Sunday, July 17, 2016


Book Update
I recently and quite literally stumbled across an image online that was provided as part of a challenge, involving a compromised system.  I contacted the author, as well as discussed the idea of updating the book with my tech editor, and the result of both conversations is that I will be extending the book with an additional chapter.  This image is from a Windows 2008 web server that had been "compromised", and I thought it would be great to add this to the book, given the types of "cases" that were already being covered in the book.

RDP Bitmap Cache Parser
I ran across this French web site recently, and after having Google translate it for me, got a bit better view into what went into the RDP bitmap cache parsing tool. This is a pretty fascinating idea; I know that I've run across a number of cases involving the use of RDP, either by an intruder or a malicious insider, and there could have been valuable clues left behind in the bitmap cache file.

Pancake Viewer
I learned from David Dym recently that Matt (works with David Cowen) is working on something called the "pancake viewer", which is as DFVFS-backed image viewer using wxPython for the GUI.  This looks like a fascinating project, and something that will likely have considerable use, particularly as the "future functionality" is added.

Web Shells
Web shells are nothing new; here is a Security Disclosures blog post regarding web shells from 3 years ago.  What's "new" is what is has recently been shared on the topic of web shells.

This DFIR.IT blog post provides some references (at the bottom of the post) where other firms have discussed the use of web shells, and this post on the SecureWorks site provides insight as to how a web shell was used as a mechanism to deploy ransomware.

This DFIR.IT blog post (#3 in the series) provides a review of tools used to detect web shells.

A useful resource for Yara rules used to detect web shells includes this one by 1aNOrmus.

No comments: