Super timeline initial triage with Jupyter and Pandas

While Pandas may not care much about time then incident responders should. Timeline creation and analysis are the core activities of many deep dive digital forensics investigations. Run log2timeline/plaso on logs and other common evidence data and you’ll get a nice csv file with parsed events together with their associated time. This allows to correlateContinue reading “Super timeline initial triage with Jupyter and Pandas”

Threat hunting with Microsoft Defender – Valid Accounts

In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.

Threat hunting with CrowdStrike – Valid Accounts

Techniques of interest: |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares   Hypothesis:  If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines.   If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike – Valid Accounts”

Finding newly registered domains for hunting and blocking.

Originally published in 2015. Email addresses in freshly registered short lived domains are increasingly used to send spam and malware. They are also used in spear phishing campaigns often combined with bitsquatting/typosquatting techniques to fool users into trusting the message content. The same applies to websites serving malicious content that are linked by the phishingContinue reading “Finding newly registered domains for hunting and blocking.”