Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.

Attackers have long been searching for ways to meddle with the day-to-day operations of an average computer user. It’s no wonder the Microsoft Office suite has been one of the key targets of adversaries to compromise endpoints. What better than to dispatch a seemingly-harmless office document to a rather naive user? It’s mayhem.

Owing to the popularity of Office documents as a technique to carry out execution, I’ll be discussing an interesting strategy employed by attackers to further increase the chances of evasion. Although first brought to light by Didier Stevens in February 2020 — the technique VBA Purging is…

The article is a write-up for challenge number one — the Web Server Case — by Ali Hadi on his blog, ‘ashemery.com’. The premise is set to:

A company’s web server has been breached through their website.

Image for post
Image for post


For this investigation, we’re asked to answer the following questions:

  1. What type of attacks has been performed on the box?
  2. How many users has the attacker(s) added to the box, and how were they added?
  3. What leftovers (files, tools, info, etc) did the attacker(s) leave behind? (assume our team arrived in time and the attacker(s) couldn’t clean and cover their tracks)
  4. What software…

Image for post
Image for post

Sysmon, short for System Monitor, is a utility tool developed by Mark Russinovich, as part of the Sysinternals suite. The utility is registered in a Windows box as a system service and a device driver, which in sync, help log activities across the environment to the Windows Event log. Just a quick analysis of the logs generated by Sysmon can help identify malware, intrusions, and breaches within the network.

What Does Sysmon Do?

Due to active development of the project, newer artifacts and evidence sources are constantly being added to Sysmon’s capabilities. …

It’s unfortunate that the Windows Command Prompt, the descendant of the prehistoric command.com from MS-DOS, has no persistent storage of command execution. It does, however, support temporary storage of commands executed in an active session. So, if an attacker proceeds to enumerate other hosts or ex-filtrate data using a console window, does a defender have no means of identifying the execution of a binary? Well, it’s not entirely true.

Auditing Process Creations

Windows does support command-line auditing or process creation auditing to some extent.

The event ID, 4688, is widely recognized on Windows operating systems for “Process Creation”.

Although the auditing for process…

Image for post
Image for post
Nasty Rootkits hiding in memory? No more!

Ah, the sweet days of running your memory sample through volatility. It’s not over yet — but Microsoft has done an amazing job at releasing a new service, which can perform a full-blown volatile memory analysis of a Linux system, with special focus on detecting rootkits.

Let’s go in a little more detail now.

What is ‘Freta’?

‘Project Freta’ is a free, cloud-based solution by Microsoft which can be used to automated full-system volatile memory analysis of Linux systems — the memory has to be acquired in order to generate reports using Freta.

Freta is available for usage/automation via:

  • Command-line interface
  • Programmatic API…

Before you get started with the deployment of QRadar in your infrastructure, you need to understand the several components it makes use of to function properly. IBM QRadar SIEM (Security Information and Event Management) features a modular architecture where you can scale its deployment to add on more devices, endpoints, and machines in your infra to help with your analysis and logging needs. You can also add in modules to help with the analysis, which are easily provided by IBM on the App Exchange. The list includes but is not inclusive to:

  • QRadar Vulnerability Manager
  • QRadar Risk Manager
  • QRadar Watson…

What are DLLs?

Dynamic-link Libraries (DLLs) are Microsoft’s implementation of shared code on the Windows Operating System. By means of modularizing code into smaller segments and individual files, Windows applications can utilize this shared code. This allows them to avoid including the same piece of code, again and again.

Usually, the functions written in a DLL file are exportable. The DllMain function in a particular file carries out the basic tasks, whereas the individual functions can then be imported into code as well. For example, you can load the ws2_32.dll library by using the LoadLibrary API call and then, make use of the…

Image for post
Image for post

As a service provider, ensuring availability and reliability is fairly important. One of the many methods which can allow you to ensure these two traits is load sharing and load balancing.

What is Load Sharing and Balancing?

If you have multiple network resources operating, you might want to consider breaking down the load on each of these resources. For example, if one server is responding to queries continuously, the others (say 3 for the sake of this example), shouldn’t be waiting for the first server to stop responding. Rather, the four servers should begin to share the load. …

Image for post
Image for post

The internet is restrained with a certain number of devices being able to operate using the IPv4 scheme. A workaround this problem was the introduction of private address spaces. An organization or a privately run firm can separate its networks into private address spaces.

However, if you wished to connect from the private space to the global internet, how would you do that?

Network Address Translation (NAT) is commonly used to set up a one-to-one mapping or connection between the private address and a globally routable address (public address). So, if the private system at wanted to connect to…

Image for post
Image for post

The TCP/IP stack is a suite of protocols. It is based on the OSI model which acts as the reference model for several other network architecture models as well.

Layers of the TCP/IP Stack:

The TCP/IP protocol suite follows the following layer architecture:

  • Application Layer (encompasses the Application, Presentation, and the Session layers of the OSI)
  • Transport Layer
  • Internet Layer (formerly known as the Network layer)
  • and the Network Access layer (encompasses the Data-link and Physical layers of the OSI model)

Protocols Used in Layers:

As discussed, the TCP/IP stack is a suite of protocols which are followed at each…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store