Why your threat hunting program building shouldn’t stop once the engagement is over

September 14, 2021

Let’s see, it looks like your organization just met an annual Threat Hunting assessment compliance requirement or achieved the introductory objective of experiencing a formal Threat Hunting assessment. Well done! Now, what should the organization take into consideration after successfully completing the assessment? Once a third-party Threat Hunting assessment concludes, many organizations may feel overwhelmed…

Read

TrustedSec Incident Response Team Slack AMA 02.17.2021

March 16, 2021

On February 17, 2021 TrustedSec hosted an ‘Ask Me Anything’ on our Slack Workplace with TrustedSec’s Incident Response Team. Many great questions were asked and lots of information exchanged that we didn’t want to get lost with time, so we’ve put together this blog with questions and the conversation that blossomed from them. Please note:…

Read

Who Left the Backdoor Open? Using Startupinfo for the Win

February 18, 2021

In the endless quest to research additional Windows system forensic artifacts to use during an Incident Response investigation, I stumbled across something I thought was cool. This definitely wasn’t a new artifact, it was just a specific native Windows XML file that I wasn’t aware of. I noticed this file was not commonly used from…

Read

SolarWinds Backdoor (Sunburst) Incident Response Playbook

December 17, 2020

Over the last several days, TrustedSec has received queries on the best ways to contain, eradicate, and remediate the SolarWinds backdoor (aka #solarigate aka Sunburst). The TrustedSec Incident Response team has put together a playbook of recommended actions to provide some level of assurance that your organization is no longer affected by the backdoor. This…

Read

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

October 27, 2020

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

Read

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

October 27, 2020

This is a continuation of The Tale of the Lost, but not Forgotten, Undocumented NetSync (part 1) and in this section, we will look to answer: What are Some Early Indicators to Detect NetSync at the Host-based Level? What are Some Possible Controls to Deter NetSync? In an accompanying blog post, Are You Seeing What…

Read

SMS Phish – An Incident Walkthrough

September 3, 2020

Opener The goal of this blog post is to provide an approach to analyzing a text-based phish link. I will primarily focus on the initial steps to properly view the phish site from a non-mobile browser, provide OPSEC setup and browsing analysis recommendations, and conclude with defense measures to protect against such attacks. Analysis Background…

Read

Become The Malware Analyst Series: PowerShell Obfuscation Shellcode

August 20, 2020

In this second installment of the ‘Become a Malware Analyst Series,” Principal Incident Response & Research Consultant Scott Nusbaum focuses on PowerShell obfuscation by analyzing a PowerShell sample that was identified during an incident response. Scott will also touch on methods and tools to identify common Metasploit function hashes.

Read

Become The Malware Analyst Series: Malicious Code Extraction and Deobfuscation

July 7, 2020

In this video, Senior Incident Response & Research Consultant Scott Nusbaum demonstrates a method to extract and deobfuscate code from a malicious document. Upon rendering the code readable, Nusbaum works to gain an understanding of the goals the malware was attempting to accomplish and the processes by which it undertook that effort. This video is…

Read

Are You Looking for Ants or Termites?

July 1, 2020

Over the last several months, I’ve noticed something when discussing Incident Response (IR) with clients. There is often confusion between the expectation and reality concerning the end results of an IR investigation. My goal here is to clarify and set those expectations, and to show how Threat Hunting factors in. When TrustedSec gets called to…

Read
  • Browse by Category

  • Clear Form