Gesamtlänge aller Episoden: 6 days 5 minutes
This week it's more about lateral movement and kerberos events.
In a typical Linux "bin" directory, you can find various types of executable files and scripts that are used to perform different tasks. The confusing part is that there are a number of different BIN directories throughout the file system. What is the...
Werfault is in interesting artifact in that there is not a lot of documentation on it but yet it may affect an investigation in different ways. Its appearance in logs sometimes adds a bit of confusion to an investigation because it could mean...
Certutil, a powerful command-line utility, possesses the potential for misuse by malicious actors to establish illicit network connections. Therefore, it is crucial to familiarize oneself with its legitimate applications and recognize common...
This week I'm going to cover an important Windows event that provides valuable information about authentication attempts and potential security breaches. The event may be used to identify compromised accounts, identify brute, force, attacks, or...
In Linux and Unix-based operating systems, the "root" account is the superuser or administrator account with the highest level of privileges. It has complete control over the system and can perform any action, including modifying system files,...
This week we are taking a bit of a deep dive into an advanced attack technique to accomplish remote execution called “fetch and execute.” While there are different methods to accomplish the sort of thing what I am going to be focusing on is...
This week I am going to focus on a specific remote execution technique that you may see in the wild. Remote execution is important for incident response investigations but also for file use and knowledge investigations, particularly those that...
Finding and analyzing failed logons sometimes is just as important as finding suspicious, actual logon activity. Like anything, context is important. Old logon records offer an opportunity to identify not only suspicious activity, but perhaps...
This week I will discuss the use of the OODA loop and JOHARI window in security incident response investigations. These two frameworks are designed to help organizations quickly and effectively respond to security incidents, and can be used in...