Introduction Emotet doesn't need an introduction anymore - it is one of the more prolific cybercriminal gangs and has been around for many years. In January 2021, a disruption effort took place via Europol and other law enforcement authorities to take Emotet down for good.  Indeed, there was a significant decrease in Emotet malicious … Continue reading Hunting Emotet campaigns with Kusto
This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. In part 1, we explain that Cobalt Strike traffic is encrypted using RSA and AES cryptography, and that we found private RSA keys that can help … Continue reading Cobalt Strike: Overview – Part 7
Introduction The war room in Cortex XSOAR incidents allows a SOC analyst to do additional investigations by using any command available as an automation or integration command. It also contains the output of all tasks used in playbooks (if not in Quiet mode). In this blogpost we will show you how to format output of … Continue reading Cortex XSOAR Tips & Tricks – Tagging War Room Entries
In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction … Continue reading Investigating an engineering workstation – Part 1
This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted Cobalt Strike traffic starting with … Continue reading Cobalt Strike: Memory Dumps – Part 6
Introduction Building detection is a complex task, especially with a constantly increasing amount of data sources. Keeping track of these data sources and their appropriate detection rules or avoiding duplicate detection rules covering the same techniques can give a hard time to detection engineers. For a SOC, it is crucial to have an good overview … Continue reading DeTT&CT : Mapping detection to MITRE ATT&CK
When you work for NVISO, we invest heavily in your personal development: to ensure you reach your full potential as a top class cyber security specialist.
If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. You can use the SHA-1 extracted from the Amcache … Continue reading Amcache contains SHA-1 Hash – It Depends!
Introduction On March 2nd 2022, I observed a new Advanced Hunting table in Microsoft 365 Defender: UrlClickEvents Figure 1 - UrlClickEvents table At time of writing, this table is not yet present in every Office 365 tenant, and the official documentation does not contain information about it. A quick peak at the events it contains … Continue reading Drilling down on phishing campaigns with UrlClickEvents
Introduction When developing the automated SOC workflows for the NVISO Managed SOC and the additional NITRO services on Cortex XSOAR, we have started to make use of automations to do complex tasks instead of playbooks. Automations have much better performances and, if your team has a decent level of Python skills, developing complex tasks in … Continue reading Cortex XSOAR Tips & Tricks – Execute Command Function