Teamviewer Forensic Artifacts

The average system administrator uses remote administration tools to enable them to tend to systems across their network. There are a variety of these tools available and one of them is Teamviewer. During an incident, there are several logs and artifacts of interest that are vital. Each log provides some

Parsing IIS Logs

Windows variant of a webserver is called Internet Information Services (IIS). The feature comes as part of Windows server builds but isn’t enabled but default. If you manage an IIS server, logs write to c:\inetpub\logs by default and without a tool or capability, aren’t necessarily the easiest to read. With

Invoke-Fail2Ban

Anyone who has a system that is accessible on the Internet has likely had their fair share of brute force attempts. Utilizing something like Fail2ban is great because it blocks those type of attacks, providing some level of security. The downfall about Fail2ban is that it was developed for *nix

Hidden Gems in McAfee ePO Audit Logs

There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is that it contains an audit log containing authentication information to include

Finding Reflective DLL Injections

DLL injections that originate from a malicious DLL written to a disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, are not as straightforward. Malware injected directly into a process using reflective DLL injection typically will not exist on disk. A co-worker of mine developed

Base64 with PowerShell

All too often I find myself on a Windows system and need to either encode or decode base64. Rather than using an online service, installing a program, or going to a *nix based system, I took to PowerShell. In PowerShell, we can use .NET to accomplish this. Encoding: $Text2Encode =

Under The Wire!

Under The Wire, the PowerShell gaming server is now web based and can be access at www.underthewire.tech. On there, you will find directions to access our servers using you own instance of PowerShell. To date, we have two games that are live with another in production.

Search Exchange 2010 Mailboxes

NOTE: The user you run the script with must have the “Discovery Management” RBAC Role. This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called

Traffic Generators

These tools will generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it. • Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write

WMI on Linux

WMI is a great way to query Windows systems without being so intrusive. As of late, I have been dealing with it more and more. Typically, I use a Windows system to query another Windows system but the lack of speed inherit to the Windows OS always has me searching

ELK, the free alternative to Splunk

Installation of ELK is not too bad. There are a few guides online that walk through the processes but you will be hard pressed to find one to covers it all the way through. Some great links to help with this endeavor are: https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-ubuntu-14-04 https://www.ddreier.com/setting-up-elasticsearch-kibana-and-logstash/ Installing ELK (CentOS) This is

ELK stack, what is that?

In a previous post I did a comparison of ELK and Splunk. I will take a few minutes here to kind of explain what ELK is. ELK stack (Elasticsearch, Logstash, Kibana) is simply amazing. Each program making up ELK brings their own uniqueness and are vital parts to making the

Bare Monkey (Volatility)

I’ve been working on Bare Monkey for a few months now. Bare Monkey inputs a Windows memory capture and runs it against all Volatility plugins and outputs them to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates

Splunk vs. ELK Stack

When conversing about log collection and correlation on an Enterprise level, Splunk usually always comes up in the conversation. While I am an avid Splunk fan, outside of the free version, it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion.

Collaboration with Elog

Elog is a great program used for collaboration in a LAN or WAN environment. Its very simple to use and easily customizable. This program is ideal for sharing notes or analyzing data and ensuring everyone else knows what is going on. There is an email function as well and the

Jump Bag Stuff

Wifi-Pineapple – https://hakshop.myshopify.com/products/wifi-pineapple?variant=81044992 PWN Plug – https://www.pwnieexpress.com/product/pwn-plug-elite/ Read-Only Flash Drive – http://www.kanguru.com/storage-accessories/flash-blu2.shtml SmartSniff – http://www.nirsoft.net/utils/smsniff.html

Parsing Metadata with ExifTool

Its one thing to have a piece of data but its another thing to be able to get the metadata about said data. ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/) is a tool that will allow just that. Its command line based but there is a GUI version as well called pyExifTool (https://hvdwolf.github.io/pyExifToolGUI/). The tool

Forensics Posters

Anybody getting into forensics knows its like putting on a pair of glasses and seeing things in a whole new light. Part of being able to identify bad or evil is being able to identify normal. In my opinion, SANS did a pretty good job depicting some common things to