
DFSP # 435 - Good Ol' Powershell
Threat actors often exploit PowerShell in cyber attacks due to its capabilities and integration with Windows operating systems. Microsoft has cited PowerShell as one of the most commonly used tools in...
18 Jun 2024, 29 min

DFSP # 434 - The Reg
The Windows registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as...
11 Jun 2024, 20 min

DFSP # 433 - SU DOs and DONTS
On a Linux or Mac system, some user accounts have the ability to escalate privileges. Knowing how to triage for this has a twofold benefit: (1) you obviously want to know which account ...
4 Jun 2024, 20 min
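An added worked example of the triage this episode describes (written for this page, not taken from the podcast or its show notes): given the contents of a Linux host's /etc/sudoers, /etc/group and /etc/passwd, list every account that can reach root and why. The three files below are constructed samples, the `triage` function and its output wording are my own, and the parser handles only plain user specifications (aliases and include directives are skipped rather than expanded).

```python
import re
from collections import defaultdict

# Matches one sudoers user specification: who host=(runas) [tags:] commands
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")


def parse_sudoers(text):
    """Yield (principal, is_group, nopasswd, commands) for each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (this also drops #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        nopasswd = "NOPASSWD:" in cmds
        cmds = [c.strip() for c in TAG_RE.sub("", cmds).split(",") if c.strip()]
        who = m.group("who")
        yield who.lstrip("%"), who.startswith("%"), nopasswd, cmds


def parse_group(text):
    """Return ({group: set(members)}, {gid: group}) from /etc/group content."""
    members, gid_name = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, gid, member_list = line.split(":", 3)
        members[name] = {m for m in member_list.split(",") if m}
        gid_name[gid] = name
    return members, gid_name


def parse_passwd(text):
    """Return [(user, uid, gid)] from /etc/passwd content."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        out.append((fields[0], int(fields[2]), fields[3]))
    return out


def triage(sudoers_text, group_text, passwd_text):
    """Map every account that can reach root to the reasons it can."""
    members, gid_name = parse_group(group_text)
    accounts = parse_passwd(passwd_text)
    # Primary group membership lives in passwd, not in the group file's member list.
    for user, _uid, gid in accounts:
        if gid in gid_name:
            members.setdefault(gid_name[gid], set()).add(user)
    findings = defaultdict(list)
    for user, uid, _gid in accounts:
        if uid == 0:      # any second uid-0 account is root, whatever it is called
            findings[user].append("uid 0" if user == "root" else "uid 0 (extra root-equivalent account)")
    for name, is_group, nopasswd, cmds in parse_sudoers(sudoers_text):
        targets = members.get(name, set()) if is_group else {name}
        scope = "ALL commands" if "ALL" in cmds else "limited to: " + ", ".join(cmds)
        note = "sudo " + scope + (" without a password" if nopasswd else "") + (f" via %{name}" if is_group else "")
        for t in sorted(targets):
            findings[t].append(note)
    return dict(findings)


# Constructed sample files (not from any real host).
SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) NOPASSWD: /usr/bin/vim /etc/backup.conf
"""
GROUP = """\
root:x:0:
wheel:x:10:dave
sudo:x:27:alice,bob
users:x:100:
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
dave:x:1002:10::/home/dave:/bin/bash
deploy:x:1003:1003::/srv/app:/bin/sh
backup:x:1004:1004::/var/backups:/bin/sh
svc:x:1005:100::/home/svc:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, reasons in sorted(triage(SUDOERS, GROUP, PASSWD).items()):
        print(f"{user:8} " + "; ".join(reasons))
```

The "limited to" entries still deserve a look: a NOPASSWD rule for an editor such as vim is a shell escape away from root, so the list tells you where to look, not that the account is safe.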

DFSP # 432 - Control Bits
TCP control bits are part of the TCP header and are used to manage the connection between two devices. These control bits are single-bit flags that indicate various aspects of the TCP connection and a...
28 May 2024, 24 min
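An added example for the control bits this episode covers (written for this page, not code from the podcast): it decodes the fixed 20-byte TCP header, names the control bits set in byte 13, and classifies the combination, including the crafted ones (no flags, SYN+FIN, FIN+PSH+URG) that do not occur in a legitimate connection. The `make_segment` helper builds constructed headers for the demo; the classification wording is my own.

```python
import struct

# Control bits in byte 13 of the TCP header (RFC 793, CWR/ECE from RFC 3168);
# NS (RFC 3540) sits in the low bit of byte 12 next to the data offset.
TCP_FLAGS = {
    0x80: "CWR", 0x40: "ECE", 0x20: "URG", 0x10: "ACK",
    0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN",
}
HEADER_FMT = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent ptr


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and name the control bits that are set."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_res, flags, window, _csum, urg = struct.unpack(HEADER_FMT, segment[:20])
    names = [n for bit, n in sorted(TCP_FLAGS.items(), reverse=True) if flags & bit]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,       # header length in bytes (20..60)
        "ns": bool(off_res & 0x01),
        "flags": names, "window": window, "urgent_ptr": urg,
    }


def classify(flags) -> str:
    """Describe what a flag combination means for the connection, calling out crafted ones."""
    f = set(flags)
    if not f:
        return "null scan: no control bits set"
    if {"SYN", "FIN"} <= f:
        return "crafted: SYN and FIN together"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "xmas scan: FIN+PSH+URG without ACK"
    if f == {"SYN"}:
        return "connection request"
    if f == {"SYN", "ACK"}:
        return "connection accepted"
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "teardown"
    if "ACK" in f:
        return "established: data or acknowledgement"
    return "unusual: " + "+".join(sorted(f))


def make_segment(flags: int, src=40000, dst=443, seq=1, ack=0) -> bytes:
    """Build a constructed 20-byte TCP header for the demo (no options, zero checksum)."""
    return struct.pack(HEADER_FMT, src, dst, seq, ack, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    for raw_flags in (0x02, 0x12, 0x10, 0x18, 0x11, 0x14, 0x00, 0x03, 0x29):
        h = parse_tcp_header(make_segment(raw_flags))
        print(f"0x{raw_flags:02x} {'+'.join(h['flags']) or '-':14} {classify(h['flags'])}")
```

When you read this off a capture, remember that the same byte is what filters such as `tcp[13] & 0x02 != 0` (SYN set) test, so the bit values above are the ones to use in a BPF expression.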

DFSP # 431 - Finding Needles
The time it takes from an initial escalation to the initial discovery of compromise is a key metric. Teams strive to do this as quickly as possible, but there are a number of challenges. You do not kn...
21 May 2024, 22 min

DFSP # 430 - Targeting Tasks
Windows Scheduled Tasks are often used by attackers to establish persistence. As an analyst, you want to be aware of the different Windows event codes that record these details. These artifacts come u...
14 May 2024, 18 min

DFSP # 429 - Career Moves
This week I talk about career moves for the DFIR professional. The skill set is valuable, but it must be combined with the right additional technical skills to maximize future job opportunities. Of co...
7 May 2024, 22 min

DFSP # 428 - It's all about that XML
When you're triaging a Windows system for evidence of compromise, it's ideal if your plan is focused on some quick wins upfront. There are certain artifacts that offer this opportunity, and Windows Ev...
30 Apr 2024, 27 min
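An added example that serves both the scheduled-task episode (DFSP 430) and this one (written for this page, not code from the podcast): it parses Security-log events in their XML form, keeps the scheduled-task IDs, pulls the task's command, arguments and run-as principal out of the nested TaskContent document, decodes a PowerShell -EncodedCommand argument, and raises a few quick-win indicators. The event IDs 4698 to 4702 are my assumption from Microsoft's audit documentation rather than something the page states; the events and the task definitions are constructed samples built by `make_event` and `make_task`, and the indicator wording is my own.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Security-log IDs for scheduled-task auditing (assumed from Microsoft's audit documentation,
# not taken from the podcast page); 4698 carries the whole task definition in TaskContent.
TASK_EVENT_IDS = {4698: "created", 4699: "deleted", 4700: "enabled", 4701: "disabled", 4702: "updated"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\windows\\tasks\\")
LOLBIN_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "downloadstring", "iex ")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_task(rec):
    """Cheap first-pass indicators; every hit still needs an analyst to read the task."""
    text = " ".join(filter(None, (rec["command"], rec["arguments"], rec["decoded"]))).lower()
    flags = []
    if any(p in text for p in USER_WRITABLE):
        flags.append("runs something from a user-writable path")
    if any(a in text for a in LOLBIN_ARGS):
        flags.append("suspicious PowerShell arguments")
    if rec["decoded"]:
        flags.append("encoded command: " + rec["decoded"])
    if rec["run_as"] == "S-1-5-18" and not rec["subject"].endswith("$"):
        flags.append("registered by a user account but runs as SYSTEM")
    return flags


def parse_task_event(xml_text):
    """Parse one Security event XML; return a triage record for task events, None otherwise."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    if event_id not in TASK_EVENT_IDS:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    rec = {"event_id": event_id, "action": TASK_EVENT_IDS[event_id],
           "time": root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
           "host": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
           "subject": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
           "task": data.get("TaskName", ""), "command": "", "arguments": "", "run_as": "", "decoded": None}
    content = data.get("TaskContent", "")
    if content.strip():
        # TaskContent keeps its own <?xml ... encoding="UTF-16"?> prologue; drop it before parsing the str.
        task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", content).strip())
        rec["command"] = task.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
        rec["arguments"] = task.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
        rec["run_as"] = task.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
        rec["decoded"] = decode_encoded_command(rec["arguments"])
    rec["flags"] = flag_task(rec)
    return rec


def make_task(command, arguments, user_id):
    """Constructed task definition in the Task Scheduler schema (only the nodes used above)."""
    return ('<?xml version="1.0" encoding="UTF-16"?>\n'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


def make_event(event_id, task_name, subject, task_xml, host="WS01.corp.local"):
    """Constructed Security event in the 4698 layout; real exports carry more Data fields."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2024-05-14T09:12:33.000Z"/><Channel>Security</Channel>'
            f'<Computer>{host}</Computer></System><EventData>'
            f'<Data Name="SubjectUserName">{subject}</Data><Data Name="SubjectDomainName">CORP</Data>'
            f'<Data Name="TaskName">{task_name}</Data><Data Name="TaskContent">{escape(task_xml)}</Data>'
            '</EventData></Event>')


PAYLOAD = "IEX (Get-Content C:\\Users\\Public\\s.txt)"     # constructed, harmless stand-in
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [   # constructed sample events, not real telemetry
    make_event(4698, "\\Microsoft\\Windows\\Updater", "jsmith",
               make_task("powershell.exe", "-NoP -W Hidden -Enc " + ENCODED, "S-1-5-18")),
    make_event(4698, "\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup", "WS01$",
               make_task("%windir%\\system32\\cleanmgr.exe", "/autoclean", "S-1-5-18")),
    make_event(4624, "", "jsmith", ""),   # a logon event: not a task event, so it is skipped
]


def flagged_tasks(events):
    """Return only the task records that raised at least one indicator."""
    return [r for r in map(parse_task_event, events) if r and r["flags"]]
```

Run `flagged_tasks(SAMPLE_EVENTS)` and only the first sample comes back, with the decoded command attached; the benign cleanup task and the logon event fall through. Against a real export, feed it the per-event XML that `wevtutil qe Security /f:xml` or a forensic EVTX parser emits, and expect the indicators to be a starting point for reading the task, not a verdict.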