Some Statistics on Cobalt Strike Configs in April and May 2021 — Collected from over 1000 configurations, here are some high-level statistics that demonstrate some of the common trends among one of the most popular tools in an adversary’s arsenal. These configs were collected from live servers around early May 2021. If you are interested in how the data was collected, scroll…

Windows Server Artefact — Overview User Access Logging (UAL) is feature in Windows Server that aggregates client usage data by role on a local server. The DFIR team at KPMG released a great blog which spotlights User Access Logs by delving into the different components that make up the database. Digital forensics and incident response The KPMG Cyber Response Services team is dedicated to helping clients respond to cyber incidents. In a recent…advisory.kpmg.us

Windows Memory Forensics — Part 1 What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed! From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question. This search was…

Windows Memory Forensics — Part 1 What is the IPv4 address that myaccount.google.com resolves to? At the start of the memory challenge I had ran bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the discord posts, users had been using the .pcap generated from bulk_extractor…

Windows Memory Forensics — Challenge 10 *At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. * What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx” I started this week with the netscan plugin vol.py -f memdump.mem --profile=Win7SP1x64 netscan From the netscan output…

Windows Memory Forensics — Part 1 The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string. I started off by running kdbgscan over the image to get the profile: Win7SP1x64 When reading the question for part 1, I had…

Part 1 What package(s) were installed by the threat actor? Select the most correct answer! Part 2 Why? - hosting a database - serving a webpage - to run a php webshell - create a fake systemd service Part 1 Especially considering last weeks question, we know where to look when we…

Part 1 Domains and Such What is the IP address of the HDFS primary node? Part 2: Is the IP address on HDFS-Primary dynamically or statically assigned? Part 3: What is the interface name for the primary HDFS node? Part 1 If you navigate to /etc/network/interfaces on the primary image, you can…

Challenge 6 (Nov. 9–16) The Elephant in the Room 25 Part One: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On…