APT & CyberCriminal Campaign Collection (CyberMonitor/APT_CyberCriminal_Campagin_Collections on GitHub).
Appendix B - Incident Response Forms - Incident Response and Computer Forensics, 3rd Edition
The following files are part of Appendix B of Incident Response and Computer Forensics, 3rd Edition: Form 1 – Evidence Tag (.doc) – v1.0; Form 2 – Evidence Inventory (.doc) – v1.0; Form 3 – Client System Description (.doc) – v1.0; Form 4 – Evidence …
Lee Holmes | Extracting Forensic Script Content from PowerShell Process Dumps
After posting Extracting Activity History from PowerShell Process Dumps, I got an interesting follow-up question: “Is it possible to extract the content of scripts (from disk) that were executed, even if those files were not captured?” The answer is “Yes”, but it’s also complicated. And to make it even more complicated, we’re going to go down a path showing how to do some of this detective work from scratch. This is going to require a lot of WinDbg automation, so for a first step, install the WinDbg module.
DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC.
Although initially labeled as ransomware due to the ransom message that is displayed after infection, it now appears that NotPetya functions more as a destructive wiper-like tool than as actual ransomware.
Using Alternate Data Streams to Persist on a Compromised Machine | enigma0x3
Back in the days before Windows Vista, Alternate Data Streams used to be an acceptable way for malware authors to hide their malicious code. An Alternate Data Stream can be used to hide the presenc…