There was a time where there was an alarming rate at which malware would use some unique port that wasn’t used by other services. The port was usually some ephemeral port. These days though, it is being seen more and more of malware using ports commonly open outbound on a
Year: 2016
BlueSpectrum, an IOC framework written in PowerShell
The code can be found on my github at https://github.com/wiredpulse/BlueSpectrum. It was written to work with version 2 and newer. The idea behind this is to use what is available rather than always relying on a plethora of tools.
Under The Wire!
Under The Wire, the PowerShell gaming server is now web based and can be access at www.underthewire.tech. On there, you will find directions to access our servers using you own instance of PowerShell. To date, we have two games that are live with another in production.
Parsing Registry files with RegRipper
The registry of a system contains a lot of good data that can be used forensic analysis. Parsing that data from dead box forensics (bit image) using RegRipper (rip.pl) will provide you with a lot of useful information. RegRipper is an automated HIVE parser that can parse the forensic contents
No Need to Unzip, Just Use Zcat or Zgrep
There will be times when you may encountered a zipped file and want to quickly parse it without having to unzip it. When the time comes, zcat and zgrep will be your savior. The usages of both are very straightforward but there are man pages for both for further reading.
Analyzing Various Memory Capture Formats
In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference. FTK Imager – Outputs to .mem – Can be analyzed in Volatility Vol.py –f –profile= VMWare (.vmem) – .vmem and .vmsm
Application Whitelisting with Applocker
If you are a part of defending an infrastructure, then you know defense-in-depth is the name of the game. The more detection systems that can be employed to detect anomalies or malicious actions, the better chance you stand to have a safe network. One of many ways to aid in
Network Grep for the Folks Who Love to Grep!
Network grep (ngrep) is a great program that allows you to search and filter network packets rather quickly. There is some resemblance to the well-known Linux grep program. Ngrep can analyze live traffic or saved pcaps. The man pages for ngrep are rather straightforward. Ngrep currently recognizes IPv4/ 6, TCP,
Extracting Data with Bulk Extractor
When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/ technique that I lean to time and time again is using Bulk Extractor. Bulk Extractor is a program that enables you to
Analyzing Memory in the Wonderful World of Redline
Redline is one of a few memory capture/analyzer programs that I keep in my toolkit. How it works is that the software needs to only be installed on the system that you will be analyzing the data on and from there, you would configure the options you want to include
Installing/Managing Linux Packages in an Offline Environment
A few good cheat sheets for installing/managing packages in an offline environment.
Another Layer of Defense… Microsoft Baseline Security Analyzer (MBSA)
Once installed, you can use the program via the GUI or command line. If utilizing the GUI, it is very straightforward as there are only three options available (scan a computer, scan multiple computers, and view existing security reports). At the conclusion of a scan, a report will be produced
Linux Secure Copy (SCP)
SCP is a must for quick transfer of files in native environments. In order to interact with a Windows machine, an SSH server is needed on the system but you may be able to get around that be specifying a different port. Below are a few examples of how it
Search Exchange 2010 Mailboxes
NOTE: The user you run the script with must have the “Discovery Management” RBAC Role. This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called
