Infosec – Blog

Posted in HowTo, Infosec

Analyze Emotet and Trickbot with NetworkMiner and Suricata

As I explained in the previous post, NetworkMiner and Suricata are a great combination for performing quick and straightforward network forensics on captured traffic. Overview NetworkMiner provides a

Posted in HowTo, Infosec

Quick and easy setup for NetworkMiner and Suricata to perform network forensics

Many people know Suricata as network intrusion detection (IDS) system, i.e. acting on live traffic; many people know NetworkMiner as network forensics tool, i.e. acting on recorded traffic (e.g. in

Posted in Infosec

Sysmon v11.10 reads Alternate Data Streams

A few days ago, the new version 11.10 of Sysinternals Sysmon was released. Despite the minor version increase from 11.0 it ships with an exciting new feature: Reading NTFS Alternate Data Streams

Posted in Infosec

Collection of Windows commands abused by attackers

Only recently I stumbled upon a slightly dated but still relevant post published on the Japanese CERT blog: Windows Commands Abused by Attackers. The list is separated into the different attack

Posted in HowTo, Infosec, Python

Script to enumerate Windows events with name, ID, security monitoring recommendation, URL

When setting up and tuning a SIEM solution, you will write a lot of rules to detect well-known and arising security threats. If you need to protect systems running on Windows, you can use

Posted in Infosec

As DoH gains traction, some thoughts on DNS security and privacy

DNS – the Domain Name System – is a main cornerstone of the internet. Whenever you are browsing to a website, chances are high that your request will first go to one of the 1091 (as of

Posted in Infosec

Why you do not want to have “all” data in your SIEM

A common task when working with a SIEM is to onboard new technologies: In order to discover and alert on hackers attacking your new cloud instance|shopping website|password vault you need to see the

Posted in Infosec

Corona-induced home office: Bad for security, great for finding out who has an affair with whom

While the white-collar world was hastily relocating into the home office, IT departments were busy getting their hands on all remaining laptops, setting up VPN client software, and hoping that

Posted in Infosec

Sysmon 11.0 released: Spot hidden tracks even better

In the past I wrote a blog post about Process Explorer to find hidden threats on potentially compromised systems. As I said back then, Process Explorer is part of a suite called Sysinternals, which

Posted in HowTo, Infosec

Reading encrypted network traffic & why connection coalescing, session resumption and perfect forward secrecy help

Wireshark is a very useful tool for network troubleshooting, but also for Blue (discover attacks) and Red (sniff secrets) security teams. Nowadays most communication will be encrypted, which makes it