Exported .evtx files may contain corrupted data - Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged, but applications … Continue reading Export corrupts Windows Event Log files
Getting in the Zone: dumping Active Directory DNS using adidnsdump
Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any … Continue reading Getting in the Zone: dumping Active Directory DNS using adidnsdump
mkYARA – Writing YARA rules for the lazy analyst
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code … Continue reading mkYARA – Writing YARA rules for the lazy analyst
PsiXBot: The Evolution Of A Modular .NET Bot
PsiXBot: The Evolution Of A Modular .NET Bot Summary In this blog we will share our analysis of a modular piece of malware which is referred to by the author as PsiXBot. The malware first surfaced in 2017 but has recently undergone significant developments of its core and modules, which include the logging of keystrokes … Continue reading PsiXBot: The Evolution Of A Modular .NET Bot
Identifying Cobalt Strike team servers in the wild
How an anomalous space led to fingerprinting Summary On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an "extraneous space". This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past … Continue reading Identifying Cobalt Strike team servers in the wild
Your trust, our signature
Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario … Continue reading Your trust, our signature
Phishing – Ask and ye shall receive
During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to … Continue reading Phishing – Ask and ye shall receive
