In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID & Kakbot VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
Finally, as the last part of the blog series we will have a look at the network traffic observed. We will do this in two sections, the first one will cover a few things useful to know if we are in the situation that Wireshark can dissect the traffic for us. The second section will … Continue reading Investigating an engineering workstation – Part 4
This blog post will create a Sysmon archive quota through WMI event consumption to avoid storage exhaustion.
NVISO is proud to announce that it has successfully qualified as an APT Response service provider and is now recommended on the website of the German Federal Office for Information Security (BSI).⯠AdvancedâŻPersistent Threats (APT) are typically described as attack campaigns in which highly skilled, often state-sponsored, intruders orchestrate targeted, long-term attacks. Due to their … Continue reading NVISO approved as APT Response Service Provider
In our third blog post (part one and two are referenced above) we will focus on information we can get from the projects itself. You may remember from Part 1 that a project created with the TIA Portal is not a single file. So far we talked about files with the â.apXXâ extension, like â.ap15_1â … Continue reading Investigating an engineering workstation – Part 3
In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. The TIA Portal maintains a file called âSettings.xmlâ under the following path: C:\Users\$USERNAME\AppData\Roaming\Siemens\Portal V15_1\Settings\. Please remember we … Continue reading Investigating an engineering workstation – Part 2
