A collection of cybersecurity content.

Tag: windows

  • Detecting DNS Tunneling

    Intro DNS Tunneling represents a threat often operating under the radar of traditional defense measures. By leveraging a fundamental protocol of the internet, Domain Name System (DNS), this technique allows threat actors to exfiltrate data or establish command and control (C2) channels, often leaving IT security teams none the wiser. What is DNS Tunneling? DNS […]

  • Idea List for Lost or Stolen Corporate Computers

    Before implementing any monitoring or recording methods, consult with legal experts, as these practices may be illegal or unethical in some jurisdictions, potentially violating privacy laws and individuals’ rights. Intro Although the primary emphasis here addresses a lost or stolen corporate computer with some type of backdoor into the machine (EDR or otherwise), some of […]

  • Modifying User and System Shell Folder Paths: Collecting Evidence

    Intro User and System Shell folders are a bunch of folders in Windows used to store a lot of the user’s personal data and settings. You most likely know these as Desktop, Start Menu, My Documents, and Startup folders. There are many others but those are some of the most popular. These locations are also […]

  • Registry Run Keys: Maintaining Persistence

    Intro Want to start Outlook on login? Easy. Start malware on login…even in safe mode? Just as easy. Registry run keys in Windows help start programs, scripts, or commands when your computer boots up or when you log in. They make managing apps and services easier when it comes to IT management or enhancing the […]

  • Scheduled Tasks: Collecting Evidence

    Intro Scheduled tasks are a valuable feature in Windows that enables users to schedule specific actions on their systems at desired times. This feature allows users to start designated programs at login, reboot their computers on a set schedule, and execute custom commands or scripts. However, this feature can also be exploited by adversaries to […]

  • Abusing DNS: Hiding Commands in TXT Records

    Intro While TXT DNS (text domain name system) records have legitimate purposes, it is important to be aware that adversaries can exploit TXT records to hide content and commands. Adversaries may use DNS to establish communication with systems that are under their control within a victim network, all while appearing as normal, expected traffic. What […]

  • PowerShell Phishing: How Adversaries Use the Command Line to Steal Your Credentials

    Intro In addition to the well-known email-based phishing attacks where attackers impersonate legitimate websites to deceive users into revealing their login credentials, attackers can employ other methods to trick users into giving away their sensitive information. It is possible to deceive users on an internal network to engage them with a prompt that will coerce […]

  • Searching for File Locations by Name: Investigations on Windows

    Intro When it comes to cybersecurity, there are times when it becomes necessary to locate specific files on a system. This could be for an incident investigation, or as a result of a request from HR. Regardless of the reason, the ability to quickly and accurately find files is crucial for effective cybersecurity operations. Usefulness […]

  • Windows Prefetch Data: Collecting Evidence

    Intro The Prefetch feature in Windows optimizes the performance of frequently used programs by preloading certain files into memory, reducing the time it takes to start a process. By storing this information on disk, the feature includes properties related to file execution that can be beneficial for incident response teams. Explained Loading files from memory […]

  • System EXEs and DLLs: Collecting Evidence

    Intro It is critical for incident response teams to have a complete understanding of any incident. Gathering information on the signature statuses, sizes, hashes and other attributes of key files is a crucial component in achieving enough data to help paint a full picture during an incident and to give pivoting points to extend and […]

  • Recent Files & Directories: Collecting Evidence

    Intro During an incident, it is imperative to gather as much information as possible to establish a comprehensive timeline of events. One crucial aspect of information collection is identifying the most recent files and directories on the impacted host found in %AppData%\Roaming\Microsoft\Windows\Recent. This information plays a crucial role in helping to understand the sequence of […]

  • Unconstrained Delegation: Hunting for AD Weaknesses

    Intro Unconstrained delegation is a setting in Active Directory that allows a computer to impersonate a user and perform actions on their behalf. This feature is enabled by default on domain controllers in Active Directory. Concept Explained Imagine you have a big library with lots of books. Some of the books are really special and […]

  • Applications: Identifying Social Engineering Installations

    Intro Windows OS maintains a repository in the registry to keep track of applications that have been installed using the Windows Installer. This database is used by varying parts of the operating system in order to manage the installation, modification, and removal of software on the host. This information can aid incident responders in determining […]

  • Hunting Indirect Command Execution Using FTP

    Intro Ftp.exe can be used for starting arbitrary processes and commands. Indirect Command Execution is a technique used by adversaries to execute arbitrary commands through a trusted system or application. Adversaries use this technique to evade security controls and conceal their actions, making it difficult for defenders to detect and prevent malicious activity. Did you […]

  • Windows Firewall: Collecting Configuration Evidence

    Intro The Windows Firewall is a host-based feature in Windows OS that helps protect the computer from unauthorized access to the network and the internet. It is used to restrict incoming and outgoing network traffic based on a set of user-defined rules. The firewall monitors the network traffic and blocks any traffic that does not […]

  • Startup Folders: Persistence on Windows

    Intro The Startup folder in Windows is a location that plays an important role in the functioning of a system. Essentially, it contains shortcuts to applications that are automatically launched when a user logs in to the system. This can be a convenient way for IT teams to automate various tasks and ensure necessary software […]

  • Hunting Shortcut Files: Mapping “.LNKs” to a Target File

    Intro Shortcuts, also known as symbolic links, are simple files that provide convenient access to frequently used programs. These files are popular among users for their ease of use and accessibility. However, adversaries are also drawn to shortcuts as they provide a covert method for executing malicious programs. By disguising commands and harmful software within […]

  • Macros: Hunting for Documents that Users Trusted and Enabled

    Intro In a previous blog, I visited the topic of identifying internet-sourced files on a host system to help incident response teams quickly collect information to investigate a potential incident by utilizing Zone Identifiers. This information is crucial to gather as it could often answer the questions surrounding source attribution. So now that we found […]

  • Hunting Masquerading Executables: The Significance of the MZ header

    INTRO A common technique for adversaries to avoid detection when executing malware is to masquerade their tools under the guise of something that appears to be harmless. MITRE gives some wonderful descriptions into the techniques that have been used by various actors under Defense Evasion: T1036 Masquerading. Say, for instance, an adversary managed to coerce […]

  • Hunting for Hashes: Algorithm Unknown? No problem!

    INTRO Hashes are a fundamental tool in technical fields. Utilizing the values of hashes has become a common practice for ensuring the integrity of data, such as verifying the authenticity of a file during transfer or detecting malicious files through hash hunting. In the realm of security operations, threat hunting for known indicators is a […]

  • Zone Identifier 3: Finding All Files Originating from the Internet

    Intro Did you know you can easily find all your internet downloaded files on Windows and the website links they came from even if you cleared your browser history? Windows uses “tag” attributes called Zone Identifiers, which are a feature in Windows that assigns values between 0-4 (by default) to files in order to track […]