been quiet on jIIr since I over committed myself. The short version is I had zero time for personal interests outside of my commitments, $dayjob, and family. Things are returning back to...
Adding an Event Triage Drop to the Community Bucket
"By failing to prepare, you are preparing to fail." ~ Benjamin Franklin
Let's also stop saying if company X looked into their alerts then they would have seen there was a security issue. We need to start...
Triage Practical – Malware Event – Prefetch $MFT IDS
Another Monday morning as you stroll into work. Every Monday morning you have a set routine and this morning was no different. You were hoping to sit down into your chair, drink some coffee, and work...
Triage Practical Solution – Malware Event – Prefetch $MFT IDS
You are staring at your computer screen thinking how you are going to tell your ISO what you found. Thinking about how this single IDS alert might have been overlooked; how it might have been lost...
Triage Practical – Malware Event – Proxy Logs Prefetch $MFT IDS
The ISO was thrilled and excited about the possibilities after you successfully triaged the previous suspicious network activity. They got a glimpse of the visibility one attains through security...
Blaming Others
As we marched across the parade deck from the side we looked as one. The sound of about 70 Marines' heels hitting the pavement sounded as one. The sound of the hoarse drill instructor's voice...
Triage Practical Solution – Malware Event – Proxy Logs Prefetch $MFT IDS
Staring at your Mountain Dew you think to yourself how well your malware triage process worked on triaging the IDS alert. It’s not perfect and needs improvement to make it faster but overall the...
Breaking Out of Routines
I was digging a hole to plant my blackberry plants when I kept hearing a noise of something moving around the corner of my house. I stopped digging and walked around the house to see what was making...
Thanks a Million
Last week a new member on my $DayJob’s team reached the point in his in-house training where they started to read articles on jIIr. After I cracked a joke about the blog’s author he mentioned how my...
Changing Perspectives
In the Fall I was staring out my back window seeing my yard covered in orange leaves. This sight is one I see each year and I have always viewed as my yearly chore. The chore of cleaning up the leaves...