Mindmap Demystifying the “SVCHOST.EXE” Process and Its Command Line Options

Nasreddine Bencherchali published an article on Demystifying the “SVCHOST.EXE” Process and Its Command Line Options where he describes how the svchost.exe process works, the different command line flags it uses and which two registry keys are important. For my own notes I documented his article in a mindmap.

From threat intelligence to client scanning

An antivirus solution is an indispensable component in your defence arsenal but it does not protect you against all threats. Complimentary to an antivirus is Loki, an open-source IOC scanner. Loki is a scanner that allows you to search for intrusion activity such as

Network connections to C2 servers or malicious domains; Presence of files related to APT activity; Process anomalies such as malicious implants or patches in memory ; Credential dump activities; Checks forRead more.

A walkthrough of Watcher

One of the nice things of working in infosec is that there is always a new tool available to make your work easier. It can also cause a lot of frustration, as there is yet another new tool that you need to master. A tool I recently discovered is Watcher, a platform for discovering new cybersecurity threats targeting your organisation. Some of its key features include

Detecting emerging trends via social networks and RSS feeds;Read more.

Analyse Linux (syslog, auditd, …) logs with Elastic

The Elastic stack is a great tool to quickly visualise large volumes of log files. In a previous post I described how to load stored Windows EVTX logs in Security Onion, with the help of Winlogbeat. In this new post I describe something similar with the goal to analyse Linux auditd logs with Elastic. Instead of using the Elastic stack of Security Onion I use an Elastic cluster via Docker and instead of storing theRead more.

RDP Honeypots

In a recent post the SANS ISC warned of an increase in RDP Scanning. Although the initially reported number was adjusted downward later, there is still an increase in exposed RDP servers. It would be interesting to track the volume of RDP scans, and the credentials used in the scan. Let’s run an RDP honeypot.

One of these RDP honeypots is written by Sylvain Peyrefitte, RDPY. RDPY is more than just a RDP honeypot. ItRead more.

COVID-19 Blocklists

A lot of good initiatives popped up recently to combat malicious activity related to the Corona pandemic.

A MISP instance for tracking COVID-19 activity; A list of domains which provides legitimate COVID-19 services; The Slack channel of COVID19 Cyber Threat Coalition; The COVID-19 CTI League; Public MISP feed by DCSO; And a feed by 1984.sh; Threat reports by RiskIQ; A COVID-19 threat list by domaintools; The COVID-19 domain classifier by SANS; A MISP warning listRead more.

Sysmon not logging all process creation events (Calculator and other sandboxed apps)

System Monitor or Sysmon is a Windows system service and device driver that provides event data on process creation, network connections and file alterations. It is one of the most powerful tools available for security monitoring and gives detailed insight on what is happening on an endpoint.

Sysmon can be started from the command line, with a specific set of modules and processes to monitor but will in most cases be installed as a serviceRead more.

Parse stored Windows Event logs with Security Onion

Security Onion is a free tool to monitor for suspicious activity in network events. I find it very easy to use, especially if you integrate the MISP threat data with the Bro -Zeek- intelligence framework. Besides investigating network events, you can also use it to analyze Windows Event logs, both from a live event stream and for analyzing stored Windows events.

Winlogbeat, part of Elastic, is the shipper that we will use to send theRead more.

Which Incident Response Investments Are You Prioritizing in 2020?

I published an article on the IBM SecurityIntelligence blog on to Which Incident Response Investments Are You Prioritizing in 2020?

The post describes that improving incident response plans should be the number one priority for future investment, but there are other pressing areas to consider as well. Invest in the Future of Digital Forensics, especially in light of further inclusion of cloud, BYOD and IoT related devices. Get Ready for Changes in Network Monitoring asRead more.

Use Sysmon DNS data for incident response

Recent versions of Sysmon support the logging of DNS queries. This is done via event ID 22 in Applications and Services Log > Microsoft > Windows > Sysmon Operational.

To enable DNS logging, you need to include the section DnsQuery in your Sysmon configuration file. For example via

Note that enabling DNS queries can be noisy. It’s best to apply filtering as proposed by the SwiftOnSecurity sysmon config file and, additionally, filter out the commonlyRead more.