Week 6 – 2019

With contributions by Lodrina!

As always, thanks to those who give a little back for their support!
  • Chris Brenton at Active Countermeasures boils threat hunting basics down into steps including: identifying persistent outbound communications and their protocol, looking at the originating host and the reputation of the destination system, and ending with incident disposition including whitelisting or further investigation.
    How to Threat Hunt Your Network

  • Adam at Hexacorn, with inspiration from Samir Bousseaden, takes on the heroic task of surveying *every* Windows Event Log! A few mentions I found particularly interesting include: DriverFrameworks-UserMode\Operational (USB devices), Shell-Core\* (Shell related activity), as well as OfflineFiles\Operational and User Profile Service\Operational (user logon).
    Event Logs++

  • Cylance looks at how a SOC can put a sea of EDR events into context.
    Endpoint Detection and Response (EDR): The Case for Context

  • The Digital Shadows Security Engineering Team attended the 2019 SANS DFIR Cyber Threat Intelligence (CTI) Summit and sums up takeaways on metrics, models and frameworks, and how to use ATT&CK.
    SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

  • The European Union Agency for Network and Information Security (ENISA) released a substantial report (34 page PDF) on “CSIRTs and Incident Response (IR) capabilities in Europe towards 2025 at a strategic and policy level”. The report reviews different sectors (private, military, etc.) and surveys relevant laws in the EU and beyond.
    Study on CSIRT landscape and IR capabilities in Europe 2025

  • John Ferrell at Huntress Labs discusses Windows administrative shares, particularly as they relate to malware like Emotet or TrickBot moving laterally on a network.
    Deep Dive: Windows Administrative Shares

  • Wataru Takahashi at JPCERT/CC uses the free Sysmon log tool SysmonSearch – available at the JPCERTCC GitHub – to investigate a suspicious process.
    Investigate Suspicious Account Behaviour Using SysmonSearch

  • Katie Nickels at MITRE ATT&CK announces that Round 2 of ATT&CK Evaluations will be on the APT29/COZY BEAR/The Dukes group. Katie asks that anyone with knowledge about APT29 share information so that the MITRE emulation plan is realistic.
    Open Invitation to Share Cyber Threat Intelligence on APT29 for Adversary Emulation Plan and…

  • Nextron releases an updated Antivirus Event Analysis Cheat Sheet (2 page PDF) by Florian Roth.
    Antivirus Event Analysis Cheat Sheet v1.7

  • Lee Christensen at SpecterOps looks at two file extensions (.devicemanifest-ms and .devicemetadata-ms) that can be abused for arbitrary remote code execution through the Windows Driver Kit’s Device Metadata Authoring Wizard, and walks through a proof of concept built with the command line, makecab.exe, and a hex editor.
    Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard

  • Richard Bejtlich at TaoSecurity further examines a story by Christopher Burgess about an insider intellectual property theft case involving downloading “restricted files to a personal thumb drive” and how Richard dealt with issues like this at GE-CIRT.
    Forcing the Adversary to Pursue Insider Theft

  • Chad Tilbury at SANS looks into Windows Management Instrumentation (WMI) attacks using a variety of tools and techniques, including Sysmon and the WMI-Activity Operational event log. More on WMI will be covered in Chad’s upcoming webinar; the post includes a link to sign up.
    “Investigating WMI Attacks”

  • Scott Piper at Summit Route breaks down AWS trust relationships including IAM role trust relationships, resource policies, S3 ACLs, and Resource Access Manager resource sharing, and how an attacker can abuse these.
    Lateral movement between AWS accounts – Abusing trust relationships

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
