3 examples of sneaky remote access: Malicious RATs, Commercial Remote Access, Remote Windows Access. Attackers can use these to place incriminating evidence on an innocent user’s system. A suspect can claim the “Trojan Defense”. How to back your claim: cybertriage.com/blog/dfir-arti…
Why “adaptive” collection kicks @$$ DFIR collection is about 2 things: #1 Getting all the evidence. #2 Getting it quickly. “Static” collectors focus only on #2. “Adaptive” collectors do both. (That’s why Cyber Triage comes with one) Learn more → cybertriage.com/blog/adaptive-…
Think your Linux system is compromised? Investigate it with UAC ⤵ UAC is an open-source static collection tool designed to collect key forensic artifacts from “nix” systems. Review the suspicious items in the output with Cyber Triage! cybertriage.com/blog/collectin…
Attackers can evade you with one *tiny* change. It can cause you to not detect malware and miss evidence in your investigation. Learn how Cyber Triage uses ImpHash to detect fuzzy hashes in malware: cybertriage.com/blog/intro-to-…
4 EDR blindspots for DFIR: • Attackers can avoid EDRs • Retention policies limit data • Detection focus also limits data • Bias against false positives misses investigative clues Augment your Windows Defender with CT to avoid these blindspots: cybertriage.com/blog/how-to-in….
Cyber Triage 3.12 is out now! This release introduces new key features with the focus of making your response even faster! Join us for a webinar October 9th 1PM EDT to see these features in action Read more here: cybertriage.com/blog/releases/… Webinar SignUp: register.gotowebinar.com/register/39945…
DFIR Breakdown: Impacket Remote Execution Activity – atexec This blog post focuses on the script atexec.py - which can be abused by threat actors - and how to detect its remote execution activity from various DFIR artifacts. cybertriage.com/blog/dfir-brea…
Have you ever needed to collect DFIR artifacts using a local non-DFIR person who didn’t want to use the command line? Check out this video included in our freely available training course materials now up on our YouTube channel! youtube.com/watch?v=fOT_Sa…
Glad I chose @Arbys drive thru tonight. Would have been nice to get the chicken portion of my chicken bacon and Swiss sandwich. Highlight of the meal were the fries dipped in Arby’s and horsey sauce as they were the only thing correct in the order.
New "DFIR Next Steps" post on what to do when an alert relating to the use of curl.exe is raised. This post walks through a scenario suspecting that curl was used to download a rootkit or malware to the host and the three steps to take afterwards. cybertriage.com/blog/dfir-next…
DFIR Breakdown: Using Certutil To Download Attack Tools Windows certutil is a Windows utility that is used by threat actors during an attack to achieve some malicious goal by installing their own certificates on a system. Learn more and be prepared: hubs.li/Q02HYsDV0
#LearnDFIR next week with a Fuzzy Malware Hashing Webinar. Tues at 1PM Eastern. We’ll look at: * Several fuzzy matching algorithms, such as ImpHash, ssdeep, and TLSH. * Pros and cons of them * Which can be used in DFIR attendee.gotowebinar.com/register/30107…
Webinar at 1 today talking about BitLocker and other expanded disk image features in Cyber Triage. Hope to see you there.
Webinar at 1PM EDT Today! We will cover key new features in the latest Cyber Triage release so that you can most effectively use what's been added. Register here: hubs.li/Q02F-xJK0
Interesting ImpHash post from Chris Ray in our R&D team on false positives and negatives with using it to find malware. Learn about why it's great for some malware, but less effective with .Net, Go, packed EXEs, and some trojans. cybertriage.com/blog/limitatio…
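To make the two ImpHash posts above concrete, here is a small added example (not Cyber Triage's code, and not from the linked post) that computes an ImpHash the way pefile and Mandiant describe it: each import becomes a lower-case "dll.function" pair with a .dll/.ocx/.sys extension stripped, the pairs are joined with commas in import-table order, and MD5 is taken over the result. The import tables, file bodies and sample names below are constructed. It shows why a one-byte change defeats a file hash but not the ImpHash, and two of the limitations mentioned above: reordering the import table changes the ImpHash, and every .NET executable imports the same single native symbol, so they all share one ImpHash.

```python
"""ImpHash over a PE import table (added example, not Cyber Triage code).

Follows the pefile/Mandiant scheme: "dll.function" in lower case with a
.dll/.ocx/.sys extension stripped, entries joined with commas in import-table
order, MD5 over that string. All import tables and bodies are constructed.
"""
import hashlib

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash(imports):
    """imports: [(dll_name, [function_name | ordinal_int, ...]), ...] in table order."""
    entries = []
    for dll, funcs in imports:
        lib = dll.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in STRIPPED_EXTENSIONS:
            lib = stem
        for func in funcs:
            # Imports by ordinal are rendered as "ordNN". pefile additionally
            # maps ordinals to names for ws2_32 and oleaut32; that table is
            # omitted here, so binaries importing by ordinal hash differently.
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            entries.append(f"{lib}.{name}")
    return hashlib.md5(",".join(entries).encode()).hexdigest()


# Constructed import table of a hypothetical RAT.
RAT_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "WriteFile", "VirtualAlloc"]),
    ("WS2_32.dll", ["connect", "send", "recv"]),
    ("ADVAPI32.dll", ["RegSetValueExW"]),
]
# Same import table, but the attacker swapped two descriptors in the table.
REORDERED_IMPORTS = [RAT_IMPORTS[1], RAT_IMPORTS[0], RAT_IMPORTS[2]]

# Two constructed "builds" whose only difference is one byte in a C2 string.
BUILD_A = b"MZ\x90\x00 constructed PE body ... C2=10.0.0.5"
BUILD_B = b"MZ\x90\x00 constructed PE body ... C2=10.0.0.6"

# Every .NET executable's native import table is just mscoree!_CorExeMain,
# so the ImpHash is identical for unrelated managed programs.
DOTNET_IMPORTS = [("mscoree.dll", ["_CorExeMain"])]


def compare(body_a, imports_a, body_b, imports_b):
    """Return (file hashes match, ImpHashes match) for two samples."""
    sha_match = hashlib.sha256(body_a).digest() == hashlib.sha256(body_b).digest()
    return sha_match, imphash(imports_a) == imphash(imports_b)


if __name__ == "__main__":
    print("one-byte change:      sha256 match=%s imphash match=%s"
          % compare(BUILD_A, RAT_IMPORTS, BUILD_B, RAT_IMPORTS))
    print("reordered imports:    sha256 match=%s imphash match=%s"
          % compare(BUILD_A, RAT_IMPORTS, BUILD_A, REORDERED_IMPORTS))
    print(".NET imphash:", imphash(DOTNET_IMPORTS))
```

Treat an ImpHash match as a lead to pivot on, not as proof of a family: a match between two .NET binaries, two statically linked Go binaries, or two samples wrapped by the same packer tells you about the loader stub, not the payload.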
Learn about the Trojan Defense and #DFIR artifacts. Know if someone else accessed a suspect's computer. Look for malware, commercial remote access, and authentications from external IPs. Read the blog or come see my talk at @technosecurity cybertriage.com/blog/dfir-arti…
What is Kerberoasting and how to detect it after an attack? In this blog post, we will look into Kerberoasting from a DFIR perspective and how the recently added analytics into Cyber Triage can detect domain controller attacks. Read more here: hubs.li/Q02z5tCz0
Webinar This Week! Join us on Thursday as we look at how EDR evasion works and tools to aid DFIR collection. Register here: hubs.li/Q02ysZV_0 After registration, visit hubs.li/Q02ys_Dd0 to learn about some of the collection tools that will be discussed!
Where should you start your Linux Investigation? When a Linux system is compromised, you will need to begin your investigation by collecting data/DFIR Artifacts which you can do efficiently using UAC and Cyber Triage. Read more on how here: hubs.li/Q02ymSD30
Learn how to collect #DFIR artifacts with @crowdstrike Real Time Response and @cybertriage It's a simple PowerShell integration that downloads our collector and uploads artifacts. It's important to quickly collect artifacts as soon as you get an alert.
Static vs Adaptive File Collectors. I started to use the term adaptive to compare different #dfir collectors. Adaptive tools go beyond the initial static set of rules. They parse artifacts and get addl. files to adapt to the host. cybertriage.com/blog/adaptive-…
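As an added illustration of the static-versus-adaptive distinction drawn in this post and in the earlier "adaptive collection" post (example code written for this page, not Cyber Triage's collector), the toy below starts from a fixed artifact list and then parses constructed persistence entries (Run values, service ImagePaths, a scheduled-task action) to queue every executable, DLL and script they point at. The host paths, environment values and the assumption that a bare program name resolves to System32 are all constructed for the example.

```python
"""Static vs adaptive DFIR file collection, as a toy (added example, not
Cyber Triage code). A static collector grabs a fixed list of artifact paths;
an adaptive one also parses the persistence artifacts it just collected and
queues every file they reference. All paths and values are constructed."""
import ntpath
import re

# Fixed artifact list every collector starts from (constructed, abbreviated).
STATIC_TARGETS = [
    r"C:\Windows\System32\config\SYSTEM",
    r"C:\Windows\System32\config\SOFTWARE",
    r"C:\Users\bob\NTUSER.DAT",
    r"C:\Windows\System32\Tasks",
    r"C:\Windows\Prefetch",
]

# What parsing those artifacts would yield on this constructed host.
PERSISTENCE_COMMANDS = [
    r'"C:\Users\bob\AppData\Roaming\upd.exe" -s',                 # HKCU Run value
    r"%SystemRoot%\system32\svchost.exe -k netsvcs",             # service ImagePath
    r"C:\ProgramData\Agent\agent.exe",                            # service ImagePath
    r"rundll32.exe C:\Users\Public\Libraries\ldr.dll,Start",     # HKLM Run value
    r'powershell.exe -w hidden -f "C:\Users\bob\AppData\Local\Temp\x.ps1"',  # task action
]

# Constructed environment of the host being collected.
HOST_ENV = {
    "systemroot": r"C:\Windows",
    "programdata": r"C:\ProgramData",
    "appdata": r"C:\Users\bob\AppData\Roaming",
}
SYSTEM32 = r"C:\Windows\System32"  # assumed resolution dir for bare program names

# A quoted path, or an unquoted token ending in an executable extension that is
# followed by whitespace, a comma (rundll32 syntax), a quote or end of string.
PATH_RE = re.compile(
    r'"([^"]+)"|(\S+?\.(?:exe|dll|sys|bat|cmd|ps1|vbs|js))(?=[\s,"]|$)', re.I)
ENV_RE = re.compile(r"%(\w+)%")


def expand_env(path, env=HOST_ENV):
    """Expand %VAR% using the collected host's environment, case-insensitively."""
    return ENV_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def referenced_files(command):
    """Every file a persistence command line points at, as absolute paths."""
    files = []
    for quoted, bare in PATH_RE.findall(command):
        path = expand_env(quoted or bare)
        if not ntpath.isabs(path):
            path = ntpath.join(SYSTEM32, path)  # assumption: bare name lives in System32
        files.append(ntpath.normpath(path))
    return files


def static_collect():
    """A static collector only ever returns its fixed rule set."""
    return list(STATIC_TARGETS)


def adaptive_collect(commands=PERSISTENCE_COMMANDS):
    """Static targets plus everything the parsed persistence entries reference."""
    queue = set(STATIC_TARGETS)
    for cmd in commands:
        queue.update(referenced_files(cmd))
    return sorted(queue)


if __name__ == "__main__":
    extra = sorted(set(adaptive_collect()) - set(static_collect()))
    print("files added by adapting to the host:")
    for path in extra:
        print("  ", path)
```

The files the adaptive pass adds are exactly the ones you want hashed and scanned before the host is reimaged: the Run-key binary in a user profile, the DLL handed to rundll32, the script a scheduled task launches. A static collector that only ships the hives and the Tasks folder leaves those for a second trip to the host.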