DFIR & Threat Hunting

Professional digital forensics and incident response services

Authentication

Secure access to our DFIR tools and services with multi-factor authentication

Artifact Collection

Comprehensive artifact collection and secure transfer to analysis environment

Analysis Workspace

Advanced analysis tools in a secure virtual environment

DFIR Process Timeline

Our DFIR Process

DFIR Report Case Study

Investigations Report

Prepared for: XYZ Company

Incident Name: IRForensicsTest

Technical Findings Details

  • Indicators of Compromise (IoCs)
  • Evidence of Compromise
  • Technical Details

WIN10PERSONAL | Real-time protection is disabled.

Pre-stage activity @ 2023-01-06 14:13:18.0000

Provider: Microsoft-Windows-Windows Defender
Level: Information
Event ID: 5001
Computer: Win10Personal
Message: Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.

WIN10PERSONAL | Suspicious base64 string PowerShell

2023-01-06 22:24:31.3295

Suspicious Base64 encoded PowerShell command.

Log Name: Windows PowerShell
Source: PowerShell
Event ID: 600 (Level 4, Task 6, Keywords 0x80000000000000, Record 199)
Channel: Windows PowerShell
Computer: Win10Personal
Message: Registry Started
  ProviderName=Registry
  HostVersion=5.1.17763.316
  HostId=e18b4d37-82ac-493b-b952-23aa2a408be5
  HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -W Hidden -Exec Bypass -Command cd /;$fileBase64Prefix =;$fileBase64Prefix= $fileBase64Prefix +;$fileBase64Prefix= $fileBase64Prefix +;$fileBase64Suffix=
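The two records above (a Defender event 5001 showing real-time protection disabled, followed hours later by a PowerShell event 600 whose host application was launched with a hidden window, an execution-policy bypass and base64 handling) are the pairing a hunter would want to match automatically across a host's event logs. The following Python is an added example, not part of the report, and runs over constructed sample records modelled on those two events; the base64 value and the benign third record are made up.

```python
import re

# Constructed sample records modelled on the two events in the report (sample data, not real evidence).
SAMPLE_EVENTS = [
    {"time": "2023-01-06 14:13:18", "host": "Win10Personal", "provider": "Microsoft-Windows-Windows Defender",
     "id": 5001, "message": "Windows Defender Antivirus Real-time Protection scanning for malware "
                            "and other potentially unwanted software was disabled."},
    {"time": "2023-01-06 22:24:31", "host": "Win10Personal", "provider": "PowerShell", "id": 600,
     "message": "Registry Started ProviderName=Registry HostVersion=5.1.17763.316 "
                "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                "-W Hidden -Exec Bypass -Command cd /;$fileBase64Prefix='QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=';"},
    {"time": "2023-01-06 03:00:00", "host": "Win10Personal", "provider": "PowerShell", "id": 600,
     "message": "Registry Started ProviderName=Registry HostVersion=5.1.17763.316 "
                "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                "-File C:\\Scripts\\nightly-backup.ps1"},  # constructed benign baseline record
]

# Patterns for the indicators the report calls out, accepting abbreviated and long-form switch spellings.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
EXEC_BYPASS = re.compile(r"-(?:exec|executionpolicy|ep)\s+bypass", re.I)
BASE64_HINT = re.compile(r"\$\w*base64\w*|FromBase64String|-e(?:nc|ncodedcommand)\s", re.I)
BASE64_BLOB = re.compile(r"(?<![\w\\])[A-Za-z0-9+/]{24,}={0,2}(?![\w\\])")  # long base64-looking run


def score_event(ev):
    """Return the list of indicator names that match one event record (empty list if none)."""
    reasons = []
    if ev["id"] == 5001 and "Defender" in ev["provider"]:
        reasons.append("defender-realtime-disabled")
    if ev["id"] == 600 and ev["provider"] == "PowerShell":
        # Only the HostApplication command line is inspected, not the rest of the message.
        host_app = ev["message"].split("HostApplication=", 1)[-1]
        if HIDDEN_WINDOW.search(host_app):
            reasons.append("hidden-window")
        if EXEC_BYPASS.search(host_app):
            reasons.append("exec-policy-bypass")
        if BASE64_HINT.search(host_app) or BASE64_BLOB.search(host_app):
            reasons.append("base64-in-command")
    return reasons


def build_timeline(events):
    """Chronological (time, host, event id, reasons) rows for flagged events only."""
    rows = [(ev["time"], ev["host"], ev["id"], score_event(ev)) for ev in events]
    return sorted(row for row in rows if row[3])


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

The timeline orders the Defender tamper event before the obfuscated PowerShell launch, which is the sequence the report labels pre-stage activity followed by execution.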

Recommendation

  • Malware Eradication
  • System Recovery
  • Future Prevention

Recommendations

Below are security considerations that could have helped prevent this incident.

Actions for Mimikatz or similar Malware

Multiple known malware families are used to harvest credentials and establish persistence in the environment.