Threat hunting is not an easy task. The multitude of ways in which attackers can implement the next stages of an attack makes the detection scenarios seem endless. That is why it is so important to prioritize properly and focus on the stages of an intrusion during which attackers have less room to manoeuvre. And just the perfect attack phase for this […]
Tag: dfir
Register(ing) activity related to documents
The last two posts concerned hiding traces of malicious activity in the environment and attempts to confuse analysts. This time we will focus on traces that allow us to determine what the user or the attacker was doing. Forensic analysis can have two main purposes. In cases most often associated with threat intelligence, we will try to detect the activities of attackers leading […]
Anti-forensics techniques - registry timestomping
In the previous post, we dealt with one of the most popular anti-forensic techniques – timestomping: rewriting file timestamps to confuse analysts and make the files appear unrelated to the malicious activity. This time we will try to transfer timestomping to another source of evidence - the Windows registry. The registry is definitely one of the […]
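As an added illustration of the file-side technique recapped above (this is example code written for this listing, not code from the blog posts themselves), the check below applies the standard NTFS timestomping heuristics to a handful of constructed MFT records: the `$STANDARD_INFORMATION` timestamps that user-mode `SetFileTime()` can rewrite are compared against the kernel-maintained `$FILE_NAME` timestamps, and whole-second `$SI` values are treated as a secondary signal. The `MftEntry` class, the indicator names and the sample paths and dates are all assumptions made for the example; real records would come from an MFT parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftEntry:
    """Timestamps from one NTFS MFT record (constructed for this example; no real MFT parsing).

    si_* = $STANDARD_INFORMATION, the set that user-mode SetFileTime() can rewrite.
    fn_* = $FILE_NAME, written only by the kernel on create/rename.
    """
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


STRONG = "si_created_before_fn_created"


def timestomp_indicators(e: MftEntry) -> list[str]:
    """Return the heuristic indicators that fire for one record."""
    hits: list[str] = []
    # 1 (strong): $FN creation is copied from $SI at create/rename time and cannot be
    #   backdated from user mode, so $SI created < $FN created means $SI was rewritten
    #   to an earlier date after the file already existed.
    if e.si_created < e.fn_created:
        hits.append(STRONG)
    # 2 (weak): same comparison for the modified timestamp. Caveat: a plain file copy
    #   preserves the source's $SI modified time while $FN gets the copy time, so this
    #   fires on legitimately copied files as well.
    if e.si_modified < e.fn_modified:
        hits.append("si_modified_before_fn_modified")
    # 3 (weak): NTFS keeps 100 ns resolution; stomping tools that take a date string
    #   write zeroed sub-seconds. Caveat: FAT/exFAT sources and some archive formats
    #   also yield whole-second times.
    if e.si_created.microsecond == 0 and e.si_modified.microsecond == 0:
        hits.append("si_zero_subseconds")
    return hits


def is_suspect(e: MftEntry) -> bool:
    """The strong indicator alone, or both weak ones together, flags the record."""
    hits = timestomp_indicators(e)
    return STRONG in hits or len(hits) >= 2


def scan(entries: list[MftEntry]) -> dict[str, list[str]]:
    """Map path -> indicators for every record that is_suspect()."""
    return {e.path: timestomp_indicators(e) for e in entries if is_suspect(e)}


# Constructed sample records, not taken from any real system.
SAMPLE_ENTRIES = [
    # Normal file: $FN times equal the creation instant, $SI modified is later,
    # sub-seconds are non-zero.
    MftEntry(
        r"C:\Users\alice\Documents\report.docx",
        si_created=datetime(2023, 3, 14, 9, 12, 33, 123456, tzinfo=UTC),
        si_modified=datetime(2023, 3, 15, 17, 40, 2, 654321, tzinfo=UTC),
        fn_created=datetime(2023, 3, 14, 9, 12, 33, 123456, tzinfo=UTC),
        fn_modified=datetime(2023, 3, 14, 9, 12, 33, 123456, tzinfo=UTC),
    ),
    # Backdated dropper: $SI set to 2019 with whole seconds, $FN still shows the
    # real 2024 creation.
    MftEntry(
        r"C:\Windows\Temp\svchost.exe",
        si_created=datetime(2019, 7, 1, 8, 0, 0, tzinfo=UTC),
        si_modified=datetime(2019, 7, 1, 8, 0, 0, tzinfo=UTC),
        fn_created=datetime(2024, 5, 20, 3, 14, 59, 887123, tzinfo=UTC),
        fn_modified=datetime(2024, 5, 20, 3, 14, 59, 887123, tzinfo=UTC),
    ),
    # File copied from a FAT-formatted USB stick: modified time carried over from
    # the source, creation is the copy time. Only the weak indicator 2 fires.
    MftEntry(
        r"C:\Users\alice\Downloads\slides.pdf",
        si_created=datetime(2024, 5, 21, 10, 5, 7, 300200, tzinfo=UTC),
        si_modified=datetime(2022, 1, 10, 12, 0, 0, tzinfo=UTC),
        fn_created=datetime(2024, 5, 21, 10, 5, 7, 300200, tzinfo=UTC),
        fn_modified=datetime(2024, 5, 21, 10, 5, 7, 300200, tzinfo=UTC),
    ),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_ENTRIES).items():
        print(path, "->", ", ".join(hits))
```

The point of the third record is the false positive the weak heuristics produce on their own: a copied file looks like a stomped one on the modified-time comparison, which is why only the `$SI`-created-before-`$FN`-created condition is treated as sufficient by itself. None of these checks carry over directly to the registry, where keys have a single LastWrite time and no `$FILE_NAME` equivalent to compare against.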
Anti-forensic - introduction and timestomping
As I mentioned on the blog, threat intelligence is essentially threat counterintelligence - the process of stopping hostile infiltration of the environment. This time we will deal with a strictly technical issue: how attackers can try to hide traces of their activity (anti-forensics) and how to detect such attempts. The starting point for our considerations […]