How (not) to log DNS traffic

Companies tend to create their security detections based on the trending behavior of threat actors. One of the constantly recurring techniques is DNS-based activity, such as exfiltration via DNS (Domain Name System) or C2 (Command and Control) communication via DNS. Still, a lot of companies are lacking DNS logging, missing DNS-based detection rules, or are not aware of their own blind spots. In this post I’m not trying to explain how to detect DNS-based techniques.

Unremovable malware with WSL

Windows Subsystem for Linux (or, as I’m incorrectly calling it, Linux Subsystem for Windows) is a tool in Windows 10 that provides a Linux kernel on top of the Windows kernel. WSL can translate Linux system calls into Windows ones. This way one can execute Linux-related apps/commands in Windows without recompilation. It can be powerful in the hands of a good administrator, but it also has some drawbacks, as mentioned in this Reddit post: https://www.

Defcon DFIR CTF 2019 writeup - Triage VM

This year an unofficial Defcon DFIR CTF was provided by Champlain College’s Digital Forensic Association. They created challenges in 5 topics, which are available to anyone for a little practice on this site: defcon2019.ctfd.io. The challenges are sorted into the following categories: DFA Crypto Challenge, Deadbox Forensics, Linux Forensics, Memory Forensics, and Triage VM Questions. I’m pretty new to forensics; I started my journey approximately 9 months ago and have been doing it as an active hobby for 6 months now.