While Pandas may not care much about time then incident responders should. Timeline creation and analysis are the core activities of many deep dive digital forensics investigations. Run log2timeline/plaso on logs and other common evidence data and you’ll get a nice csv file with parsed events together with their associated time. This allows to correlateContinue reading “Super timeline initial triage with Jupyter and Pandas”
In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.
Techniques of interest: https://attack.mitre.org/techniques/T1078/ https://attack.mitre.org/techniques/T1021/ |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares Hypothesis: If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines. If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike – Valid Accounts”
Originally published in 2015. Email addresses in freshly registered short lived domains are increasingly used to send spam and malware. They are also used in spear phishing campaigns often combined with bitsquatting/typosquatting techniques to fool users into trusting the message content. The same applies to websites serving malicious content that are linked by the phishingContinue reading “Finding newly registered domains for hunting and blocking.”