I made this list from my tweets (April to September 2019).
DFIR
A quick set of anomalies to look for to identify a compromised Linux system
https://www.linkedin.com/pulse/quick-set-anomalies-look-identify-compromised-linux-system-b-/
15 Linux commands ready to try.
Threat hunting using DNS firewalls and data enrichment | blog.redteam.pl
https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html
Useful content based on the author’s experience.
AmCache Analysis | Agence nationale de la sécurité des systèmes d’information
https://www.ssi.gouv.fr/en/publication/amcache-analysis/
ANSSI report on AmCache’s usefulness for forensics.
NTFS Journal Forensics — YouTube
https://www.youtube.com/watch?v=1mwiShxREm8
Contains a description of the differences between $MFT, $UsnJrnl, and $LogFile.
Windows Incident Response: Program Execution…Or Not
http://windowsir.blogspot.com/2019/08/program-executionor-not.html
Just because you run a program doesn’t mean you used it.
Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools | FireEye Inc
Dates in Hiding — Uncovering Timestamps in Forensic Email Examination
https://www.metaspike.com/timestamps-forensic-email-examination/
A list of the timestamps you may encounter during analysis.
Export corrupts Windows Event Log files — Fox-IT International blog
https://blog.fox-it.com/2019/06/04/export-corrupts-windows-event-log-files/
Be careful when exporting an event log to a .evtx file, because some entries have incorrect timestamps.
SANS Digital Forensics and Incident Response Blog | Triage Collection and Timeline Generation with KAPE | SANS Institute
https://digital-forensics.sans.org/blog/2019/08/22/triage-collection-and-timeline-generation-with-kape/
Tutorial on creating a timeline using KAPE.
Sigma-to — Google Spreadsheet
https://docs.google.com/spreadsheets/d/1mY6BGYZgwPH3UiVAdxU4Hraa9n1gFLXSMcR_5mhs0GE/edit#gid=2078972446
List of search queries useful for threat hunting.
Using MITRE ATT&CK for Forensics: WMI Event Subscription (T1084) — Cyber Forensicator
https://cyberforensicator.com/2019/07/13/using-mitre-attck-for-forensics-wmi-event-subscription-t1084/
An article on persistence detection.
AmCache is not alone; Using .WER files to hunt evil
https://medium.com/dfir-dudes/amcache-is-not-alone-using-wer-files-to-hunt-evil-86bdfdb216d7
The .WER file may contain the SHA-1 of the crashed process.
Finding Insider Threats: Digging Deeper — 2019 — Webinars | ForensicFocus.com
https://forensicfocus.com/c/aid=321/webinars/2019/finding-insider-threats-digging-deeper/
How to correlate multiple artifacts, showcasing artifacts that have appeared in and left the Windows 10 environment.
Following The RTM: Forensic Examination Of A Computer Infected With A Banking Trojan | Forensic Focus — Articles
https://articles.forensicfocus.com/2019/05/06/following-the-rtm-forensic-examination-of-a-computer-infected-with-a-banking-trojan/
Article on the forensic analysis of a machine infected with a RAT.
macOS Incident Response | Part 1: Collecting Device, File & System Data
https://www.sentinelone.com/blog/macos-incident-response-part-1-collecting-device-file-system-data/
Apple Watch Forensics 02: Analysis | ElcomSoft blog
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
meirwah/awesome-incident-response: A curated list of tools for incident response
https://github.com/meirwah/awesome-incident-response
New feature in Sysmon 10.1: Collecting process DNS query logs with Elasticsearch (operation check edition) — Qiita
https://qiita.com/rhpenguin/items/660f6e53ba7a49a1459c
(Article in Japanese.)
Malware Analysis
ATT&CK Techniques and Trends in Windows Malware | Kris Oosthoek
https://krisk.io/post/attack/
A study that analyzed over 900 labeled samples of Windows malware families from 2003 to 2018 and mapped the implemented techniques to ATT&CK.
Definitive Dossier of Devilish Debug Details — Part One: PDB Paths and Malware | FireEye Inc
Hexacorn | Blog PDB Goodness
http://www.hexacorn.com/blog/2019/08/31/pdb-goodness/
Zero 2 Hero — SentinelOne
https://www.sentinelone.com/lp/zero2hero/
“From Zero to Hero: Malware Reverse Engineering & Threat Intelligence” is a free, 12-week course. It’s for beginners.
Automated Malware Analysis: Malicious Documents: The Evolution of country-aware VBA Macros
http://blog.joesecurity.org/2019/03/malicious-documents-evolution-of.html
Unraveling the internal structure of LockerGoga | MBSD Blog
https://www.mbsd.jp/blog/20190827.html
(Article in Japanese.)
OSINT
A Brief Comparison of Reverse Image Searching Platforms — DomainTools Blog
https://blog.domaintools.com/2019/09/a-brief-comparison-of-reverse-image-searching-platforms/
MISC
Infographic: Ranking the Top 100 Websites in the World
https://www.visualcapitalist.com/ranking-the-top-100-websites-in-the-world/
Search results for: security | DISBOARD: Discord Server List
https://disboard.org/en/search?keyword=security
IppSec — YouTube
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Videos explaining how to solve Hack The Box machines, trial and error included.
Cyber Simulation | HackTale
https://www.hacktale.com/
A game where you can experience forensic investigation.
State of Industrial Control Systems (ICS) in Italy — VoidSec
https://voidsec.com/state-of-industrial-control-systems-ics-in-italy/
Update History
- 2019/09/29 New.
- 2020/03/03 Revised.