Investigating an engineering workstation – Part 2

In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. The TIA Portal maintains a file called “Settings.xml” under the following path: C:\Users\$USERNAME\AppData\Roaming\Siemens\Portal V15_1\Settings\. Please remember we … Continue reading Investigating an engineering workstation – Part 2

Vulnerability Management in a nutshell

Introduction Vulnerability Management plays an important role in an organization's line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blogpost will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses. What is Vulnerability … Continue reading Vulnerability Management in a nutshell

Hunting Emotet campaigns with Kusto

Introduction Emotet doesn't need an introduction anymore - it is one of the more prolific cybercriminal gangs and has been around for many years. In January 2021, a disruption effort took place via Europol and other law enforcement authorities to take Emotet down for good. [1] Indeed, there was a significant decrease in Emotet malicious … Continue reading Hunting Emotet campaigns with Kusto

Cortex XSOAR Tips & Tricks – Tagging War Room Entries

Introduction The war room in Cortex XSOAR incidents allows a SOC analyst to do additional investigations by using any command available as an automation or integration command. It also contains the output of all tasks used in playbooks (if not in Quiet mode). In this blogpost we will show you how to format output of … Continue reading Cortex XSOAR Tips & Tricks – Tagging War Room Entries

Investigating an engineering workstation – Part 1

In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction … Continue reading Investigating an engineering workstation – Part 1

Cobalt Strike: Memory Dumps – Part 6

This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted Cobalt Strike traffic starting with … Continue reading Cobalt Strike: Memory Dumps – Part 6

DeTT&CT : Mapping detection to MITRE ATT&CK 

Introduction Building detection is a complex task, especially with a constantly increasing amount of data sources. Keeping track of these data sources and their appropriate detection rules or avoiding duplicate detection rules covering the same techniques can give a hard time to detection engineers. For a SOC, it is crucial to have an good overview … Continue reading DeTT&CT : Mapping detection to MITRE ATT&CK