All Things Security

Vikas Singh | DF/IR @ Kroll

Real-World Incidents

I’ve contributed to research and written articles based on my experiences in complex incident investigations. A few highlights are below:

Inside a GandCrab targeted ransomware attack on a hospital – Naked Security

Just before 9pm on Sunday, 3 February 2019, a GandCrab executable sparked into life for an instant, before its brief existence was snuffed out by antivirus software. Stopped in its tracks, the malware triggered the first of what would quickly become hundreds of separate alerts for a US healthcare provider in the grip of a targeted ransomware attack.

Intervention halts a ProxyLogon-enabled attack – Sophos News

In a recently-concluded engagement, Sophos’ Rapid Response team was called in to investigate an attack targeting an Exchange server. During the course of the work, the responders discovered that the attackers were still taking actions inside the target’s network, and stopped the slow-rolling, manually controlled attack before any lasting damage could be done.

Worms deliver cryptomining malware to web servers – Sophos News

An automated attack, targeting poorly-protected Apache Tomcat servers, turns enterprise hardware into a high-end cryptominer. We discovered an attack method recently while providing support to a company that runs an Apache Tomcat web server that was repeatedly getting infected.

Investigate WannaMine - CryptoJacking Worm

WannaMine, also described as a cryptojacking worm, is all-in-memory malware: a cryptocurrency miner that uses advanced credential-theft techniques and exploitation modules to spread laterally across the network.

WMI remains one of my favorite topics of research over the years. This malware was a breath of fresh air after Emotet, which I talk about in the next block!

Host Forensics

The UTC Project

A Timestamp is the field, or part of a log, that marks the time an event occurred. As such, I would consider it the most important of all the fields contained within that log. It’s also the field most likely to be read or interpreted incorrectly by an onlooker.

This article is essentially a reference card wherein I’ve compared all major security platforms and how they display the Timestamp.

Parse Scheduled Tasks XMLs

Kroll's Artifact Parser and Extractor (KAPE) lets forensic teams collect and process forensically useful artifacts within minutes. This article is about a KAPE Module I wrote which parses all the Scheduled Task XML Files contained within a triage image into a neat CSV.

Browser Extensions - Forensics

Featured in Detection Engineering Weekly #24

“Great deep dive in Google Chrome extension forensics. Singh steps through an example incident where a user installs a malicious browser extension, then gives tips and tricks on finding the extensions folder, using tools like Hindsight to export the extension data and metadata, and then digging into each extension to see how it behaves. They also give tips on triaging the same incident via SentinelOne and Defender for endpoint.”

Decoding Malicious PowerShell Activity - A Case Study - Blog - Sophos Labs

IT Administrators and Security Specialists often run into a suspicious-looking PowerShell command; sometimes they succeed in decoding it, but often they are reliant on researchers. This blog should serve as guidance for identifying the purpose of suspicious entries found in:

Remote Access Software Forensics Hub

This forensics guide focuses on dissecting commonly abused remote access tools such as TeamViewer, AnyDesk, MeshAgent, RustDesk, VNC variants, and others. The objective is to help analysts recognize key forensic artifacts, understand typical abuse patterns, and streamline their investigative approach during remote access-related intrusions.

PowerShell Command History Forensics

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. This article delves into the various artifacts around PowerShell execution.

This article is also listed under References, following my submission to MITRE.

Indicator Removal: Clear Command History, Sub-technique T1070.003 - Enterprise | MITRE ATT&CK®

Mastering PowerShell De-obfuscation - Beyond the Basics

In this second installment, we dive deeper into the dark arts of PowerShell obfuscation. Attackers have refined their techniques beyond simple string manipulation or compression: weaponizing the -join, -split, and -f operators, exploiting whitespace tricks, and drowning scripts in special characters to evade detection. We’ll break down deceptive IEX executions, explore script block logging tricks, and tackle heavily obfuscated VBS payloads leading to PowerShell execution.

✅ If you've ever looked at a script and thought, "This makes no sense," you're in the right place.

Reconstructing PowerShell scripts from multiple Windows event logs – Sophos News

When a large PowerShell script runs, it results in a number of fragmented artifacts deposited across multiple logs. Filtering for event ID 4104 returns a list of those artifacts, each contained in the Microsoft-Windows-PowerShell%4Operational.evtx event log.

This article helps you reconstruct all the ScriptBlocks into the original PS script.

💡 This article, featuring a script I developed, has been credited in the SANS FOR508 textbooks.

🗺️ Who doesn’t like Mind Maps!

Browser Cache and Interrupted Downloads - Investigation Strategies

The article explores how to investigate detection triggers related to Chrome cache or temporary download files, using Endpoint Detection and Response (EDR) or host forensics tools.

Create a Super Timeline with TACTICAL/IREC Triage Image

A straightforward article explaining timelining: what Super Timelines are, how to create one, and things to look out for.

Cloud Forensics

Email Forensics

EDR/SIEM Platform Specific