Comments on Windows Incident Response: Data Points And Analysis

Adam Hughes, 2019-02-06 02:53 (-05:00):

Morning Harlan

I agree that often assumptions are made that are not justified or supported by evidence; "suspects can do something" is often an easier state to achieve than "they have done something".

I often see decisions made based on 'threat intelligence' because it said a domain or IP was malicious, but it often lacks context and any form of formal grading to allow an investigator to assess and apply the intelligence to the investigation, which often leads to inaccurate assumptions.

This is combined with a reliance on tools to 'give' an answer when how the results were reached may not be fully understood. This was a question I raised at the SANS Digital Forensic Summit a number of years ago: that off-the-shelf forensics tools were creating investigators with a lower understanding, as the tools did the work for them, which may not be validated.

It concerns me that I see CVs now where Digital Forensics, to recruiters and companies, means they were trained to use FTK or EnCase and that makes them an expert. I feel it is more about how we think rather than the tools available.

I wrote this a number of years ago on Threat Intelligence: http://www.thecyberparadigm.co.uk/2016/07/does-threat-intelligence-need-to-evolve.html

Ranting stand down :)

H. Carvey, 2019-02-05 07:47 (-05:00):

Ali,

Thanks for leaving a comment...

> ...LNK files and how they could be used for attribution and for checking campaigns...

With the exception of the work that the FireEye guys have done, I really believe that this is an incredibly untapped resource of information.

Too many times, we make assumptions about data based on our aperture or collection bias. A number of years ago, I attended an ISOI-APT meeting in Ashburn, VA, and presented on a finding regarding a well-known PoisonIvy configuration we'd seen. I asked those in the room who were familiar with this malware how it was delivered, and 100% of the folks said phishing.

I demonstrated delivery by subverting the user and having them install it via USB. I also illustrated how the user had tried to "clean up" before returning their system, and we pulled the full malware binary out of a hibernation file.

As such, I do not believe that the full value of file structure metadata, particularly from LNK files (but also from .doc lure documents), has been tapped, nor realized.

B!n@ry (https://twitter.com/binaryz0ne), 2019-02-05 07:40 (-05:00):

Hello,

I agree with you about verifying these mutable artifacts, because they might not have been modified; plus, if we exclude them, then we might turn out to exclude everything. You mentioned a good example: just opening the binary file for the LNK file, going to the time offset and zeroing it out would be one! There are so many other ways where anti-X stuff could happen. Therefore, it is not bad to verify instead of immediately excluding.

Also, LNK files and how they could be used for attribution and for checking campaigns: that, too, I think is very useful. And I would say yes, we could use them for checking that they belong to the same threat actor group.

Thanks again for another useful post.