For a new project, I started to dig into older threat reports, like for example, "The ProjectSauron APT" from 2016. [1] The interesting thing about these old reports is that you see techniques mentioned before that are still used 10 years later.

We are familiar with eMClient and axios, so let me introduce Trufflehog, the new kid on the block. Trufflehog made headlines during the recent "Shai-Hulud" campaign, in which threat actors used it to search for passwords and sensitive information. [1] According to the Trufflehog GitHub page:

I was playing around with bincrypter from THC (The Hackers Choice) [1]. The interesting points, as you can see in the screenshot below, are that the binary is encrypted, obfuscated, and 100% in memory. No temporary files, etc.

Look at my tweet from February 2022. As simple as putting NG into the country field. Guess what I found in this week's Business E-Mail Compromise? Successful logins from NG. Oh well..

Reading a report from a recent Incident Response case from my teammate, Asger Strunk. "It was observed that an unknown hostname “DESKTOP-LDIG48N” from the VPN DHCP IP address 192.168.128.149 made multiple failed login attempts using the username “admin” against various hosts within the network."

I was reading an older report from CrowdStrike the other day: "CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords." [1]

A customer sent malware over. The file magic was CART.. What's that? Turns out, something pretty cool. "This is where CaRT (which stands for Compressed and RC4 Transport) comes in. CaRT is used to store and transfer malware, as well as its metadata.

I analyzed and recreated (a simpler version) of a PHP backdoor we detected in a recent Incident Response engagement. I used the backdoor to install an RMM agent on the compromised machine; the installed EDR did not raise a single alert.

I love reading Incident Response reports from my colleagues. This one here from Matthieu Chatelan: "Note that over 1700 lines (of risky sign-ins) were generated for this user account over the last 3 months.

Craig Rowland never disappoints 🥇 He is showing us cool tricks for finding inconsistencies in the output from different Linux commands, pointing to an active Kernel rootkit.

This is wild. From a recent IR engagement led by my teammate Florian Scheiber: "The investigation showed that the attacker first compromised the Administrator’s personal Gmail account, [email protected]. Those credentials appeared in a combolist leaked on 2 June 2025.

taskhostw.exe writes a PE file (see the classic TVqQAAMAAAA sequence there) inside the UCPD\DR registry key? Microsoft implemented a driver-based protection to block changes to http/https and .pdf associations by 3rd party utilities, the so-called UCPD driver (UserChoice Protection Drive).

This slide also didn't make the cut. Yes, anyone who has spent more than five minutes on a Hack The Box machine will know pspy, but what about my blue-team colleagues?

The following slide hasn't made it into my "Fantastic cleartext password" talk, however, it's still a good one to share 🤓 "This simple tool logs usernames and passwords from authentication attempts against an OpenSSH server you control.

Two of my teammates published artifacts on the Velociraptor Exchange this week 💪 Yann Malherbe released several VHDX artifacts, as described in his detailed blog post. [1]

Dropping ngrok in a ZIP file onto disk results in the file being removed and an alert being raised, but installing ngrok via winget works just fine? 🤔🤷‍♂️

This one here is a goodie! A customer called us because they had several incidents where the system time "magically" jumped days, sometimes even months, back and forth (see screenshot). You can imagine the issues inflicted by this behavior. So the question was.. Cyber? Attacker? Misconfiguration?

So, I wrote about "Behavior:Win32/SuspRclone" before. [1] "This behavioral monitoring signature gets triggered if the file Rclone.exe has been observed residing in a suspicious folder on a device." [2]

Just when you think you know your way around Linux.. binfmt_misc: Hold my beer. dfir.ch/posts/today_...

Today I learned: SeManageVolumePrivilege While reading the HTB write-up for Certificate, I learned about SeManageVolumePrivilege. [1] A video by Grzegorz Tworek goes into great detail about how to abuse SeManageVolumePrivilege.[2]

Coming back to Maester! Do you know about the awesome Conditional Access What-If tests? [1] The first image is from the official documentation and shows how easily you can build your own test scenario. The second image shows the results from a tenant where I ran the test.

What is Maester? [1] Maester is a PowerShell-based test automation framework that helps you stay in control of your Microsoft security configuration. Such a cool tool - test details can be filtered by passed, failed, and skipped. Failed tests come with detailed recommendations on how to do better.

Today I learned: Using diskshadow to fetch the NTDS.dit. As mentioned several times, I love reading the HTB writeups from 0xdf because I always learn something new. Like here [1]:

Lately, I’ve talked about (alternative) forensic artifacts where the retention time might be higher than your classical Security Event Logs, or might not be the first artifact to be deleted in an "anti-forensics" operation by a threat actor.

In various business email compromise (BEC) cases, we later discovered that although the customer had set up a conditional access (CA) policy to enforce multi-factor authentication, mistakes had been made during the implementation of said policies.

We recently took over an APT investigation from another forensic company. While reviewing analysis reports from the other company, we discovered that the attackers had been active in the network for months and had deployed multiple backdoors.

Second story from a recent coffee break with my pentest colleague. During a retest for a client, they discovered the same ESC1 vulnerability they had reported before. Why is that dangerous and also super critical?

1/ Coffee break with one of our pentesters. He casually mentioned to me, "The last attack simulation was pretty cool. We used gowitness (a website screenshot utility written in Golang, to generate screenshots of web interfaces) to find internal services [1].

1/ During a recent engagement, the customer provided us with access to their extensive data collection in Splunk. One thing I checked was Sysmon’s Event ID 13 (Registry - Value Set) for modifications to various keys used for credential stealing (NetworkProvider, Notification- &, Security Packages).

1/ Love that Minesweeper reference here :) They tried hard to blend in; however, certain metadata about a file is baked into the PE header. Attackers can rename binaries all they want, but fields like original_file_name or inconsistencies in headers often give them away.

1/ In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1] The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.

My team colleague, Yann Malherbe, wrote an in-depth blog post about the Automation of VHDX Investigations with 🦖 labs.infoguard.ch/posts/automa...

1/ My first keynote will be about how we spend billions on (cyber) security but remain insecure. I’ll use a recent case as an example, which my colleague Asger Deleuran Strunk investigated:

1/ Mandiant mentioned the User Access Logs in their newest report [1]. We use the UAL extensively in our investigations, as this artifact can retain logs for a longer period of time, as outlined by Mandiant (and also covered in my Anti-Forensics presentation).

1/ PingCastle now highlights when no policy is in place to prevent scripting files (such as .js) from being executed via double-click.

1/ Next one from the HP Wolf Report [1]: This file is decoded by the PowerShell command and saved as “CHROME.PIF” in the ProgramData directory. It is then run.

1/ XWorm, as described in the latest HP Wolf Security report [1], goes to great lengths to evade security products. .chm file, VBScript, PowerShell, batch file, JavaScript, PowerShell, Steganography (the data from the image is used to reflectively load a .NET assembly).. 😮‍

"Our analysis revealed a concerning scenario: threat actors compromised one victim, weaponized their real documents, and then used these compromised documents to attack another victim." Source: www.bitdefender.com/en-us/blog/b...

1/ Not all web browsers support the passkey (FIDO2) authentication method with Microsoft Entra ID. For instance, FIDO is not supported when using Safari on Windows.

1/ ASEC has recently discovered the massive distribution of SmartLoader malware through GitHub repositories. Upon searching for keywords such as game hacks, software crack, and automation tool,

⏳ Time is crucial in Incident Response ⏳ In one incident, the victim engaged Talos IR immediately after discovering malicious activity alerts. Talos IR worked swiftly to combat additional malicious activity and prevented the execution of any encryption in the environment.

1/ Remove discoverable passwords in Active Directory account attributes A nice feature of Microsoft Defender for Identity is its ability to detect potential credential exposure in Active Directory by analyzing commonly used free-text attributes.

1/ I recently read an interesting blog post where the threat actor brought a copy of the Group Policy Editor toolkit onto the compromised host, started MMC, hid the window from the user, and simulated GUI operations to set up persistence (no UAC bypass was needed).

1/ Coming back to the Defender Portal. Malicious File? OMG 😱 Nope. Don't panic. What you see in the "Additional information" is exactly that, additional information. LNK files can be used by adversaries to execute code, as outlined in the corresponding MITRE technique [1].

1/ Do your Incident Response team a favour: If you are using the Defender Portal and sending screenshots, please set your timezone within your account to UTC. The following (redacted) image was sent to me yesterday by a client.

1/ Who is actively monitoring the installation/dropping of Python interpreters? The image below is from an ESET report [1], but we, for example, discovered a Python backdoor in a recent incident response case (a blog post is currently in progress).

1/ Interesting infection chain that utilizes the legitimate ftp.exe binary in conjunction with an FTP script to run the malicious payload (first copy it over and then start it). [1] (Mis-)using ftp.exe to run commands in a script is already documented in the LOLBAS project. [2]

1/ Yeah, sure. 😅 Show me the end user who checks the Target information from a shortcut (.LNK) file before running it (besides techies and IT security folks). However, we can better hunt for these files and their execution.

1/ What I learned today. Nice - I wasn't aware of the InstallProduct method from PowerShell to fetch a remotely hosted MSI file and subsequently install it. Invoke-WebRequest is one of the more popular methods, at least in our incident response cases.

1/ I'm pondering over a new talk 💭 - the following code came to mind, which I've pasted below. Does anyone still remember this one? 😅