Tag: Windows Incident Response

Hunting Fileless Malware

I ran across Manuel Arrieta‘s Hunting Fileless Malware in the Windows Registry article recently, and found it to be an interesting read. Let me start by saying that the term “fileless malware”, for me, is like finger nails dragged down…

Read more →

Program Execution, follow-up pt II

On the heels of my previous post on this topic, it occurred to me that this tendency to incorrectly refer to ShimCache and AmCache artifacts as “evidence of execution” strongly indicates that we’re also not validating program execution. That is…

Read more →

I’ve Seen Things, pt II

As a follow-on to my previous post with this title, I wanted to keep the story going; in fact, there are likely to be several more posts in this series, so stay tuned. And hey, I’m not the only one…

Read more →

Program Execution, follow-up

 Last Nov, I published a blog post titled Program Execution: The ShimCache/AmCache Myth as a means of documenting, yet again and in one place, the meaning of the artifacts. I did this because I kept seeing the “…these artifacts illustrate program…

Read more →

I’ve Seen Things

< p style=”text-align: left;”>I like the movie “Blade Runner”. I’ve read Philip K. Dick’s “Do Androids Dream of Electric Sheep“, on which the movie is based.   So what does this have to do with anything? Well, I’ve been around the…

Read more →

Know Your Tools

In 1998, I was in a role where I was leading teams on-site to conduct vulnerability assessments for organizations. For the technical part of the assessments, we were using ISS’s Internet Scanner product, which was a commercial scanner. Several years…

Read more →

WMI

The folks over at CyberTriage recently shared a complete guide to WMI; it’s billed as a “complete guide to WMI malware”, and it covers a great deal more than just malware. They cover examples of discovery and enumeration, as well…

Read more →

WMI

The folks over at CyberTriage recently shared a complete guide to WMI; it’s billed as a “complete guide to WMI malware”, and it covers a great deal more than just malware. They cover examples of discovery and enumeration, as well…

Read more →

The Problem with the Modern Security Stack

I read something interesting recently that stuck with me. Well, not “interesting”, really…it was a LinkedIn post on security sales. I usually don’t read or follow such things, but for some reason, I started reading through this one, and really…

Read more →

The Problem with the Modern Security Stack

I read something interesting recently that stuck with me. Well, not “interesting”, really…it was a LinkedIn post on security sales. I usually don’t read or follow such things, but for some reason, I started reading through this one, and really…

Read more →