NVISO approved as APT Response Service Provider

NVISO is proud to announce that it has successfully qualified as an APT Response service provider and is now recommended on the website of the German Federal Office for Information Security (BSI).  Advanced Persistent Threats (APT) are typically described as attack campaigns in which highly skilled, often state-sponsored, intruders orchestrate targeted, long-term attacks. Due to their … Continue reading NVISO approved as APT Response Service Provider →

Investigating an engineering workstation – Part 3

In our third blog post (part one and two are referenced above) we will focus on information we can get from the projects itself. You may remember from Part 1 that a project created with the TIA Portal is not a single file. So far we talked about files with the “.apXX” extension, like “.ap15_1” … Continue reading Investigating an engineering workstation – Part 3 →

Investigating an engineering workstation – Part 2

In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. The TIA Portal maintains a file called “Settings.xml” under the following path: C:\Users\$USERNAME\AppData\Roaming\Siemens\Portal V15_1\Settings\. Please remember we … Continue reading Investigating an engineering workstation – Part 2 →

Cobalt Strike: Overview – Part 7

This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. In part 1, we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help … Continue reading Cobalt Strike: Overview – Part 7 →

Investigating an engineering workstation – Part 1

In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction … Continue reading Investigating an engineering workstation – Part 1 →

Cobalt Strike: Memory Dumps – Part 6

This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted Cobalt Strike traffic starting with … Continue reading Cobalt Strike: Memory Dumps – Part 6 →

Amcache contains SHA-1 Hash – It Depends!

If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. You can use the SHA-1 extracted from the Amcache … Continue reading Amcache contains SHA-1 Hash – It Depends! →

Cobalt Strike: Decrypting DNS Traffic – Part 5

Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting DNS Traffic – Part 5 →

Cobalt Strike: Decrypting Obfuscated Traffic – Part 4

Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting Obfuscated Traffic – Part 4 →

Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3

We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. And in part 2, we decrypted Cobalt Strike traffic starting with a private … Continue reading Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3 →