Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) . This can be in the form of a continuous connection or connect the victim machine directly. However, it’s convenient to have the victim machine connect to you. In other words: It … Continue reading Hunting for beacons
Combining both n-grams and random forest models to detect malicious activity. Author: Haroen Bashir An essential part of Managed Detection and Response at Fox-IT is the Security Operations Center. This is our frontline for detecting and analyzing possible threats. Our Security Operations Center brings together the best in human and machine analysis and we continually … Continue reading Detecting random filenames using (un)supervised machine learning
Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often. Office 365 breach investigations are common at our department. You’ll find that this blog post actually doesn’t make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office … Continue reading Office 365: prone to security breaches?
Applying unsupervised machine learning to find ‘randomly generated domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of our Security Operations Center. One of these areas is applying data science techniques to real world data in real … Continue reading Using Anomaly Detection to find malicious domains
Exported .evtx files may contain corrupted data - Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged, but applications … Continue reading Export corrupts Windows Event Log files