markmckinnon

4.2K posts

@markmckinnon

Hudsonville, MI. Joined April 2008
209 Following, 377 Followers
markmckinnon retweeted
Cyber Triage @cybertriage
Windows registry can contain evidence of:
→ Execution
→ Persistence
→ Data accessed
Our overview of the registry and tools for analyzing it: cybertriage.com/blog/2025-guid…
markmckinnon retweeted
Cyber Triage @cybertriage
3 reasons attackers use WMI Event Consumers:
→ Stealth and evasion
→ Fileless persistence
→ Event-driven execution
Learn how to investigate evil WMI event consumers: cybertriage.com/blog/how-to-in…
markmckinnon retweeted
Cyber Triage @cybertriage
Are you ready? @carrier4n6 teaches endpoint triage tomorrow! Triage investigations tell you:
→ What happened on your system
→ What to prioritize during the investigation
Don’t be a square. (Or, do be?) Either way, here’s how to register: attendee.gotowebinar.com/register/14271…
markmckinnon retweeted
Cyber Triage @cybertriage
4 user activity insights from jump lists:
→ Files a user has accessed
→ Applications used to access files
→ Frequency files have been accessed
→ Evidence of files no longer on the system
Learn how our DFIR experts do jump list forensics: cybertriage.com/blog/jump-list…
markmckinnon retweeted
Cyber Triage @cybertriage
The DFIR concept you should be using (but aren’t) ⤵ “Information Artifacts”
Learn how to use this concept to make your investigations more efficient from @carrier4n6: cybertriage.com/blog/informati…
markmckinnon retweeted
Cyber Triage @cybertriage
EDRs won’t collect all DFIR Artifacts. 5 ways to deploy DFIR tools to help your investigation ⤵ Try all these methods with Cyber Triage Team + SentinelOne Singularity, Windows Defender, and CrowdStrike Falcon. P.S. Which method do you use?
markmckinnon retweeted
Cyber Triage @cybertriage
3 examples of sneaky remote access:
Malicious RATs
Commercial Remote Access
Remote Windows Access
Attackers can use these to place incriminating evidence on an innocent user’s system. A suspect can claim the “Trojan Defense”. How to back your claim: cybertriage.com/blog/dfir-arti…
markmckinnon retweeted
Cyber Triage @cybertriage
Why “adaptive” collection kicks @$$
DFIR collection is about 2 things:
#1 Getting all the evidence.
#2 Getting it quickly.
“Static” collectors focus only on #2. “Adaptive” collectors do both. (That’s why Cyber Triage comes with one.)
Learn more → cybertriage.com/blog/adaptive-…
markmckinnon retweeted
Cyber Triage @cybertriage
Think your Linux system is compromised? Investigate it with UAC ⤵ UAC is an open-source static collection tool designed to collect key forensic artifacts from “nix” systems. Review the suspicious items in the output with Cyber Triage! cybertriage.com/blog/collectin…
markmckinnon retweeted
Cyber Triage @cybertriage
Attackers can evade you with one *tiny* change. It can cause you to not detect malware and miss evidence in your investigation. Learn how Cyber Triage uses ImpHash to detect fuzzy hashes in malware: cybertriage.com/blog/intro-to-…
markmckinnon retweeted
Cyber Triage @cybertriage
4 EDR blindspots for DFIR:
• Attackers can avoid EDRs
• Retention policies limit data
• Detection focus also limits data
• Bias against false positives misses investigative clues
Augment your Windows Defender with CT to avoid these blindspots: cybertriage.com/blog/how-to-in…
markmckinnon retweeted
Cyber Triage @cybertriage
DFIR Breakdown: Impacket Remote Execution Activity – atexec
This blog post focuses on the script atexec.py, which can be abused by threat actors, and how to detect its remote execution activity from various DFIR artifacts. cybertriage.com/blog/dfir-brea…
markmckinnon retweeted
Cyber Triage @cybertriage
Have you ever needed to collect DFIR artifacts using a local non-DFIR person who didn’t want to use the command line? Check out this video included in our freely available training course materials now up on our YouTube channel! youtube.com/watch?v=fOT_Sa…
markmckinnon @markmckinnon
Glad I chose @Arbys drive thru tonight. Would have been nice to get the chicken portion of my chicken bacon and Swiss sandwich. Highlight of the meal were the fries dipped in Arby’s and horsey sauce as they were the only thing correct in the order.
markmckinnon retweeted
Cyber Triage @cybertriage
New "DFIR Next Steps" post on what to do when an alert relating to the use of curl.exe is raised. This post walks through a scenario suspecting that curl was used to download a rootkit or malware to the host and the three steps to take afterwards. cybertriage.com/blog/dfir-next…
markmckinnon retweeted
Cyber Triage @cybertriage
DFIR Breakdown: Using Certutil To Download Attack Tools
Windows certutil is a Windows utility that is used by threat actors during an attack to achieve some malicious goal by installing their own certificates on a system. Learn more and be prepared: hubs.li/Q02HYsDV0
markmckinnon retweeted
Brian Carrier @carrier4n6
#LearnDFIR next week with a Fuzzy Malware Hashing Webinar. Tues at 1PM Eastern. We’ll look at:
* Several fuzzy matching algorithms, such as ImpHash, ssdeep, and TLSH.
* Pros and cons of them
* Which can be used in DFIR
attendee.gotowebinar.com/register/30107…