A collection of cybersecurity content.

Month: March 2023

  • Scheduled Tasks: Collecting Evidence

    Intro Scheduled tasks are a valuable feature in Windows that enables users to schedule specific actions on their systems at desired times. This feature allows users to start designated programs at login, reboot their computers on a set schedule, and execute custom commands or scripts. However, this feature can also be exploited by adversaries to […]

  • Abusing DNS: Hiding Commands in TXT Records

    Intro While TXT DNS (text domain name system) records have legitimate purposes, it is important to be aware that adversaries can exploit TXT records to hide content and commands. Adversaries may use DNS to establish communication with systems that are under their control within a victim network, all while appearing as normal, expected traffic. What […]

  • PowerShell Phishing: How Adversaries Use the Command Line to Steal Your Credentials

    Intro In addition to the well-known email-based phishing attacks where attackers impersonate legitimate websites to deceive users into revealing their login credentials, attackers can employ other methods to trick users into giving away their sensitive information. It is possible to deceive users on an internal network to engage them with a prompt that will coerce […]

  • Searching for File Locations by Name: Investigations on Windows

    Intro When it comes to cybersecurity, there are times when it becomes necessary to locate specific files on a system. This could be for an incident investigation, or as a result of a request from HR. Regardless of the reason, the ability to quickly and accurately find files is crucial for effective cybersecurity operations. Usefulness […]

  • Windows Prefetch Data: Collecting Evidence

    Intro The Prefetch feature in Windows optimizes the performance of frequently used programs by preloading certain files into memory, reducing the time it takes to start a process. By storing this information on disk, the feature includes properties related to file execution that can be beneficial for incident response teams. Explained Loading files from memory […]

  • System EXEs and DLLs: Collecting Evidence

    Intro It is critical for incident response teams to have a complete understanding of any incident. Gathering information on the signature statuses, sizes, hashes and other attributes of key files is a crucial component in achieving enough data to help paint a full picture during an incident and to give pivoting points to extend and […]

  • Recent Files & Directories: Collecting Evidence

    Intro During an incident, it is imperative to gather as much information as possible to establish a comprehensive timeline of events. One crucial aspect of information collection is identifying the most recent files and directories on the impacted host found in %AppData%\Roaming\Microsoft\Windows\Recent. This information plays a crucial role in helping to understand the sequence of […]

  • Unconstrained Delegation: Hunting for AD Weaknesses

    Intro Unconstrained delegation is a setting in Active Directory that allows a computer to impersonate a user and perform actions on their behalf. This feature is enabled by default on domain controllers in Active Directory. Concept Explained Imagine you have a big library with lots of books. Some of the books are really special and […]