Windows Incident Response: Human Behavior In Digital Forensics, pt II

Targeted Threat ActorI was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT installer to 8 endpoints, and had the installer launched via a Scheduled Task.
About a week later, we saw that the threat actor had pushed out another version of their RAT to a completely separate endpoint, by dropping the installer into the StartUp folder for an admin account.
The first thing we did once we got started was roll out our EDR tech, and begin getting insight into what was going on...which accounts had been compromised, which were the nexus systems the threat actor was operating from, how they were getting in, etc.
So we found this RAT installer in the StartUp folder for an admin account...a communal admin account.
We found it because in the course of rolling out our EDR tech, the admins used this account to push out their software management platform, as well as our agent...and the initial login to install the software management platform activated the installer.
We grabbed a full image of that endpoint, so we were able to get information from VSCs, including a copy of the original installer file.
The customer didn't have EDR in place prior to our arrival, so there's a lot we likely missed out on, but from what we were able to assemble from host-based historical data, it seemed that the threat actor's plan, at the point we were brought in, was to establish a beachhead. Pro Bono Legal CaseA number of years ago, I did some work on a legal case.
Jump forward about a year, and the guy who got hired grew disillusioned, and went in one Friday morning, logged into the computer, wrote out a Word document where they resigned, effective immediately.
They sent the document to the printer, then signed it, handed it in, and apparently walked out.
There were suits and countersuits, and I was asked to examine the image of the system, after exams had already been performed by law enforcement and an expert from SANS. What I found was that on Thursday evening, the day before the guy resigned, at 9pm, someone had logged into the system locally and surfed the web for about 6 minutes.
Using a variety of data sources, to include the Registry, Event Log, file system metadata, etc.
As part of the legal battle, the guy had witness statements and receipts from the bar he had been at the evening prior to resigning, where he'd been out with friends celebrating.
Further, the employer had testified that they'd sat at the computer the evening prior, but all they'd done was a short web browser session before logging out.
On the surface, what happened was clearly what the former employer described; the former employee came in, typed and printed their resignation, and launched the ransomware executable on their way out the door.
File system metadata, Registry key LastWrite times, and browser history painted a different story all together.
RAT RemovalDuring another targeted threat actor response engagement, I worked with a customer that had sales offices in China, and was seeing sporadic traffic associated with a specific variant of a well-known RAT come across the VPN from China.
As part of the engagement, we worked out a plan to have the laptop in question sent back to the states; when we received the laptop, the first thing I did was remove and image the hard drive.
Apparently, the employee/user of the endpoint had been coerced to install the RAT. Using all the parts of the buffalo, we were able to determine that, at one point, the user had logged into the console, attached a USB device, and run the RAT installer.
I turned out that an employee with remote access had somehow ended up with a keystroke logger installed on their home system, which they used to remote into the corporate infrastructure via RDP. This was about 2 weeks before they were scheduled to implement MFA. The threat actors was moving around the infrastructure via RDP, using an account that hadn't accessed the internal systems, because there was no need for the employee to do so.
This incident had to be reported to the PCI Council, but we did so with as complete a picture as possible, which showed that the threat actor was both unaware of the files, as well as apparently not interested in credit card, nor billing, data.


This Cyber News was published on windowsir.blogspot.com. Publication date: Sat, 06 Jan 2024 19:13:05 +0000


Cyber News related to Windows Incident Response: Human Behavior In Digital Forensics, pt II

What is digital forensics and incident response? - Digital forensics and incident response is a combined set of cybersecurity operations that incident response teams use to detect, investigate and respond to cybersecurity events. As the acronym implies, DFIR integrates digital forensics and incident ...
1 year ago Techtarget.com
How Digital Forensics Supports Incident Response: Insights For Security Leaders - This article explores how digital forensics enhances incident response, the essential techniques involved, and practical strategies for security leaders to implement robust DFIR capabilities. Digital forensics focused on the collection, preservation, ...
1 month ago Cybersecuritynews.com
Incident Response Plan: How to Build, Examples, Template - A strong incident response plan - guidance that dictates what to do in the event of a security incident - is vital to ensure organizations can recover from an attack or other cybersecurity event and minimize potential disruption to company ...
1 year ago Techtarget.com
How to Conduct Incident Response Tabletop Exercises - An incident response tabletop exercise is an activity that involves testing the processes outlined in an incident response plan. Attack simulations are run to ensure incident response team members know their roles and responsibilities - and whether ...
1 year ago Techtarget.com
New Microsoft Incident Response team guide shares best practices for security teams and leaders - The incident response process can be a maze that security professionals must quickly learn to navigate-which is no easy task. Surprisingly, many organizations still lack a coordinated incident response plan, and even fewer consistently apply it. ...
1 year ago Microsoft.com
Using Memory Forensics Tools To Enhance Advanced Incident Response - By combining proper tools, trained personnel, and well-defined procedures, organizations can leverage memory forensics to significantly enhance their incident response capabilities and improve their overall security posture against increasingly ...
1 month ago Cybersecuritynews.com
Digital Forensics In 2025: How CSOs Can Lead Effective Investigations - Digital forensics now encompasses a broad spectrum of investigative techniques and methodologies used to extract, preserve, and analyze data from computers, smartphones, servers, cloud platforms, and a wide array of Internet of Things (IoT) devices. ...
1 month ago Cybersecuritynews.com
Teaching Digital Ethics: Navigating the Digital Age - In today's digital age, where technology permeates every aspect of our lives, the need for ethical behavior in the digital realm has become increasingly crucial. This article explores the significance of digital ethics education in our society and ...
1 year ago Securityzap.com
Thoma Bravo Acquires Magnet Forensics in Billion Dollar Deal - Thoma Bravo, a leading private equity investment firm, recently announced an agreement to acquire Magnet Forensics, a global leader in digital investigation technology, in a billion-dollar deal. This marks the largest Thoma Bravo purchase ever and ...
2 years ago Securityweek.com
4 key steps to building an incident response plan - In this Help Net Security interview, Mike Toole, head of security and IT at Blumira, discusses the components of an effective security incident response strategy and how they work together to ensure organizations can address cybersecurity issues. An ...
10 months ago Helpnetsecurity.com
Building A Unified Security Strategy: Integrating Digital Forensics, XDR, And EDR For Maximum Protection - To effectively counter these threats, organizations must integrate Digital Forensics, Extended Detection and Response (XDR), and Endpoint Detection and Response (EDR) into a unified security framework. It involves two main components: digital ...
1 month ago Cybersecuritynews.com
How to build a cyber incident response team - As an incident response manager himself, Valentin regularly coordinates security responses for companies of all shapes and sizes - including many of the examples discussed in this post. He explains everything you need to know about building and ...
1 year ago Heimdalsecurity.com
Building a Culture of Digital Responsibility in Schools - In today's technologically-driven world, schools have a critical role in cultivating a culture of digital responsibility among students. Promoting digital responsibility involves educating students about the potential risks and consequences ...
1 year ago Securityzap.com
Digital Citizenship Lessons for Students - This article aims to emphasize the significance of digital citizenship lessons for students, focusing on three key aspects: the definition and scope of digital citizenship, online etiquette, and safe online behavior. By equipping students with ...
1 year ago Securityzap.com
How to create an incident response playbook - Creating and maintaining an incident response playbook can significantly improve the speed and effectiveness of your organization's incident response. To help, here's a crash course on what incident response playbooks are, why they are important, how ...
1 year ago Techtarget.com
A Heimdal MXDR Expert on Incident Response Best Practices and Myth Busting - I got to talk to Dragoș Roșioru, a seasoned MXDR expert, about incident response best practices and challenges. Get an in-depth understanding of the do's and don'ts in incident response as Dragoș explains how to avoid the most common mistakes ...
1 year ago Heimdalsecurity.com
Best MDR (Managed Detection & Response) Solutions - 2025 - Cybereason Managed Detection and Response solutions provide 24/7 threat monitoring, advanced endpoint protection, and rapid incident response. Cynet MDR solutions provide automated threat detection and response, ensuring comprehensive security ...
2 months ago Cybersecuritynews.com
Strengthening Cybersecurity: The Role of Digital Certificates and PKI in Authentication - Data protection remains integral in our wide digital world. This has been possible because of the increasing awareness amidst enterprises, small and large, across industries on the paramount need for the protection of sensitive data, securing digital ...
1 year ago Feeds.dzone.com
Law Firms are Raising the Bar on Cybersecurity - Corresponding with recent increases in threat actor activity in the legal industry, law firms are investing more time and attention in modernizing security operations. Both midsize and large law firms are increasingly engaging with cybersecurity ...
2 years ago Bluevoyant.com
Continuity in Chaos: Applying Time-Tested Incident Response to Modern Cybersecurity - Incident response is foundational to every security program, yet many companies still struggle with adoption and testing. He enumerated the top challenges of incident response at the time which were 1) Increasing complexity and sophistication of ...
1 year ago Securityweek.com
The Importance of Incident Response for SaaS - The importance of a thorough incident response strategy cannot be understated as organizations prepare to identify, investigate, and resolve threats as effectively as possible. Most security veterans are already well aware of this fact, and their ...
1 year ago Securityboulevard.com
What a Digital ID Means to How Australians Interact With Businesses Online - Australia is about to get a national online ID system - the Digital ID - which promises to improve the security and privacy of data online. In just a few months, Australians will have access to a new form of ID, which aims to make identification ...
1 year ago Techrepublic.com
Important details about CIRCIA ransomware reporting - This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments. Ransomware attacks have become ...
1 year ago Securityintelligence.com
How to Implementing SOAR To Reduce Incident Response Time Effectively - Once these foundational integrations are in place, organizations can expand their SOAR implementation to include more advanced capabilities, such as automated vulnerability scanning, endpoint isolation, and integration with cloud security tools. This ...
1 month ago Cybersecuritynews.com
Windows Incident Response: Human Behavior In Digital Forensics - I. I've always been a fan of books or shows where someone follow clues and develops an overall picture to lead them to their end goal. The main web page even includes a brief history of behavioral profiling. Apparently ,it is, as there's research to ...
1 year ago Windowsir.blogspot.com