Triage
EvilExtractor Network Forensics
Erik Hjelmvik | | 1-Password-Cookies, 193.42.33.232, 2-Credentials, 3-Files, 89.116.53.55, ANY.RUN, EvilExtractor, FTP, KK2023.zip, NetworkMiner, sandbox, tria.ge, Triage
I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim's computer and exfiltrates them ...
Hunting injected processes by the modules they keep
davehull | | analysis, digital investigations, Incident Detection, Incident Response, IR, Kansa, Kansa collector command line arguments, Kansa collectors, Triage, Windows
A relatively recent post showed how Metasploit's Meterpreter module made some noise on endpoints when the migrate command was used to move the agent code into a legitimate process, spoolsv.exe in our ...
Analyzing an Instance of Meterpreter’s Shellcode
davehull | | analysis, DFIR, Digital Forensics, digital investigations, forensics, Incident Response, IR, Malware, Triage
In my previous post on detecting and investigating Meterpreter's Migrate functionality, I went down a rabbit hole on the initial PowerShell attack spawned by an Excel macro. In that payload was a ...
The DFIR Hierarchy of Needs & Critical Security Controls
As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, consider Matt Swann's Incident Response Hierarchy of Needs. Likely, at some point in ...