All Posts

RITA - An open source framework for network traffic analysis.
The framework ingests Zeek logs in TSV or JSON format, and currently supports the following major features: Beaconing Detection: search for signs of beaconing behavior in and out of your network. Long Connection Detection: easily see connections that have communicated for long periods of time. DNS Tunneling Detection: search for signs of DNS-based covert channels. Threat Intel Feed Checking: query threat intel feeds to search for suspicious domains and hosts. Check out t

Untitled Goose Tool
A very useful Incident Response (IR) tool released by CISA to run a full investigation against a customer’s Azure Active Directory...

Magnet RESPONSE tool
Acquiring volatile data is a critical step in the IR process, and incident responders used to execute separate tools and commands...

WinPMEM free RAM capture tool
Adding to the list of free RAM capture tools: WinPMEM, an open-source memory acquisition tool. Download from https://lnkd.in/g8eUvPM8...

Important Windows PowerShell Commands in Forensic Investigation
Start Windows PowerShell (Run as Administrator). List all established TCP connections on the system and output them to a text...
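As an added example (not the code from the original post), here is one way to do the established-connections step so that the evidence file also records which process owns each connection. It assumes Windows 8 / Server 2012 or later (where Get-NetTCPConnection exists; on older systems use netstat -ano) and an output folder C:\IR\Collection, which is an assumption you should change to your own collection location. Run it from an elevated 64-bit PowerShell so that process paths resolve.

```powershell
# Added example, not from the original post.
# Collect established TCP connections with the owning process and write them to text + CSV.
$OutDir       = 'C:\IR\Collection'          # assumed collection folder, change as needed
$ComputerName = $env:COMPUTERNAME
$Stamp        = Get-Date -Format 'yyyyMMdd_HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Connections = Get-NetTCPConnection -State Established | ForEach-Object {
    # Protected/system processes may refuse access; SilentlyContinue keeps the loop going
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        PID           = $_.OwningProcess
        ProcessName   = $proc.ProcessName
        Path          = $proc.Path        # $null when the image path is not readable
        StartTime     = $proc.StartTime
    }
}

$Base = Join-Path $OutDir "$ComputerName`_EstablishedTCP_$Stamp"

# Human-readable text file for the case notes
$Connections | Sort-Object RemoteAddress, RemotePort |
    Format-Table -AutoSize | Out-String -Width 4096 |
    Out-File -FilePath "$Base.txt" -Encoding UTF8

# CSV copy for later tooling / timeline merge
$Connections | Export-Csv -Path "$Base.csv" -NoTypeInformation -Encoding UTF8

# Quick triage: connections owned by binaries outside Windows and Program Files
$Connections |
    Where-Object { $_.Path -and $_.Path -notmatch '^C:\\(Windows|Program Files)' } |
    Format-Table RemoteAddress, RemotePort, PID, ProcessName, Path -AutoSize
```

Hash the written files immediately (for example with Get-FileHash) and record the value in the case notes, so the collection can be shown to be unaltered later.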

Chrome-URL useful for Incident Responders
Though the list of Chrome URLs is huge, I have selected a few from the list which can be useful for Incident Responders to quickly gather...

Track registry changes-Digital Forensics and Incident Response
Track registry changes (useful for remote collection and analysis as a part of the IR process). In this example, we are tracking changes in...

Windows Registry Forensic Analysis
Time Zone Information: SYSTEM\CurrentControlSet\Control\TimeZoneInformation. Network Interfaces and Past Networks: SYSTEM\CurrentControlSet...

An important location in Windows to look for deleted records. Windows search index database forensics.
Analyse Windows.edb to parse normal records and recover deleted records. Step 1: (Stop SearchIndexer in order to copy Windows.edb...

Data Exfiltration Over Bluetooth.
Bluetooth registry entries to investigate (MAC addresses of connected Bluetooth devices). After that, use a free utility called...

ETL File Analysis
There are events that carry information about shell items, network shares, apps that require privileges, RunKey information, etc. When...

Get the hash of all files in a folder and export it to a txt file using PowerShell. Run this command in PowerShell and remember to change the folder path.
During the incident response process, it is important to quickly collect the hash values of all files in a folder. Run PowerShell as administrator...

Wireshark - most common type of filtering
Filter by IP address (displays all traffic to or from a host, whether it is the source or destination): ip.addr == 192.168.1.1. Filter by source address: display...

Obtain hash of all running executables in Win OS using “CertUtil” while conducting Live Forensics.
CertUtil in Windows is mostly used for managing and viewing certificates, but it is also very useful for getting the hash value of any file using...
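The following is an added example (not the original posts' commands) covering both of the hashing posts above: hashing every file under a folder and exporting the result, and then hashing the image of every running process with certutil. The folder C:\Users\Public and the output folder C:\IR\Collection are assumptions; change them to the folder under investigation and your collection location. Run it from an elevated 64-bit PowerShell, otherwise 64-bit and protected processes will not expose a Path and will be skipped.

```powershell
# Added example, not code from the original posts.
$Target = 'C:\Users\Public'        # folder to hash (assumption, change it)
$OutDir = 'C:\IR\Collection'       # assumed collection folder
$Stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Hash every file under $Target (recursive, hidden and system files included).
$FolderHashes = Get-ChildItem -Path $Target -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Locked or access-denied files return no hash; record that instead of aborting
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteUtc  = $_.LastWriteTimeUtc
            SHA256        = if ($h) { $h.Hash } else { 'ERROR: locked or access denied' }
        }
    }

$FolderHashes | Format-Table -AutoSize | Out-String -Width 4096 |
    Out-File -FilePath (Join-Path $OutDir "FolderHashes_$Stamp.txt") -Encoding UTF8
$FolderHashes | Export-Csv -Path (Join-Path $OutDir "FolderHashes_$Stamp.csv") -NoTypeInformation

# 2. Hash the image of every running process with certutil, the built-in tool the post describes.
function Get-CertUtilHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Algorithm = 'SHA256'   # certutil defaults to SHA1 when the algorithm is omitted
    )
    # certutil prints a header line, then the hash, then a status line.
    # Older builds insert spaces between the hex bytes, so strip all whitespace.
    $lines = & certutil.exe -hashfile $Path $Algorithm 2>$null
    if ($LASTEXITCODE -ne 0 -or $lines.Count -lt 2) { return $null }
    return ($lines[1] -replace '\s', '').ToUpperInvariant()
}

# Group by image path so each executable is hashed once even if it runs as several processes
$ProcessHashes = Get-Process | Where-Object { $_.Path } | Group-Object Path | ForEach-Object {
    [PSCustomObject]@{
        Path   = $_.Name
        PIDs   = ($_.Group.Id -join ',')
        SHA256 = Get-CertUtilHash -Path $_.Name
    }
}

$ProcessHashes | Format-Table -AutoSize | Out-String -Width 4096 |
    Out-File -FilePath (Join-Path $OutDir "RunningExeHashes_$Stamp.txt") -Encoding UTF8
$ProcessHashes | Export-Csv -Path (Join-Path $OutDir "RunningExeHashes_$Stamp.csv") -NoTypeInformation

# Quick triage: running images that certutil could not hash, or that live outside Windows/Program Files
$ProcessHashes |
    Where-Object { -not $_.SHA256 -or $_.Path -notmatch '^C:\\(Windows|Program Files)' } |
    Format-Table Path, PIDs, SHA256 -AutoSize
```

The CSV outputs can be fed straight into a threat-intel or known-good hash lookup; keep the SHA256 column as-is, since certutil and Get-FileHash both emit uppercase hex once whitespace is removed.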

Digital Forensics: Active Directory Ntds.dit
The Ntds.dit file is an Active Directory database that maintains information about user objects, groups, and group membership. It...
