Kansa: Get-Started
Last week I posted an introduction to Kansa, the modular, PowerShell live response tool I've been working on in preparation for my presentation at the SANS DFIR Summit. Please do me a favor and click the DFIR Summit link. :) My previous post was a high level overview. This one will dive in. If ...
Kansa: A modular live response tool for Windows enterprises
Folks who follow me on Twitter, @davehull, have seen chatter from me about a side-project I've been working on, Kansa, in preparation for my presentation at the SANS DFIR Summit in Austin in June. While the GitHub page for the project contains a Readme.md that gives a little information about what ...
Resolving some trigger GUIDs
My last post here on triggers as a Windows persistence mechanism, see http://trustedsignal.blogspot.com/2014/02/triggers-as-windows-persistence.html, gave an example of a Windows Scheduled Task that would run a script when a specific event id appeared in the Microsoft-Windows-Security-Auditing log (i.e. the Security event log). I added a collector for Windows Service triggers to Mal-Seine, a ...
Triggers as a Windows persistence mechanism — an example
@keydet89 posed the following question on Twitter: The SANS ISC post discussing triggers as a persistence mechanism is at the following URL: https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+-+Part+3/15448 @z4ns4tsu responded that he'd seen it and gave some information about the scenario. I replied that I'd encountered it as well and that it also works for Scheduled Tasks, which is ...
Security debt: SDLC for the best, plan for the worst
Microsoft's Trustworthy Computing initiative celebrated its 10th anniversary in 2012. Many diligent companies have adopted secure software development life cycles aimed at delivering more secure products or protecting their own assets. These initiatives are "front-end" heavy, that is to say, they invest significant time and resources in the early stages ...