Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) . This can be in the form of a continuous connection or connect the victim machine directly. However, it’s convenient to have the victim machine connect to you. In other words: It … Continue reading Hunting for beacons
Combining both n-grams and random forest models to detect malicious activity. Author: Haroen Bashir An essential part of Managed Detection and Response at Fox-IT is the Security Operations Center. This is our frontline for detecting and analyzing possible threats. Our Security Operations Center brings together the best in human and machine analysis and we continually … Continue reading Detecting random filenames using (un)supervised machine learning
Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often. Office 365 breach investigations are common at our department. You’ll find that this blog post actually doesn’t make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office … Continue reading Office 365: prone to security breaches?
Applying unsupervised machine learning to find ‘randomly generated domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of our Security Operations Center. One of these areas is applying data science techniques to real world data in real … Continue reading Using Anomaly Detection to find malicious domains
Exported .evtx files may contain corrupted data - Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged, but applications … Continue reading Export corrupts Windows Event Log files
This posting is an update to Torrentlocker blog postings of October 15 and October 21. Introduction Since past weekend, the Netherlands were hit with another spam run spreading the Cryptolocker variant known as Torrentlocker. Torrentlocker presents itself to victims as Cryptolocker in all cases, however this is a completely different malware. Fox-IT received multiple reports … Continue reading Cryptolocker variant Torrentlocker making new victims in NL
This posting is an update to the Torrentlocker blog posting of October 15. For guidance on containment and recovery, see the previous blog post. Financial aspects Payments for the ransom have to be done in Bitcoins. We have identified 7 Bitcoin addresses that received ransom payments. The total income as of the 21th of October … Continue reading Update on the Torrentlocker ransomware