Blog: SANS Digital Forensics and Incident Response Blog: Tag - Incident Response

Blog: SANS Digital Forensics and Incident Response Blog:

Protecting Privileged Domain Accounts: Restricted Admin and Protected Users

It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into two articles. This article will cover specific updates Microsoft has provided to help protect user credentials. I'll follow up next week to discuss the Kerberos issues in depth.

As a quick reminder, the major takeaway from my previous articles on this subject are that we can successfully protect our privileged domain accounts by taking these 3 steps:


  1. Avoid interactive logons to untrusted hosts

  2. Disable ...

TorrentLocker Unlocked

Guest submission byTaneli Kaivola, Patrik Nisn and Antti Nuopponen of NIXU

TorrentLocker is a new breed of ransomware that has been spreading lately. Like CryptoLocker and CryptoWall it encrypts files on a victim's machine and then demands ransom. The victim has to pay to get the decryption software that can decrypt the files.

On a recent incident response case we came across a malware program that had all the known characteristics of TorrentLocker. We started to analyze the malware to see if there was a way to get the files decrypted without paying the ransom. It is well known that some ransomwares like CryptoLocker do implement proper encryption and that it is not possible to recover the encrypted files, but on the other hand, there are also several examples of malware that

...

Using Sysinternals System Monitor (Sysmon) in a Malware Analysis Lab

System Monitor (Sysmon) is a new tool from Microsoft, designed to run in the Windows system's background, logging details related to process creation, network connections, and changes to file creation time. This information can assist in troubleshooting and forensic analysis of the host where the tool was installed prior to the incident that's being investigated. This article explores the role that System Monitor might play in a malware analysis lab, possibly supplementing tools such as Process Monitor.

Dominando las 4 etapas del Anlisis de Malware

(This is a Spanish translation of the article Mastering 4 Stages of Malware Analysis. Este artculo fue traducido del ingls.) El anlisis de software malicioso o malware involucra una variedad de tareas, algunas ms simples que otras. Estas tareas pueden ser agrupadas en etapas basadas en la naturaleza de las tcnicas de anlisis de software malicioso. Agrupadas como capas, una encima de otra, estas etapas forman una pirmide que va creciendo conforme complejidad.

SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros

SRP streams in Microsoft Office documents can reveal older versions of VBA macro code used by the adversary in earlier attacks. After the attacker modifies the malicious document for a new attack, Microsoft Office sometimes retains a cache of the earlier macro inside these streams, allowing analysts to expand their understanding of the incident and derive valuable threat intelligence. In other words, SRP streams can help investigators travel back in time.