Investigating Ransomware: follow the process injection to discover WannaCry ransomware
→ Initial Access: evidence exploration, first execution, date and time
→ Post Exploitation: direct evidence, windows/temp/
→ C2 Malware: Sliver, ReversingLabs
→ Ransomware: WannaCry
Case walk-through for investigative practice and hands-on experience! Course and webinar available here: https://lnkd.in/eXJySht9
#DFIR #LearnDFIR #CyberTriage #SleuthKitLabs
Cyber Triage
Software Development
Somerville, MA · 2,961 followers
The Only Digital Forensics Tool You Need For Incident Response
About us
The Cyber Triage digital forensics tool makes your investigations more efficient using automated scoring and recommendations. If you are a SOC analyst, consultant, or law enforcement officer, Cyber Triage will maximize the artifacts per second that you process and ensure you get the attackers out quickly.
- Website: https://www.cybertriage.com/
- Industry: Software Development
- Company size: 51-200 employees
- Headquarters: Somerville, MA
- Type: Privately Held
- Founded: 2016
Products
Cyber Triage
User and Entity Behavior Analytics (UEBA) software
The Only Digital Forensics Tool You Need For Incident Response. Complete threat investigation done for you with speed, accuracy, and simplicity. Cyber Triage makes your investigations more efficient using automated scoring and recommendations. If you are a SOC analyst, consultant, or law enforcement officer, Cyber Triage will maximize the artifacts per second that you process and ensure you get the attackers out quickly.
Locations
- Primary: 1060 Broadway St, Somerville, MA 02144-2078, US
Posts
3 examples of sneaky remote access:
- Malicious RATs
- Commercial remote access
- Remote Windows access
Attackers can use these methods to exploit and place incriminating evidence on an innocent user's system. When a suspect claims the "Trojan Defense", investigators need to look for the artifacts that are left behind from remote access. Learn how to spot these artifacts and back your claim with confidence: https://lnkd.in/e4dBGjeQ
#DFIR #LearnDFIR #CyberTriage #SleuthKitLabs #TrojanDefense
Linked article: DFIR Artifacts for a Trojan Defense and Remote Access (cybertriage.com)
Why "adaptive" collection kicks @$$
DFIR collection is about 2 things:
#1 Getting all the evidence.
#2 Getting it quickly.
"Static" collectors focus only on #2. They collect a predefined set of files based on paths, hashes, and Yara, so they routinely miss evidence.
"Adaptive" collectors do both. They start with rules, then collect more based on what is found.
Example: Many static tools will collect registry hives. Adaptive tools will also parse the hive, focus on the dozens of AutoRuns keys, and collect the file that will get launched. That's where the real evidence is.
In short, adaptive collectors kick @$$, and that's why Cyber Triage comes with one.
For more on adaptive vs static collectors, read Brian Carrier's recent post → https://lnkd.in/eiTanqpb
#DFIR #LearnDFIR #CyberTriage #SleuthKitLabs
Linked article: Adaptive vs Static File Collections for DFIR (cybertriage.com)
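The adaptive step the post describes (parse the hive, find the AutoRuns entries, collect the file they launch), as an added example that is neither Cyber Triage's code nor code from the linked post. It assumes constructed Run-key values, a constructed host environment and an in-memory file system standing in for a real hive parser and disk; the command-line parsing handles quoted paths, unquoted paths, rundll32-hosted DLLs and %VAR% expansion, which is where a path-only static rule would stop short.

```python
import ntpath
import re

# Constructed autorun values (not from a real system): value name -> command line
# that Windows launches at logon. They cover the shapes a real Run key contains:
# a quoted path with arguments, an unquoted path, rundll32 loading a DLL, and an
# environment variable inside the path.
AUTORUN_VALUES = {
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "svc": r'C:\Users\bob\AppData\Roaming\svc.exe -silent',
    "Loader": r'rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,DllMain',
    "Tool": r'%APPDATA%\tool\run.exe',
}

# Constructed environment of the examined host, used to expand %VAR% references.
HOST_ENV = {"APPDATA": r"C:\Users\bob\AppData\Roaming"}

# Constructed in-memory file system of the examined host: path -> contents.
HOST_FILES = {
    r"C:\Windows\System32\config\SOFTWARE": b"<hive bytes>",
    r"C:\Users\bob\NTUSER.DAT": b"<hive bytes>",
    r"C:\Program Files\Vendor\updater.exe": b"MZ updater",
    r"C:\Users\bob\AppData\Roaming\svc.exe": b"MZ svc",
    r"C:\Users\bob\AppData\Local\Temp\x.dll": b"MZ x",
    r"C:\Users\bob\AppData\Roaming\tool\run.exe": b"MZ run",
}

# The predefined path rules a static collector stops at: the hives themselves.
STATIC_RULES = [r"C:\Windows\System32\config\SOFTWARE", r"C:\Users\bob\NTUSER.DAT"]


def expand_env(path, env):
    """Expand %VAR% references with the examined host's environment, not the analyst's."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def first_token(s):
    """Split off the first command-line token, honouring double quotes around paths with spaces."""
    s = s.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    head, _, rest = s.partition(" ")
    return head, rest


def launched_file(command, env):
    """Return the file an autorun command line actually executes or loads."""
    head, rest = first_token(expand_env(command, env))
    if ntpath.basename(head).lower() in ("rundll32.exe", "rundll32"):
        dll, _ = first_token(rest)
        return dll.split(",", 1)[0]  # "path.dll,EntryPoint" -> path.dll
    return head


def static_collect(files, rules):
    """Collect only what the predefined rules name."""
    return {path: files[path] for path in rules if path in files}


def adaptive_collect(files, rules, autoruns, env):
    """Start from the rules, then parse the autorun entries and also collect what they launch."""
    collected = static_collect(files, rules)
    for command in autoruns.values():
        target = launched_file(command, env)
        if target in files:
            collected[target] = files[target]
    return collected


if __name__ == "__main__":
    print("static  :", sorted(static_collect(HOST_FILES, STATIC_RULES)))
    print("adaptive:", sorted(adaptive_collect(HOST_FILES, STATIC_RULES, AUTORUN_VALUES, HOST_ENV)))
```

On the constructed host the static pass returns the two hives and nothing else; the adaptive pass adds the four launched binaries, including the DLL hidden behind rundll32 and the one reachable only after %APPDATA% expansion. A real collector would read the values from the SOFTWARE and NTUSER.DAT hives with a registry parser and would also handle the other AutoRuns locations (services, scheduled tasks, Winlogon and so on), which this example leaves out.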
Q: What tool was used in ~30% of ransomware data thefts investigated by Mandiant in 2023?
A: Rclone
Rclone, AKA the "Swiss Army Knife of cloud storage," can interact with 70+ cloud storage products and is the ransomware operator's tool of choice for data exfil. But it also can work *against* attackers. Trained investigators can use the artifacts Rclone leaves behind to access the attacker's exfil site.
Learn how in our first CT University! Tomorrow (11/13) at 11AM ET/8AM PT, Prof. Michael Wilkinson will teach you how to use Cyber Triage to investigate Rclone data exfil. He'll also cover the fundamentals of investigating with Cyber Triage.
Register today → https://lnkd.in/gsFJFnPG (Nearly 300 people already have)
P.S. Link to the Mandiant research reference in comments.
Linked page: register.gotowebinar.com
Learn how to investigate Rclone data exfil with CT. (New DFIR mini-class)
We're starting a new webinar series: CT University! Each 30-min session will help you master DFIR investigations with Cyber Triage, highlighting a different topic each time. Our first special topic is how to investigate Rclone data exfil.
The "Swiss Army Knife of cloud storage," Rclone is perfect for exfiltrating data. Every DFIR investigator should know how to spot it by the telltale artifacts it can leave behind. Learn how in this CT University mini-class.
Program:
- General investigation (10 min)
- Special topic (5 min)
- Office hours/AMA (15 min)
Professor: Michael Wilkinson
This class: Wed, Nov 13 at 11AM ET/8AM PT
Register today → https://lnkd.in/gsFJFnPG
Think your Linux system is compromised? Investigate it with UAC.
UAC is an open-source static collection tool designed to collect key forensic artifacts from *nix systems, including Linux. UAC is built around a single shell script but uses many config files.
To collect with UAC:
1. Prepare network services to store the output
2. Copy the TAR file onto the Linux system and unpack
3. Launch as root
4. Specify what to collect and where to save
Then, review the suspicious items in the output. (Cyber Triage can prioritize these for you automatically from UAC output)
For UAC collection 201, read our blog: https://lnkd.in/erpNhWVp
#DFIR #LearnDFIR #LinuxSecurity #IncidentResponse #UAC #DigitalForensics #CyberTriage #SleuthKitLabs
Linked article: Collecting Linux DFIR Artifacts with UAC (cybertriage.com)
Attackers can evade you with one *tiny* change. It can cause you to not detect malware and miss evidence in your investigation.
Changing just one bit in a malicious file creates a completely different cryptographic hash. It's easy for attackers to do. And easy to miss if files are not subject to further analysis.
Catch it using ImpHash. ImpHash is a hashing method for PE executable files that makes fuzzy matches so you can identify executables that are similar, but not the same.
Learn how Cyber Triage uses ImpHash to fuzzy-match malware: https://lnkd.in/eMB-h-k3
#DFIR #LearnDFIR #hashing #fuzzyhashing #Imphash #CyberTriage #SleuthKitLabs
Linked article: Intro to ImpHash for DFIR: "Fuzzy" Malware Matching (cybertriage.com)
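The contrast the post draws between a cryptographic hash and ImpHash, as an added example that is not Cyber Triage's code nor code from the linked article. It implements the ImpHash computation the way pefile's get_imphash() does it (lower-case "dll.function" pairs in import-table order, DLL suffix dropped, MD5 over the comma-joined list), assumes constructed import tables and constructed byte payloads standing in for real PE files, and writes ordinal imports as "ordN" without the ordinal-to-name lookup pefile applies for a few well-known DLLs.

```python
import hashlib

# Constructed import tables (not taken from any real binary). Each entry is
# (dll_name, symbol): the symbol is an exported function name or, for imports
# by ordinal, an integer ordinal.
IMPORTS_TOOL = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "CryptEncrypt"),
    ("MSVCRT.dll", "memcpy"),
    ("helper.dll", 7),
]
IMPORTS_UNRELATED = [
    ("USER32.dll", "MessageBoxW"),
    ("KERNEL32.dll", "ExitProcess"),
]


def normalize_dll(dll_name):
    """Lower-case the DLL name and drop a .dll/.ocx/.sys suffix, following pefile's imphash rule."""
    name = dll_name.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name


def imphash(imports):
    """MD5 over 'dll.function' pairs in import-table order (pefile's get_imphash algorithm).

    Assumption: ordinal imports are written as 'ordN'; pefile additionally maps
    known ws2_32/oleaut32 ordinals back to names, which this example omits.
    """
    parts = []
    for dll, symbol in imports:
        func = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{normalize_dll(dll)}.{func}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def sha256(data):
    """Exact-match hash: any single-bit change yields an unrelated value."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data, byte_index, bit):
    """Return a copy of data with one bit flipped: the 'tiny change' that defeats exact hashing."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def group_by_imphash(samples):
    """Cluster samples whose import tables hash identically, whatever their byte-level hash."""
    groups = {}
    for sample in samples:
        groups.setdefault(imphash(sample["imports"]), []).append(sample["name"])
    return groups


# Constructed stand-ins for PE file contents; the variant is the original with
# one bit flipped in its body, so its import table is unchanged.
PAYLOAD_ORIGINAL = b"MZ" + b"\x00" * 62 + b"constructed sample body" + b"\x00" * 64
PAYLOAD_VARIANT = flip_bit(PAYLOAD_ORIGINAL, 70, 0)

SAMPLES = [
    {"name": "original.exe", "data": PAYLOAD_ORIGINAL, "imports": IMPORTS_TOOL},
    {"name": "variant.exe", "data": PAYLOAD_VARIANT, "imports": IMPORTS_TOOL},
    {"name": "unrelated.exe", "data": b"MZ" + b"\x11" * 128, "imports": IMPORTS_UNRELATED},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s['name']:14} sha256={sha256(s['data'])[:16]}... imphash={imphash(s['imports'])}")
    print(group_by_imphash(SAMPLES))
```

Running it shows original.exe and variant.exe with different SHA-256 values but the same ImpHash, while unrelated.exe lands in its own group. Two properties worth knowing before relying on the match: the hash is case- and suffix-insensitive ("kernel32.DLL" and "KERNEL32.dll" hash the same), but it is order-sensitive, so a rebuilt binary whose linker emits the imports in a different order gets a different ImpHash even with identical imports. On a real sample, pefile.PE(path).get_imphash() returns the same value this function computes for the file's import directory.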
4 EDR blindspots for DFIR:
- Attackers can avoid EDRs
- Retention policies limit data
- Detection focus also limits data
- Bias against false positives misses investigative clues
EDRs are excellent at detection, but not the full investigation. With Windows Defender Live Response and the Cyber Triage Collector, you are able to avoid these blindspots and collect more artifacts.
Learn how to augment your Windows Defender with Cyber Triage: https://lnkd.in/eZ5XveUS
#DFIR #CyberTriage #SleuthKitLabs #LearnDFIR
Linked article: How To Investigate Endpoints with Cyber Triage and Windows Defender (cybertriage.com)
Want to make your KAPE collection easier? 3 steps:
#1. Collect files with KAPE
#2. Import KAPE data into Cyber Triage
#3. Extract important artifacts with Cyber Triage
Master KAPE + CT collection with Michael Wilkinson: https://lnkd.in/e-dB3Esg
#LearnDFIR #DFIR #CyberTriage #SleuthKitLabs
Linked video: Ingest KAPE DFIR Artifacts into Cyber Triage for Automated Forensic Analysis (youtube.com)
5 (sneaky) time wasters in DFIR:
- Data exfil detection
- PowerShell detection
- USB storage identification
- Disk image processing
- Global IOC search
And you can automate all 5 with CT 3.12! Learn how from (the one and only) Brian Carrier: https://lnkd.in/eeQMD9Dx
#DFIR #CyberTriage #SleuthKitLabs
Linked page: Cyber Triage 3.12 Release Webinar (cybertriage.com)