The Windows registry can contain evidence of:
→ Execution
→ Persistence
→ Data accessed
Our overview of the registry and tools for analyzing it: https://t.co/i8QSo5aCJL
Are you ready?
@carrier4n6 teaches endpoint triage tomorrow!
Triage investigations tell you:
→ What happened on your system
→ What to prioritize during the investigation
Don’t be a square.
(Or, do be?)
Either way, here’s how to register: https://t.co/LEdy9rkioE
4 user activity insights from jump lists:
→ Files a user has accessed
→ Applications used to access files
→ How frequently files have been accessed
→ Evidence of files no longer on the system
Learn how our DFIR experts do jump list forensics: https://t.co/KirOSHBlM3
The DFIR concept you should be using.
(but aren’t) ⤵
“Information Artifacts”
Learn how to use this concept to make your investigations more efficient from @carrier4n6 → https://t.co/5s0cGc04GX
EDRs won’t collect all DFIR Artifacts.
5 ways to deploy DFIR tools to help your investigation ⤵
Try all these methods with Cyber Triage Team + SentinelOne Singularity, Windows Defender, and CrowdStrike Falcon.
P.S. Which method do you use?
3 examples of sneaky remote access:
Malicious RATs
Commercial Remote Access
Remote Windows Access
Attackers can use these to place incriminating evidence on an innocent user’s system.
A suspect can claim the “Trojan Defense.”
How to back your claim: https://t.co/MPSxxm2BPE
Why “adaptive” collection kicks @$$
DFIR collection is about 2 things:
#1 Getting all the evidence.
#2 Getting it quickly.
“Static” collectors focus only on #2.
“Adaptive” collectors do both.
(That’s why Cyber Triage comes with one)
Learn more → https://t.co/3wkPYheT3H
Think your Linux system is compromised?
Investigate it with UAC ⤵
UAC is an open-source static collection tool designed to collect key forensic artifacts from “nix” systems.
Review the suspicious items in the output with Cyber Triage!
https://t.co/68CrljNZU6
Attackers can evade you with one *tiny* change.
It can cause you to not detect malware and miss evidence in your investigation.
Learn how Cyber Triage uses ImpHash to detect fuzzy hashes in malware: https://t.co/9leA6v4WR7
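As an added illustration of this point (example code, not Cyber Triage's own), here is the ImpHash algorithm computed over a constructed import table: a one-byte change to the file body defeats an exact hash, but the import hash is unchanged because the import table is untouched, while a rebuilt or reordered import table does change it. The import tables and file bodies below are constructed samples, not taken from any real binary.

```python
import hashlib

# Constructed import table, not taken from any real binary. Order matters:
# it is the order the PE import directory lists the DLLs and their functions.
BASE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "WriteFile", "VirtualAlloc"]),
    ("ADVAPI32.dll", ["RegOpenKeyExW", "RegSetValueExW"]),
    ("WS2_32.dll", ["WSAStartup", "connect", "send"]),
]

def normalize_imports(imports):
    """Build the string ImpHash is computed over: each entry becomes
    'module.function', lowercased, with a .dll/.ocx/.sys suffix removed
    from the module name, joined with commas in import-table order.
    Ordinal-only imports are not handled here (pefile resolves them to
    names for well-known DLLs before hashing)."""
    parts = []
    for dll, funcs in imports:
        mod = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        parts.extend(f"{mod}.{func.lower()}" for func in funcs)
    return ",".join(parts)

def imphash(imports):
    """MD5 of the normalized import list (the Mandiant ImpHash definition)."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Two constructed "samples": the same program with one byte changed in a
# string constant, which leaves the import table untouched.
ORIGINAL = {"body": b"MZ...stub...GET /update.bin HTTP/1.1...", "imports": BASE_IMPORTS}
PATCHED = {"body": b"MZ...stub...GET /update.bin HTTP/1.0...", "imports": BASE_IMPORTS}

def compare(sample_a, sample_b):
    """Return which hashes still match across two samples."""
    return {
        "sha256_match": sha256(sample_a["body"]) == sha256(sample_b["body"]),
        "imphash_match": imphash(sample_a["imports"]) == imphash(sample_b["imports"]),
    }

if __name__ == "__main__":
    # A one-byte edit defeats the exact hash but not the import hash.
    print(compare(ORIGINAL, PATCHED))  # {'sha256_match': False, 'imphash_match': True}
    # Adding an import (or reordering them) changes the ImpHash, which is why
    # it groups samples by build/toolchain rather than by exact file content.
    print(imphash(BASE_IMPORTS) == imphash(BASE_IMPORTS + [("urlmon.dll", ["URLDownloadToFileA"])]))
```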
4 EDR blindspots for DFIR:
• Attackers can avoid EDRs
• Retention policies limit data
• Detection focus also limits data
• Bias against false positives misses investigative clues
Augment your Windows Defender with CT to avoid these blindspots: https://t.co/bptbJrpCbn.
Cyber Triage 3.12 is out now!
This release introduces new key features with the focus of making your response even faster!
Join us for a webinar on October 9th at 1PM EDT to see these features in action.
Read more here: https://t.co/o6tYOFGbZU
Webinar sign-up: https://t.co/q1QK5VbGsq
DFIR Breakdown: Impacket Remote Execution Activity – atexec
This blog post focuses on the script https://t.co/hzWunuVOSW, which can be abused by threat actors, and how to detect its remote execution activity from various DFIR artifacts.
https://t.co/XayvOXrYlC
Have you ever needed to collect DFIR artifacts using a local non-DFIR person who didn’t want to use the command line?
Check out this video included in our freely available training course materials now up on our YouTube channel!
https://t.co/1zTO8be5gV
Glad I chose @Arbys drive thru tonight. Would have been nice to get the chicken portion of my chicken bacon and Swiss sandwich. Highlight of the meal were the fries dipped in Arby’s and horsey sauce as they were the only thing correct in the order.
New "DFIR Next Steps" post on what to do when an alert relating to the use of curl.exe is raised.
This post walks through a scenario suspecting that curl was used to download a rootkit or malware to the host and the three steps to take afterwards.
https://t.co/Kj8qGoxfa9
DFIR Breakdown: Using Certutil To Download Attack Tools
certutil is a Windows utility that is used by threat actors during an attack to achieve some malicious goal by installing their own certificates on a system.
Learn more and be prepared: https://t.co/pqNaau2hP9
#LearnDFIR next week with a Fuzzy Malware Hashing Webinar. Tues at 1PM Eastern.
We’ll look at:
* Several fuzzy matching algorithms, such as ImpHash, ssdeep, and TLSH.
* Pros and cons of them
* Which can be used in DFIR
https://t.co/yhmNVuUNKy