In preparation for an upcoming FOR500 class I thought I would test out one of the recent additions to the class. This post by my colleague Zach shows that Win10 1903 and later has a registry key that will store the full path of any executable that utilises the computer's camera or microphone.
Business email compromise is anything but awesome. According to the FBI, in 2020 cybercriminals cost US companies 2 billion through exploitation of business email systems.
I started an Awesome list to try and compile all of the links that I had previously just kept in my head for reference when doing a BEC investigation. It’s still very much a work in progress, and I hope people a) find it useful and b) contribute to it to make it even better.
I haven’t had a chance to add summaries/descriptions of the links referenced, and I’m considering adding a couple of other sections related to hunting for phishing emails (typically how a BEC has occurred in my experience) as well as email header analysis.
Keen for contributions and hope it helps people!
Recently I was given approximately 55 VMDKs after a cyber incident to try and identify the root cause. Ideally, these systems would be online so that we could deploy our distributed threat hunting and forensic analysis tool of choice, Velociraptor; however, this wasn't a possibility in this scenario.
This meant I had an interesting problem to solve: how do I get the relevant forensic artefacts I wanted so that I could triage the VMDKs and identify which systems I wanted to dig deeper into?
Over the halfway point! (I appreciate week 6 was a while ago; I haven't had a chance to clean up my write-up for this until now.) This week we're looking at email authentication again, trying to identify the actual date of an email. I scraped by on this one with only hours to spare, and chatting with the others it was interesting to see the different approaches taken.
I write my notes as I go along, but sometimes it takes me a bit to get them into a bloggable format. This week took a little longer because I had to wait for Arman's walkthrough. I got super close to the answer for part 3, but unfortunately missed out on the 100 points.
We're back looking at EML files to help validate a story and identify forgery, and get to play with an interesting technique!
Starting this post by admitting it took me a lot longer to get the answers to some of these questions than it should have, because I misunderstood some of the wording of the questions. I ended up going down a lot of RFC-related rabbit holes, only to find that certain parts were theoretical and others practical. Well, we all make mistakes, onto the post!
Week 3 is over! Well, it went for a couple of weeks, and is no longer active. But it was the third challenge!
This time we went looking into the PST file format, as well as identifying manipulated emails. I found this one a little bit easier than Week 4, which is currently giving me grief.
Back for week 2 of the Metaspike weekly CTF. This week we’ve been given an MSG file containing correspondence between two colleagues. I tried to do this one with entirely free tools again, but there’s a minor caveat that you do need access to Outlook to get the full MSG parsing experience.
Please let me know if there's a way to do this without Outlook!