Search Results

With businesses and individuals rapidly shifting their data to the cloud , digital forensic investigations have become more complex. Traditional endpoint analysis is no longer sufficient, as critical evidence often resides on third-party servers . The widespread adoption of cloud storage applications  like OneDrive, Google Drive, Dropbox, and Box  has introduced n ew security risks and forensic challenges . Investigators must now determine: ✅ What cloud applications are installed on a system ✅ Which user accounts were used for authentication ✅ What files exist locally and in the cloud ✅ How files have been uploaded, downloaded, or shared ✅ Whether deleted files can be recovered Why Cloud Storage Forensics Is Important Cloud storage services are often under-audited in enterprise environments , making them a prime target  for: 🚨 Insider threats  – Employees using personal accounts to exfiltrate company data 🚨 Cybercriminals  – Hackers leveraging cloud storage for data theft or malware distribution🚨 Accidental data leaks  – Sensitive files mistakenly shared or synced to personal devices ------------------------------------------------------------------------------------------------------------ Key Forensic Data from Cloud Storage Applications Cloud storage applications leave behind substantial forensic evidence  on a user’s system. Below are the most critical artifacts to analyze: 1️⃣ Identifying Installed Cloud Applications & User Accounts The first step in an investigation is determining: Which cloud storage applications are installed Which user accounts are logged in Where cloud files are stored locally 💡 Why This Matters: Many organizations fail to monitor unauthorized cloud apps , allowing employees or attackers to store data outside of approved platforms . 2️⃣ Files Available Locally & in the Cloud Cloud storage services maintain databases  that track: ✅ Files stored locally ✅ Files available only in the cloud ✅ Deleted files  (sometimes recoverable) ✅ Files shared with the user  from other accounts 💡 Why This Matters: These records can reveal data exfiltration attempts , hidden documents , or deleted evidence  that might not be visible through normal file system analysis. 3️⃣ File Metadata (Timestamps, Hashes, & Paths) Most cloud storage applications track: ✅ File creation & modification times ✅ File size ✅ Full path location ✅ Cryptographic hashes (MD5, SHA1, or SHA256) 💡 Why This Matters: Tracking file metadata helps investigators identify when files were created, modified, or moved , even if they no longer exist on the local system. 4️⃣ File Transfer Logs (Uploads, Downloads & Synchronization) Cloud storage services track how files are transferred between devices . These logs help answer questions like: Was a file uploaded from this system to the cloud? Was a cloud-only file downloaded to this device? Was a file moved between different cloud folders? 💡 Why This Matters: This information is crucial in data breach investigations  or insider threat cases  to track file movements. 5️⃣ User Activity & Account Logs Some business-grade c loud storage applications provide detailed activity logs , including: ✅ When users log in & from what IP addresses ✅ What files they access, edit, or delete ✅ Which files were shared externally 💡 Why This Matters: This can reveal unauthorized access, suspicious downloads, or attempts to erase evidence . ------------------------------------------------------------------------------------------------------------ Forensic Challenges in Cloud Storage Investigations 🔴 1. Limited Local Evidence Many cloud files exist only in the cloud  and are not stored locally  unless synced . Investigators must rely on: Cloud provider logs (if accessible) Database files that track cloud-stored files "Files on Demand" cache (if available) 🔴 2. Data Commingling Between Personal & Business Accounts U sers often log into both personal and business cloud accounts  on the same device, leading to data mixing . This complicates: Determining which account uploaded a file Investigating unauthorized transfers between accounts 🔴 3. Selective Sync & "Files on Demand" Features Newer cloud storage services do not automatically sync all files  to a device . Instead, they provide on-demand access , meaning: The file is only downloaded when accessed Some files may never have existed locally Investigators must determine whether a file was ever present on the system  or only stored in the cloud. 🔴 4. Remote Deletion of Evidence Cloud-stored files can be deleted remotely , meaning: The file is no longer accessible from the local system Investigators may need to request logs or backups from the cloud provider 🔴 5. Encryption & Secure Cloud Storage Some cloud storage solutions offer: ✅ End-to-end encryption  (making file contents inaccessible to forensic tools) ✅ Zero-knowledge storage  (where even the provider cannot access files) In such cases, investigators may need user credentials  or court-ordered access to provider logs . ------------------------------------------------------------------------------------------------------------ Upcoming Cloud Storage Forensic Series In our next articles, we will deep-dive into forensic investigations  for the most popular cloud storage platforms: 🔹 OneDrive Forensics 🔹 Google Drive Forensics 🔹 Dropbox Forensics 🔹 Box Cloud Storage Forensics ------------------------------------------------------------------------------------------------------------ Final Thoughts: Why Cloud Storage Forensics Matters Cloud storage has become a critical blind spot in forensic investigations . As more businesses and individuals move data to OneDrive, Google Drive, Dropbox, and Box , forensic professionals must adapt their techniques to: ✅ Track cloud-stored files, even if they are not locally available ✅ Investigate deleted cloud files & remote evidence ✅ Identify unauthorized cloud activity & data exfiltration attempts 🚀 Stay tuned for our next deep-dive article on OneDrive forensics!  🔍 ----------------------------------------------Dean----------------------------------------------------

Over the 3 years period , I’ve created numerous articles on forensic tools and incident response (IR). This time, I want to take a step back and focus on how to handle an incident investigation. This guide will specifically highlight incident response workflows using Velociraptor  and KAPE . If you're looking for the forensic part of investigations, check out my other articles —or let me know, and I’ll create one soon! For those unfamiliar , I’ve written a series of articles  diving deep into Velociraptor: from configuration to advanced usage. You can find those articles https://www.cyberengage.org/post/exploring-velociraptor-a-versatile-tool-for-incident-response-and-digital-forensics https://www.cyberengage.org/post/setting-up-velociraptor-for-forensic-analysis-in-a-home-lab https://www.cyberengage.org/post/navigating-velociraptor-a-step-by-step-guide Now, let’s dive into incident response without overcomplicating things ------------------------------------------------------------------------------------------------------------- Why Velociraptor’s Labels Matter One of Velociraptor's standout features is Labels , which play a critical role in investigations. They help you categorize, organize, and quickly identify relevant endpoints. While I can’t show you live client data due to privacy reasons , I'll provide detailed examples to help you understand the process. Remember, this article assumes you’ve read my previous Velociraptor articles; they provide the foundational knowledge you'll need here. ------------------------------------------------------------------------------------------------------------- Scenario: Investigating a Phishing Attack Imagine you’re responding to an incident involving a client with 100 endpoints. Attack Overview: The client fell victim to a phishing email. An attachment in the email was opened, initiating the attack. The client has isolated the environment by cutting off external connectivity. Their key questions are: (Before forensic) How many users opened the attachment? What files were created, and where? Which endpoints were infected? The client doesn’t have EDR or SIEM tools. Yes, it’s not ideal, but in the real world, this happens more often than you’d think. ------------------------------------------------------------------------------------------------------------- Deploying Velociraptor Agents First, configure your Velociraptor server (refer to my previous articles for detailed steps). Provide the client with the necessary token and instructions to roll out Velociraptor using GPO (Group Policy Objects). Key Points: Velociraptor isn’t a typical agent-based EDR. It doesn’t modify the system drastically, making it less intrusive and easier to handle. Once the client deploys the agents across endpoints, all devices will begin appearing in your Velociraptor console. ------------------------------------------------------------------------------------------------------------- Automating Labels for Large Environments Let’s say the client has rolled out Velociraptor to 100 endpoints . Manually assigning labels to each endpoint is impractical . Instead, you can automate this process: Click the eye icon  in Velociraptor. Search for Server.Monitor.Autolabeling.Clients. Launch the rule. With this rule enabled, Velociraptor will automatically assign labels to new clients as they connect, streamlining your workflow. ------------------------------------------------------------------------------------------------------------- Investigating the Malicious Attachment The client informs you of the attachment name (e.g., 123.ps1) . Your goal is to determine: How many endpoints have this file. The file's location on each endpoint. Here’s how to proceed: Step 1: Create a Hunt Navigate to the Hunts  section. Use the FileFinder artifact to configure the hunt. Configuration Example: If you’re looking for 123.ps1, set the search parameter as: Step 2: Launch the Hunt Once launched, Velociraptor will search for the specified file across all endpoints. You can view the results under the Notebook  tab. Output: Improving Readability of Results By default, the output may not be user-friendly, especially if it contains 20-30 artifacts. To make the data more readable: Click t he edit icon  in the Notebook. Paste the following query : SELECT Fqdn, OSPath, BTime AS CreatedTime, MTime AS ModifiedTime FROM source(artifact="Windows.Search.FileFinder") LIMIT 50 Run the query, and you'll see a neatly formatted output. Now after this see below screenshot (How good and easy view it have become right?) ------------------------------------------------------------------------------------------------------------- Labeling Infected Endpoints Let’s say you identify 20 infected endpoints out of 100. To make tracking easier, label these endpoints as Phishing . Here’s the query to do so: SELECT Fqdn, OSPath, BTime AS CreatedTime, MTime AS ModifiedTime, label(client_id=ClientId, labels=['Phishing'], op='set') AS SetLabel FROM source(artifact="Windows.Search.FileFinder") This automatically assigns the label Phishing  to all infected devices(20 device), simplifying your investigation. Example: In my case Before running automate query: After running the note book: After Running query in notebook Once you have identified 20 endpoints that have opened the file or downloaded the attachment , the next step is to determine which users these endpoints are associated with for further investigation. There are multiple ways to accomplish this. Like: Asking Client each endpoint belong to which user or using velociraptor live query method: Running live query: Create hunt for only endpoint which label is phishing or crowdstrike previously (This is where label become more useful instead of running hunt to all endpoint we can run hunt on only labelled endpoints to get data see how useful label become) Select Hunt you want to run in this case Windows.sys.allusers Launch the hunt and you will get the endpoint belong to which user( this user information will be usefull in our next hunt) Once you run this hunt, use a notebook to extract a list of all affected users and their respective laptops. This initial step helps you identify around 20 laptops belonging to users who potentially acted as "patient zero." ------------------------------------------------------------------------------------------------------------- Tracing Lateral Movement Next, we investigate whether these 20 users logged into other laptops beyond their assigned ones . To do this: Launch a hunt using Windows Event Logs: RDP Authentication . While configuring the hunt, use a regular expression (regex) to include the usernames of the 20 suspected users. For example: Above example(Screenshot) is for single user If you want to add multiple users use below regex .*(Dean\.amberose|hana\.wealth|Chad\.seen|jaye\.Ward).* This pattern helps track these users across multiple endpoints . However, this step may produce a large dataset with many false positives . To refine the results, analyze the output in a notebook. Output Before running notebook As u see screenshot when i run the query I got 60 result u can see why we need to minimize it(Because if u run same query on 20 endpoints in real scenario output will be very intense) Minimizing False Positives To reduce noise, use a carefully crafted query. For example: SELECT EventTime, Computer, Channel, EventID, UserName, LogonType, SourceIP, Description, Message, Fqdn FROM source(artifact="Windows.EventLogs.RDPAuth") WHERE ( (UserName =~ "akash" AND NOT Computer =~ "Akash-Laptop") OR (UserName =~ "hana.wealth" AND NOT Computer =~ "Doctor") ) AND NOT EventID = 4634 -- Exclude logoff events AND NOT (Computer =~ "domaincontroller" OR Computer =~ "exchangeserver" OR Computer =~ "fileserver") ORDER BY EventTime This query excludes routine logons to systems like domain controllers or file servers, focusing on suspicious activity. Modify it further based on your environment to suit your needs. Output After running the notebook If needed, run additional hunts, such as UAL (User Access Logs)  for servers . You can use below hunt from velociraptor. By analyzing these logs, you can map which accounts accessed which systems, providing insights into lateral movement. for server as well. Use this information to update labels, marking new suspected endpoints for further investigation. If you want to learn more about UAL how to parse and analyse it, check out my article below: https://www.cyberengage.org/post/lateral-movement-user-access-logging-ual-artifact ------------------------------------------------------------------------------------------------------------- Hunting for Suspicious Processes and Services To understand the attack's scope and detect malicious activities, examine the processes and services running across all endpoints. For service use below hunt and for processes i will show practice: Let start with processes: Automated Process Hunting We will run this Process hunting in two way First without using notebook hunt itself: Run a hunt using Windows.System.Pslist . When configuring parameters, check the option to focus on "untrusted authenticated code. " This will flag processes not signed by trusted authorities , providing their hash values. Second running hunt first (without untrusted authenticated code box check) and then using Notebook : Lets run same hunt as previously without untrusted authenticated code  box check As soon as i run the hunt i got 291 processes on one endpoint lets suppose if u run this hunt on 100 endpoints how many processes u will get damn analysis will be worst: Worry not if used second method, I have a notebook for you to make analysis easy Query: For a more detailed approach, use this query in a notebook: SELECT Name,Exe,CommandLine,Hash.SHA256 AS SHA256, Authenticode.Trusted, Username, Fqdn, count() AS Count FROM source(WHERE Authenticode.Trusted = "untrusted" // unsigned binaries // List of environment-specific processes to exclude AND NOT Exe = "C:\\Program Files\\filebeat-rss\\filebeat.exe" AND NOT Exe = "C:\\Program Files\\winlogbeat-rss\\winlogbeat.exe" AND NOT Exe = "C:\\macfee\\macfee.exe" AND NOT Exe = "C:\\test\\bin\\python.exe" // Stack for prevalence analysis GROUP BY Exe // Sort results ascending ORDER BY Count O utput after running above notebook Only 3 detection's with clean output ------------------------------------------------------------------------------------------------------------- Hunting for Suspicious Processes with automated Virus total Scan Imagine you've scanned 100 endpoints and discovered 50 untrusted Processes . Checking their hashes manually would be frustrating and time-consuming. Here's how to simplify this: Output before Virus total automation: Before this keep in mind first you have to run hunt like above once you get output after that use below query or notebook to automate analysis with Virustotal. Use the following query to cross-reference file hashes with VirusTotal, reducing manual overhead(Using note book) // Get a free VirusTotal API key LET VTKey <= "your_api_key_here" // Build the list of untrusted processes LET Results = SELECT Name, CommandLine, Exe, Hash.SHA256 AS SHA256, count() AS Count FROM source() WHERE Authenticode.Trusted = "untrusted" AND SHA256 // only entries with SHA256 hashes // Exclude environment-specific processes AND NOT Exe = "C:\\Sentinelone\\sentinel.exe" GROUP BY Exe, SHA256 // Combine with VirusTotal enrichment query SELECT *, {SELECT VTRating FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256)} AS VTResults FROM foreach(row=Results) WHERE Count < 5 ORDER BY VTResults DESC Outcome: A fter running the query, you get VirusTotal results with file ratings , making it easier to prioritize your efforts. No more manual hash-checking! ------------------------------------------------------------------------------------------------------------ Tracing Parent Processes Once y ou’ve identified malicious processes, the next step is to trace their origins . Here’s how: Set Up a Parent Process Hunt: Suppose you’ve identified these malicious processes: IGCC.exe WidgetService.exe IGCCTray.exe Use the Generic.System.PsTree hunt to map their parent processes. Configure the parameters Configure the parameters by adding the malicious processes in a regex format like this: .*(IGCCTray.exe|WidgetService.exe|IGCC.exe).* In our case Outcome: The output will show the process call chain, helping you identify the parent processes and their origins. This insight is crucial for understanding how attackers gained initial access and their lateral movement within the network. ------------------------------------------------------------------------------------------------------------ Investigating Persistence Mechanisms Persistence is a common tactic used by attackers to maintain access. Let's focus on startup items. Startup Items Hunt: Running this hunt on 100 endpoints can generate a huge amount of data. Use hunt ( Windows.Sys.Star tupItems) For instance, a single endpoint yield 22 startup items (Screenshot below) , and across 100 endpoints, the dataset becomes unmanageable. Filter Common False Positives: Narrow down results what we do is create a notebook or a query which will exclude the files or path client is using in their environment or they aware about or we can assume that those are mostly legit like macfee, ondrive, vmware right. LET Results = SELECT count() AS Count, Fqdn, Name, OSPath, Details FROM source(artifact="Windows.Sys.StartupItems") // Exclude common false positives WHERE NOT OSPath =~ "vmware-tray.exe" AND NOT OSPath =~ "desktop.ini" AND NOT (Name =~ "OneDrive" AND OSPath =~ "OneDrive" AND Details =~ "OneDrive") // Stack and filter results GROUP BY Name, OSPath, Details SELECT * FROM Results WHERE Count < 10 ORDER BY Count O utput after running above notebook: Outcome The refined output is structured, significantly reducing the data volume and allowing you to focus on potential threats . For example, the filtered results might now show only 15 entries instead of hundreds. (You can narrow those down) ------------------------------------------------------------------------------------------------------------ Documentation Is Key Throughout the process: Document all malicious processes, paths, infected endpoints, and related findings. Organize your notes for efficient forensic investigation and reporting. ------------------------------------------------------------------------------------------------------------ Investigating Scheduled Tasks Scheduled tasks often serve as a persistence mechanism for attackers. Here's how to efficiently analyze using velociraptor: Use the hunt Windows.System.TaskScheduler /Analysis artifact to collect scheduled task data. Once the data is collected, run the following query to exclude known legitimate entries from your environment: Query: LET Results = SELECT OSPath, Command, Arguments, Fqdn, count() AS Count FROM source(artifact="Windows.System.TaskScheduler/Analysis")WHERE Command AND Arguments AND NOT Command =~ "ASUS"AND NOT (Command = "C:\\Program Files (x86)\\Common Files\\Adobe\\AdobeGCClient\\AGCInvokerUtility.exe" OR OSPath =~ "Adobe") AND NOT Command =~ "OneDrive" AND NOT OSPath =~ "McAfee" AND NOT OSPath =~ "Microsoft" GROUP BY OSPath, Command, Arguments SELECT * FROM Results WHERE Count < 5 ORDER BY Count // sorts ascending Outcome: By running this query, you’ll exclude known false positives (e.g., ASUS, Adobe, OneDrive), significantly reducing the dataset and narrowing your focus to potentially suspicious tasks. Environment-Specific Adjustments: Tailor the query to your specific environment by adding more exclusions based on legitimate scheduled tasks in your network. ------------------------------------------------------------------------------------------------------------ Analyzing Using Autorun tool Autorun tools is another common tool which can identify attackers seeking persistence . Here's how to analyze them efficiently: Use the hunt Windows.Sysinternals.Autoruns  artifact in Velociraptor to gather autorun data across endpoints. Refine Results with a Notebook Query: Autorun entries often generate a large amount of data . Use the following query to focus on suspicious entries (In notebook) : Query: LET Results = SELECT count() AS Count, Fqdn, Entry, Category, Profile, Description, `Image Path` AS ImagePath, `Launch String` AS LaunchString, `SHA-256` AS SHA256 FROM source() WHERE NOT Signer AND Enabled = "enabled" GROUP BY ImagePath, LaunchString SELECT * FROM Results WHERE Count < 5 // return entries present on fewer than 5 systems ORDER BY Count Outcome: This query filters out signed entries and narrows the results allowing you to focus on anomalies while discarding likely false positives. Customization: Like the scheduled task query, modify this query to include exclusions specific to your environment for more accurate results. ------------------------------------------------------------------------------------------------------------ Document Everything Keep a record of all suspicious entries, including file paths, hashes, and endpoints where they were found. This documentation is essential for both immediate remediation and forensic reporting. Iterate and Adjust Each organization has unique software and configurations. C ontinuously refine your queries to adapt to legitimate processes and new threats. ------------------------------------------------------------------------------------------------------------ So far, we’ve gathered substantial data from scheduled tasks, autorun entries, and identified potential malicious artifacts. Now, let’s take it a step further to ensure that no other endpoints in the environment are compromised Identifying Additional Compromised Endpoints Once we have identified malicious files or processes from our analysis , the next step is to ensure they aren’t present on any other endpoints. We’ll use the Windows.Search.FileFinder  artifact to search for malicious file names across all endpoints. This is the same artifact we’ve used previously, but now we’ll populate it with the suspicious file paths or names identified in the earlier stages . Example paths (for demonstration purposes): Launch the Hunt Run the hunt across 100 endpoints or more to check if the identified malicious files exist elsewhere. Reviewing the Output: Once the hunt completes, you’ll see a detailed list of endpoints where these files are found. If the files are present on other endpoints, label those endpoints as “compromised” or “attacked” for further investigation. Labeling Compromised Endpoints: Use the following query to label endpoints automatically: Query: SELECT Fqdn, OSPath, BTime AS CreatedTime, MTime AS ModifiedTime, label(client_id=ClientId, labels=['Phishing'], op='set') AS SetLabel FROM source(artifact="Windows.Search.FileFinder") ------------------------------------------------------------------------------------------------------------ Next Steps Based on Findings: If no additional compromised endpoints are found, you can move forward with the analysis of the initially identified endpoints. If more compromised endpoints are identified, label them and consider i solating or rebuilding them to eliminate the risk of reinfection. ------------------------------------------------------------------------------------------------------------ YARA Scans for Advanced Threat Detection Once you’ve identified the potentially malicious files and endpoints, the final step is to run a YARA rule scan across the environmen t. This helps detect specific malware families or identify links to Advanced Persistent Threat (APT) groups. Running a YARA Hunt Use the Windows.Detection.Yara.Process  artifact for this hunt. Configuring Parameters: If you don’t provide a custom YARA rule, Velociraptor will default to scanning for Cobalt Strike indicators. To run a specific YARA rule (e.g., for detecting APT activity), upload the rule or provide its URL in the configuration. Example of adding a custom rule URL: Launching the YARA Scan: Once configured, launch the hunt. Velociraptor will scan all endpoints and flag any files or processes matching the specified YARA rules. Reviewing the Results: If hits are detected, you can identify the malware family or APT group involved based on the rule triggered. If no hits are found, you can confirm that the environment is clean for the specified indicators. ----------------------------------------------------------------------------------------------------------- Now that you’ve identified infected endpoints and labeled the “patient zero,” it’s time to move to the triage, containment, and recovery phases. KAPE Triage Imaging The next logical step is to capture a triage image of the compromised endpoints . This allows you to collect crucial artifacts for further investigation. Triage Imaging via Velociraptor: Velociraptor simplifies this process by allowing you to run KAPE (Target Filed) directly on the infected endpoint. Create a hunt to initiate KAPE (Target) collection, targeting the relevant artifacts needed for forensic analysis. Collect key forensic artifacts such as registry hives, event logs, and file system metadata. Ensure the image is stored securely for further examination. Manual Imaging (Optional): If Velociraptor isn’t an option , you can run KAPE manually on the infected machine to create a comprehensive triage image. Quarantining Infected Endpoints Once the imaging process is complete, it’s critical to keep isolated the compromised systems or if not done yet isolate endpoints from the network to prevent further spread or communication with potential Command and Control (C2) servers. Using Velociraptor for Quarantine: Velociraptor can quarantine endpoints by blocking all network communications except to the Velociraptor server. Create a hunt to execute the quarantine action. This ensures the endpoint is unable to communicate externally while still being accessible for analysis. Benefits of Quarantine: Prevents lateral movement within the network. Ensures minimal disruption to the ongoing investigation. Recovery and Reimaging After quarantining the compromised endpoints: Reimage the Systems: Reimaging cleans the endpoint, restoring it to a known good state. Deploy it back into the production environment only after ensuring the threat is eradicated. Forensic Analysis (Optional): If deeper investigation is required, forensic specialists can analyze the collected artifacts. Velociraptor for Forensics:   Velociraptor supports advanced forensic capabilities, allowing you to parse and analyze collected data. Manual Analysis:   Some professionals like me prefer using tools like KAPE, parsing artifacts manually for an in-depth understanding of the attack. Additional Hunting (Optional) Before wrapping up, you can perform further hunting on the infected endpoints to gather more details about the attack. For example: Command History: Identify commands executed on the endpoints, such as psexec or PowerShell commands, to understand the attacker's actions. Network Activity: Investigate network connections to detect communication with suspicious IPs or domains. Persistence Mechanisms: Look for persistence techniques like registry changes or scheduled tasks. Velociraptor offers an array of artifacts and queries for such investigations. Explore these capabilities to uncover additional insights. ----------------------------------------------------------------------------------------------------------- Final Thoughts With the steps outlined, you’ve gone through a comprehensive process to identify, contain, and recover from an endpoint compromise. From advanced hunting to quarantining infected systems, Velociraptor proves to be a powerful tool for incident response. While this article doesn’t delve into detailed forensic analysis, it’s worth noting that Velociraptor can handle a wide range of forensic tasks. You can collect, parse, and analyze artifacts directly within the platform, making it an all-in-one solution for responders. For those who prefer hands-on forensic work, tools like KAPE and manual parsing remain excellent options. What’s Next? This article is just the beginning. Velociraptor offers many more possibilities for proactive hunting and investigation. Experiment with its capabilities to uncover hidden threats in your environment. Stay tuned for the next article, where we’ll dive deeper into another exciting topic in cybersecurity. Until then, happy hunting! 🚀 Dean

Windows Prefetch  is a critical forensic artifact that helps track program execution history . While Prefetch files can be manually analyzed, forensic tools like PECmd  (by Eric Zimmerman) and WinPrefetchView  (by NirSoft) simplify and enhance the analysis process. We will cover: ✅ How PECmd extracts and formats Prefetch data ✅ How to analyze Prefetch files using WinPrefetchView ✅ Best practices for interpreting Prefetch execution timestamps ------------------------------------------------------------------------------------------------------------- Using PECmd to Analyze Prefetch Files PECmd  is a powerful command-line tool for parsing Prefetch files, extracting valuable metadata, and generating structured reports. 1️⃣ Analyzing a Single Prefetch File (-f option) To extract detailed metadata from a single .pf file, run: PECmd.exe -f C:\Windows\Prefetch\example.exe-12345678.pf This outputs: Executable Name & Path Prefetch Hash & File Size Prefetch Version Run Count  (how many times the application was executed) Last Execution Timestamp(s) Windows 7 and earlier:  1 timestamp Windows 8+:  Up to 8 execution timestamps 💡 Timestamp Validation: The last run time  should match the last modified timestamp  of the .pf file. Subtract ~10 seconds  for accuracy when using file system timestamps. ------------------------------------------------------------------------------------------------------------- 2️⃣ Batch Processing: Parsing an Entire Prefetch Folder (-d option) To process all  Prefetch files in a directory: PECmd.exe -d G:\G\Windows\prefetch --csv "E:\Output for testing" --csvf Prefetch.csv ' This generates two output files :1️⃣ CSV Report: Contains execution details for all  parsed Prefetch files. Useful for filtering by run count  or searching for specific applications . 2️⃣ Timeline View: Extracts all  embedded execution timestamps from Prefetch files. Provides a chronological list  of program executions, helping correlate events . ------------------------------------------------------------------------------------------------------------- Using WinPrefetchView for GUI-Based Analysis WinPrefetchView  (by NirSoft) provides a graphical interface  for analyzing Prefetch data. How to Use WinPrefetchView 1️⃣ Open WinPrefetchView 2️⃣ Go to Options > Advanced Options 3️⃣ Select Prefetch Folder  (C:\Windows\Prefetch\ or a forensic image) 4️⃣ Click OK  to parse Prefetch files 📌 Key Features: ✅ Displays Run Count, Last Run Time, and File References ✅ Extracts up to 8 execution timestamps ✅ Lists files accessed by the application within the first 10 seconds 🚀 Takeaway:  Prefetch file references can reveal hidden malware, deleted tools, or important user actions  that might otherwise go undetected. ------------------------------------------------------------------------------------------------------------- Best Practices for Prefetch Analysis 🔍 1. Prioritize Prefetch Collection Running forensic tools on a live system creates new Prefetch files , potentially overwriting older evidence. Collect Prefetch files before executing forensic tools. 🔍 2. Cross-Reference Prefetch Data Combine Prefetch analysis with: UserAssist  (tracks GUI-based program executions) AmCache  (records detailed program metadata) BAM/DAM  (tracks recent executions) 🔍 3. Look for Anomalous Prefetch Files Multiple Prefetch files for the same executable but with different hashes  may indicate: Malware running from multiple locations Renamed executables attempting to evade detection 🔍 4. Ensure Timestamps Are Interpreted Correctly Convert Windows FILETIME timestamps  properly. Keep your forensic VM in UTC time  to prevent automatic time conversions by analysis tools. ------------------------------------------------------------------------------------------------------------- Final Thoughts: Mastering Prefetch Analysis with PECmd & WinPrefetchView PECmd and WinPrefetchView are essential tools for extracting, organizing, and analyzing Windows Prefetch data. 💡 Key Takeaways: ✅ PECmd is ideal for batch processing and timeline analysis. ✅ WinPrefetchView provides a user-friendly interface for reviewing Prefetch files. ✅ Prefetch timestamps help reconstruct program execution history—even for deleted applications. ✅ File references inside Prefetch files can reveal hidden malware or deleted forensic evidence. 🚀 If you're investigating program execution on a Windows system, Prefetch analysis should be one of your first steps!  🔍 -----------------------------------------Dean-----------------------------------------------

Windows Prefetch  is one of the most valuable forensic artifacts for tracking program execution history . By analyzing Prefetch files, investigators can determine which applications were run, when they were executed, how often they were used, and even which files and directories they accessed . We’ll explore: ✅ What Prefetch is and how it works ✅ Where to find Prefetch files ✅ How to extract and interpret Prefetch data ✅ Best practices for forensic investigations ------------------------------------------------------------------------------------------------------------- What Is Prefetch and How Does It Work? Windows Prefetching  is a performance optimization feature that preloads frequently used applications into memory  to speed up their execution . When a program is launched for the first time, Windows creates a .pf (Prefetch) file  for it. Each .pf file  contains: ✅ The name and path of the executed application ✅ How many times it has been executed ✅ The last execution time ✅ Up to 8 previous execution timestamps (Windows 8 and later) ✅ Referenced files and directories the application accessed 💡 Key Insight:  If a Prefetch file exists for an application, it proves that the program was executed at least once  on the system. ------------------------------------------------------------------------------------------------------------- Where Are Prefetch Files Stored? On Windows workstations (not servers) , Prefetch files are stored in: C:\Windows\Prefetch\ 📌 File Naming Format: 7ZFM.EXE-56DE4F9A.pf The ApplicationName  is the name of the executable The HASH  is a hexadecimal representation of the executable's full path . 💡 Pro Tip:  If you find multiple Prefetch files with the same executable name  but different hashes , i t means the program was executed from multiple locations —potentially indicating malware or unauthorized software. ------------------------------------------------------------------------------------------------------------- How Many Prefetch Files Are Stored? Windows 7 and earlier  → Stores up to 128  Prefetch files Windows 8, 10, and 11  → Stores up to 1,024  Prefetch files 📌 Important Note:  Older Prefetch files are deleted as new ones are created , meaning execution history may be lost over time. ------------------------------------------------------------------------------------------------------------- Understanding Prefetch Execution Timestamps 💡 How to determine the first and last execution time: Timestamp Type Meaning Accuracy Considerations File Creation Date First recorded execution of the application Only accurate if the .pf file was never deleted due to aging out File Last Modified Date Last recorded execution of the application Subtract ~10 seconds for accuracy Embedded Timestamps (Windows 8+) Last 8 execution times Most reliable for tracking multiple executions 📌 Important Note: If an application was executed before its Prefetch file aged out , a new .pf file is created, making it look like the application was first executed at a later date  than it actually was. ------------------------------------------------------------------------------------------------------------- Why Prefetch Files Are Crucial in Digital Forensics ✅ 1. Tracking Program Execution Prefetch proves a specific application was run on the system . Even if an application was deleted , its Prefetch file may still exist   as evidence. ✅ 2. Identifying Suspicious Activity If you find a Prefetch file for malware or hacking tools  (mimikatz.exe, nc.exe), it indicates they were executed . Finding multiple Prefetch files for the same executable in different locations  suggests a renamed or relocated executable , which is common for malware evasion techniques . ✅ 3. Detecting Unauthorized Software & Insider Threats If a user claims they never used a VPN , but a Prefetch file for NordVPN.exe exists , this contradicts their claim. ✅ 4. Establishing a Timeline of Events Prefetch timestamps can help reconstruct a timeline  of when  certain applications were executed relative to an incident . ------------------------------------------------------------------------------------------------------------- Limitations of Prefetch Analysis ⚠️ 1. Prefetch Is Disabled on Some Systems Windows Server OS  does not use Prefetch. Some Windows 7+ systems with SSDs  may have Prefetch disabled . 📌 Check Registry Settings to See If Prefetch Is Enabled: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters Audit the EnablePrefetcher  value: 0 → Disabled 1 → Application launch prefetching enabled 2 → Boot prefetching enabled 3 → Both application launch & boot prefetching enabled (default) ⚠️ 2. Prefetch Does Not Prove Successful Execution A .pf file is created even if the program failed to execute properly . Cross-check with other artifacts  ( UserAssist, BAM/DAM, AmCache ) for confirmation. ⚠️ 3. Prefetch Files Are Limited in Number Older Prefetch files are deleted  when the limit is reached. If an app was used long ago , its Prefetch file may no longer exist . ------------------------------------------------------------------------------------------------------------- Best Practices for Prefetch Analysis 🔍 1. Prioritize Prefetch Collection Live response tools create new Prefetch files —potentially overwriting older forensic evidence. Collect Prefetch data before running analysis tools . 🔍 2. Cross-Reference Other Execution Artifacts Compare Prefetch data with: UserAssist   AmCache   BAM/DAM 🔍 3. Look for Anomalous Prefetch Files Multiple Prefetch files for the same application  but with different hashes  may indicate suspicious execution paths . ------------------------------------------------------------------------------------------------------------- Final Thoughts: Prefetch Is an Essential Artifact for Execution Tracking Windows Prefetch files are one of the most reliable ways to track program execution . They provide timestamps, execution counts, and file access details  that are crucial in forensic investigations. 💡 Key Takeaways: ✅ Prefetch proves an application was executed —even if it was later deleted. ✅ Windows 8+ Prefetch files store up to 8 execution timestamps , making them invaluable for tracking repeat usage . ✅ Prefetch files can reveal unauthorized or malicious software execution . ✅ Cross-check Prefetch data with other execution artifacts (UserAssist, BAM/DAM, AmCache) for accuracy . 🚀 If you're investigating program execution on a Windows system, Prefetch analysis should be at the top of your forensic checklist!  🔍 -------------------------------------------------Dean-----------------------------------------------

In this article, we continue exploring the power of SentinelOne’s custom detection rules to enhance control over your environment's security. Below are more custom detection rules tailored for advanced threat detection, covering various scenarios like remote desktop activity, SMB connections, PowerShell misuse, and suspicious file transfers. 21. RDP Session Start Events with Non-Local Connections Rule : event.type == "Process Exit" AND src.process.cmdline contains:anycase("mstsc.exe") OR (event.type == "Process Creation" AND src.process.cmdline contains:anycase("mstsc.exe") AND !(src.ip.address matches:anycase("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"))) Description : Detects RDP session initiation using the mstsc.exe process from non-local IP addresses, highlighting potential unauthorized remote connections. 22. Creation of Processes Related to Remote Desktop Tools and Protocols Rule : event.type == "Process Creation" AND !(src.ip.address matches:anycase("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")) AND src.process.cmdline contains:anycase("mstsc", "vnc", "ssh", "teamviewer", "anydesk", "logmein", "chrome remote desktop", "splashtop", "gotomypc", "parallels access") Description : Monitors the creation of processes linked to remote access tools while excluding certain IP ranges, which could indicate suspicious remote activity. 23. SMB Connections Indicating Lateral Movement Rule : event.type == "IP Connect" AND event.network.direction == "INCOMING" AND event.network.protocolName == "smb" AND dst.port.number == 445 Description : Flags SMB connections over port 445, commonly used for lateral movement in network compromises. 24. BitsTransfer Activity Rule : event.type == "Process Creation" AND tgt.process.cmdline contains:anycase("BitsTransfer") AND tgt.file.extension in:anycase("ps1", "bat", "exe", "dll", "zip", "rar", "7z", "tar") Description : Monitors the use of BitsTransfer to download or upload files, a technique often used to evade detection in malicious activities. 25. PowerShell Web Request Rule : event.type == "Process Creation" AND tgt.process.displayName == "Windows PowerShell" AND (tgt.process.cmdline contains:anycase("Invoke-WebRequest", "iwr", "wget", "curl", "Net.WebClient", "Start-BitsTransfer")) Description : Detects PowerShell commands that perform web requests, which may indicate data exfiltration or malicious script downloads. 26. Suspicious File Uploads to Cloud Services Rule : event.category == "url" AND url.address matches("https?://(?:www\\.)?(?:dropbox\\.com|drive\\.google\\.com|onedrive\\.live\\.com|box\\.com|mega\\.nz|icloud\\.com|mediafire\\.com|pcloud\\.com)") OR (event.category == "url" AND event.url.action == "PUT" AND url.address matches("https?://(?:www\\.)?(?:dropbox\\.com|drive\\.google\\.com|onedrive\\.live\\.com|box\\.com|mega\\.nz|icloud\\.com|mediafire\\.com|pcloud\\.com)")) Description : Detects upload attempts to cloud storage platforms, which could signify data exfiltration efforts. Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋 Thank you so much for staying with me throughout this complete series on SentinelOne. It has always been a pleasure writing and sharing knowledge so others can benefit. With this final article, I wrap up my coverage on SentinelOne—until I receive further requests to explore more on this topic. For now, I'll be shifting my focus to other articles and new areas of research. Stay curious, keep learning, and as always, take care. See you soon! 🚀

In this article, we continue exploring the power of SentinelOne’s custom detection rules to enhance control over your environment's security. These rules allow you to define specific conditions for detecting and responding to potential threats, giving you the flexibility to act beyond built-in detections. 11. Mimikatz (Reg Add with Process Name) Rule : tgt.process.name == "powershell.exe" AND (registry.keyPath == "SYSTEM\\CurrentControlSet\\Services\\mimidrv" OR tgt.process.cmdline contains:anycase("MISC::AddSid", "LSADUMP::DCShadow", "SEKURLSA::Pth", "CRYPTO::Extract")) AND (file.name in:anycase("vaultcli.dll", "samlib.dll", "kirbi")) Description : Detects malicious registry modifications associated with Mimikatz. The rule identifies suspicious PowerShell activity and DLL manipulations indicative of credential dumping or lateral movement. 12. MimikatzV (Behavior-Based) Rule : event.type == "Behavioral Indicators" AND indicator.name in:matchcase("Mimikatz", "PrivateKeysStealAttemptWithMimikatz") OR (event.type == "File Creation" AND tgt.file.path matches(".*\\mimikatz.*", ".*\\sekurlsa.*", ".*\\mimidrv.*", ".*\\mimilib.*")) OR (event.type == "Threat Intelligence Indicators" AND tiIndicator.malwareNames contains:anycase("Mimikatz")) Description : A behavior-based rule for detecting Mimikatz activity by monitoring file creation, threat intelligence indicators, and behavioral signs linked to credential theft. 13. Disable Veeam Backup ServicesV2 Rule : tgt.process.cmdline contains:anycase("net.exe stop veeamdeploysvc", "vssadmin.exe Delete Shadows", "vssadmin.exe delete Shadows /All /Quiet", "wmic shadowcopy delete") Description : Flags attempts to disable Veeam Backup services, commonly used by attackers to disrupt data recovery processes during ransomware campaigns. 14. Mimikatz Executables Rule : tgt.file.path contains:anycase("mimikatz.exe", "mimikatz", "mimilove.exe", "mimilove", "mimidrv.sys", "mimidrv", "mimilib.dll", "mimilib", "mk.7z") Description : Detects the presence of Mimikatz executables or libraries, identifying potential tool deployment for credential harvesting. 15. Rclone (You can other tool like mega.io or Filezilla as well) Rule : src.process.name in:matchcase("rclone.exe", "rclone.org", "Rclone.exe") AND event.dns.request == "rclone.org" OR tgt.process.cmdline contains:anycase("rclone") OR src.process.displayName contains:anycase("rclone") OR src.process.cmdline contains:anycase("rclone") Description : Monitors activity related to Rclone, a legitimate tool often abused for exfiltrating data to cloud storage services. 16. NTDSUtil Rule : event.type == "Process Creation" AND ((tgt.process.cmdline contains:anycase("copy ") AND (tgt.process.cmdline contains:anycase("\\Windows\\NTDS\\NTDS.dit") OR tgt.process.cmdline contains:anycase("\\Windows\\System32\\config\\SYSTEM "))) OR (tgt.process.cmdline contains:anycase("save") AND tgt.process.cmdline contains:anycase("HKLM\\SYSTEM "))) OR (tgt.process.name == "ntdsutil.exe" AND tgt.process.cmdline contains:anycase("ac i ntds")) OR (tgt.process.name == "mklink.exe" AND tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy"))) AND !(src.process.cmdline contains:anycase("Get-psSDP.ps1")) OR (src.process.cmdline contains:anycase("ntdsutil") AND src.process.cmdline contains:anycase("ifm")) OR (tgt.process.cmdline contains:anycase("ntdsutil") AND tgt.process.cmdline contains:anycase("ifm")) Description : Targets suspicious usage of NTDSUtil to access Active Directory databases and other sensitive registry keys, a technique used in domain compromises. 17. CURL Connecting to IPs Rule : src.process.cmdline contains:matchcase("curl.exe") AND event.network.direction == "OUTGOING" AND dst.ip.address matches("^((?!10\\.).)*$") AND dst.ip.address matches("^((?!172\\.1[6-9]\\.).)*$") AND dst.ip.address matches("^((?!172\\.2[0-9]\\.).)*$") AND dst.ip.address matches("^((?!172\\.3[0-1]\\.).)*$") Description : Detects CURL network connections to non-local IP addresses, helping to identify potential data exfiltration attempts. 18. Admin$hare Activity (Cobalt Strike - Service Install Admin Share) Rule : src.process.cmdline contains:matchcase("\\127.0.0.1\\ADMIN$") AND src.process.cmdline contains:matchcase("cmd.exe /Q /c") Description : Identifies suspicious activity targeting the ADMIN$ share, often used by tools like Cobalt Strike for lateral movement. 19. RDP Detection (Any Port) Rule : event.type == "IP Connect" AND event.network.direction == "INCOMING" AND src.process.cmdline contains:anycase("-k NetworkService -s TermService") AND src.ip.address matches("\\b(?!10|192\\.168|172\\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") AND src.ip.address != "127.0.0.1" Description : Monitors incoming RDP connections, highlighting unusual or unauthorized attempts to access the environment. 20. RDP Detection (Port 3389) Rule : dst.port.number == 3389 AND event.network.direction == "INCOMING" AND src.ip.address matches("\\b(?!10|192\\.168|172\\.(2[0-9]|1[6-9]|3[0-1])|(25[6-9]|2[6-9][0-9]|[3-9][0-9][0-9]|99[1-9]))[0-9]{1,3}\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") AND src.ip.address != "127.0.0.1" Description : Focused detection of RDP activity on the standard port 3389, which is commonly targeted in brute-force attacks. Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋

In this three-part series, we’ll explore custom rules for enhanced threat detection and hunting in SentinelOne . These rules leverage STAR (SentinelOne Threat Analysis Rules)  to proactively identify malicious activities and enhance security posture. If you need any rules tailored to your environment, feel free to email me via the Contact Us  page with your requirements, and I'll be happy to create them for you! Part 1: Top 10 Must-Have Rules for Threat Hunting 1. Delete Shadow Volume Copies Purpose : Detects attempts to delete shadow copies, a common tactic used by ransomware operators to prevent file recovery. Rule : tgt.process.cmdline matches("vssadmin\\.exe Delete Shadows","vssadmin\\.exe delete Shadows /All /Quiet") 2. Suspect Volume Shadow Copy Behavior Detected Purpose : Identifies attempts to access sensitive files from shadow copies. Rule : tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy") AND ( tgt.process.cmdline contains:anycase("ntds\\ntds.dit") OR tgt.process.cmdline contains:anycase("system32\\config\\sam") OR tgt.process.cmdline contains:anycase("system32\\config\\system")) AND !( src.process.name == "windows\\system32\\esentutl.exe" OR src.process.publisher in:matchcase("Veritas Technologies LLC", "Symantec Corporation")) 3. Impact - Shadow Copy Delete Via WMI/CIM Detected Purpose : Flags deletion of shadow copies using WMI or CIM commands. Rule : tgt.process.cmdline contains:anycase("win32_shadowcopy") AND ( tgt.process.cmdline contains:anycase("Get-WmiObject") OR tgt.process.cmdline contains:anycase("Get-CimInstance") OR tgt.process.cmdline contains:anycase("gwmi") OR tgt.process.cmdline contains:anycase("gcim")) AND ( tgt.process.cmdline contains:anycase("Delete") OR tgt.process.cmdline contains:anycase("Remove")) 4. Suspect Symlink to Volume Shadow Copy Detected Purpose : Detects creation of symlinks to shadow copies for unauthorized access. Rule : tgt.process.cmdline contains:anycase("mklink") AND tgt.process.cmdline contains:anycase("HarddiskVolumeShadowCopy") 5. Disable/Delete Microsoft Defender AV Using PowerShell Purpose : Monitors attempts to disable Microsoft Defender via PowerShell commands. Rule : tgt.process.cmdline contains:anycase("powershell Set-MpPreference -DisableRealtimeMonitoring $true") OR tgt.process.cmdline contains:anycase("sc stop WinDefend") OR tgt.process.cmdline contains:anycase("sc delete WinDefend") 6. Disable Windows Defender Purpose : Detects various attempts to disable Microsoft Defender features. Rule : tgt.process.cmdline contains:anycase("Set-MpPreference") AND ( tgt.process.cmdline contains:anycase("-DisableArchiveScanning") OR tgt.process.cmdline contains:anycase("-DisableAutoExclusions") OR tgt.process.cmdline contains:anycase("-DisableBehaviorMonitoring") OR tgt.process.cmdline contains:anycase("-DisableBlockAtFirstSeen") OR tgt.process.cmdline contains:anycase("-DisableCatchupFullScan") OR tgt.process.cmdline contains:anycase("-DisableCatchupQuickScan") OR tgt.process.cmdline contains:anycase("-DisableEmailScanning") OR tgt.process.cmdline contains:anycase("-DisableRealtimeMonitoring")) 7. Disable Windows Defender Via Registry Key Purpose : Flags registry key changes disabling Defender. Rule : tgt.process.cmdline contains:anycase("reg\\ add") AND tgt.process.cmdline contains:anycase("\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") AND ( tgt.process.cmdline contains:anycase("DisableAntiSpyware") OR tgt.process.cmdline contains:anycase("DisableAntiVirus")) 8. Disable Windows Defender Signature Updates Purpose : Detects attempts to disable Defender signature updates. Rule : tgt.process.cmdline contains:anycase("Remove-MpPreference") OR tgt.process.cmdline contains:anycase("set-mppreference") AND ( tgt.process.cmdline contains:anycase("HighThreatDefaultAction") OR tgt.process.cmdline contains:anycase("SevereThreatDefaultAction")) 9. SVCHOST Spawned by Unsigned Process Purpose : Flags instances of svchost.exe being launched by unsigned processes. Rule : src.process.publisher == "Unsigned" AND tgt.process.name == "svchost.exe" 10. Mimikatz via PowerShell Purpose : Detects the execution of Mimikatz scripts or commands using PowerShell. Rule : src.process.parent.cmdline contains:anycase("Invoke-Mimikatz.ps1", "Invoke-Mimikatz") AND tgt.process.name == "powershell.exe" Closing Note Stay tuned for more custom threat-hunting rules and best practices in the next articles of this series! If you have specific rule requirements or ideas, feel free to reach out through the Contact Us  section. Share your email and details, and I’ll help craft the perfect rule for your needs. See you soon! 👋 Dean

Identifying and analyzing USB device details can be a tedious and time-consuming task. It often requires combing through various system registries and logs to gather information about connected USB devices. As a cybersecurity professional, having an efficient way to automate this process can save valuable time and reduce errors. In this blog, I will share a script that simplifies the task of identifying USB device details. This script gathers all necessary information in one go, making the process more efficient. Additionally, you can find this script integrated into my endpoint data capture tool, which is detailed in my previous blog. The script is also available on the resume page of my portfolio. USB Device Information Before diving into the script, let’s look at the kind of information we aim to extract: Serial Number : Unique identifier for the USB device. Friendly Name : User-friendly name of the USB device. Mounted Name : Drive letter assigned to the USB device. First Time Connection : Timestamp of the first connection. Last Time Connection : Timestamp of the last connection. VID : Vendor ID of the USB device. PID : Product ID of the USB device. Connected Now : Indicates if the device is currently connected. User Name : The username that initiated the connection. DiskID : Unique identifier for the disk. ClassGUID : Class GUID of the device. VolumeGUID : Volume GUID of the device (if available). If you run the script in Powershell you will get out like below: If you run my script which you can find under resume page. you will get output like below Update on Script: https://www.linkedin.com/feed/update/urn:li:activity:7284276306349871106/ Conclusion Identifying USB details can indeed be a hectic task when done manually by digging through system registries. However, with the help of automation scripts like the one shared above, the process can become much more manageable and efficient Akash Patel

As promised, let’s dive into the new SentinelOne console and its features. Here's an overview of what the updated interface looks like: Dashboard The front-page dashboard in the new console is intuitive and visually appealing. While it doesn’t require much explanation, I highly encourage you to explore it . Even if you don’t end up using SentinelOne, experiencing this console once will showcase how flawlessly it operates—with proper configuration, of course. Purple AI Tab This tab is dedicated to Purple AI , a feature aimed at enhancing automation and operational efficiency. Alerts Tab In the updated console, t he Alerts  tab combines the previously separate Alerts  and Threats  tabs . You now get all alert details in one place, simplifying threat management. Exposure Tab The Exposure  tab now includes: ISPM (Identity Security Posture Management)  details under the Misconfiguration  section. Application vulnerabilities listed under the Vulnerabilities  section, providing a centralized view of risks. Event Search Tab This tab provides Deep Visibility , a feature carried over from the previous console, enabling you to dive deep into historical event data for advanced investigations. Inventory Tab Assets:  Displays endpoints with SentinelOne installed. Identity Endpoints:  If you’ve configured Active Directory (AD) as part of ISPM, domain controllers or identity endpoints should appear here. Applications:  Houses the application inventory, listing all apps detected within the environment. New Graph Query Feature A notable new addition is the ability to build custom graphs: Custom Queries:  Build your own queries for tailored insights. Query Builder Examples:  Use pre-designed examples as starting points. Library:  Access a library of prebuilt queries for quicker analysis. Activities Tab This tab contains the Activity Log , which records everything that happens in the console—a carryover from the previous logs feature. RemoteOps Tab This tab is similar to the Automation  feature from the older console, allowing remote operations and task execution. Agent Management Tab The Agent Management  tab replaces the old Sentinels  tab and provides similar functionalities, along with additional sub-tabs for more granular management. Reports and Policies Tabs The final two tabs: Reports:  For generating and viewing detailed reports. Policy and Settings:  Offers comprehensive configuration options for policies and other settings. Conclusion That wraps up the overview of the new SentinelOne console. It’s packed with updates and improved functionality. "Thanks for sticking with me on this journey through SentinelOne! It’s truly an incredible platform that combines power, simplicity, and innovation. Whether you're new to it or a seasoned user, SentinelOne has something to wow everyone. Stay tuned for more updates as we continue exploring its awesome features together!"

Hey there! If you’ve been following my articles, you might already know the answer to this question. But let me ask it again: If we have $MFT, why do we need $UsnJrnl? Understanding the Difference Between $MFT and $UsnJrnl $MFT vs. $UsnJrnl While the $MFT (Master File Table)  gives you a snapshot of the file system at specific points in time, the $UsnJrnl ($J)  keeps a detailed record of file system changes over time. Tracking Subtle Changes Example Exfiltration often involves small but significant actions—modifying, renaming, or deleting files. These actions may not always be captured by the $MFT, but $UsnJrnl logs them in detail, which is crucial for uncovering sophisticated exfiltration techniques. Example : Let’s say an attacker creates a ZIP file to exfiltrate data. The $MFT will log the creation of the ZIP file. The $UsnJrnl, however, will document every step: adding files to the ZIP, zipping the data, renaming the file, and moving it. ------------------------------------------------------------------------------------------------------------ This answers the initial question, but let’s raise a new one. What Happens When MFT Entries Are Reused? Here’s the scenario: A file is created, and its details are stored in the $MFT with a sequence number or file record. The file is deleted, and while $UsnJrnl logs this event, the $MFT entry becomes available for reuse. When a new file is created, it might reuse the same MFT sequence number or file record. As $UsnJrnl/$J doesn’t track full file paths but instead logs file names, entry numbers, and sequence numbers, a question arises: If a file's $MFT record is removed or reused by another file, how can you reconstruct the original file path using $MFT and $J? Screenshot of $J Forensic tools often correlate $UsnJrnl with $MFT to reconstruct file paths, but reused MFT entries can complicate this process. ------------------------------------------------------------------------------------------------------------ Okay, Lets give you practical example so u can understand easily Example: Recovering the Path Files Used: $MFT parsed file : mftOutput.csv $UsnJrnl parsed file: j Output.csv Observations: Lets choose a file name creds.txt.txt In the $UsnJrnl:$J file, creds.txt.txt was identified with: Entry Number:  1124 Sequence Number:  4 Update Reason:  File Delete | Close(This update reason means file was deleted correct and $mft file record available for reuse) Searching with file name in the $MFT file revealed no file with the name( creds.txt.txt) exits . Now Searching for Entry Number 1124  in the $MFT file revealed that the entry had been reused . The sequence numbers confirmed it had been overwritten four times, with the current file being log.old. This reuse makes it impossible to locate the deleted file's path directly in the $MFT. (Correct) ------------------------------------------------------------------------------------------------------------ Solution: Using CyberCX UsnJrnl Rewind Research and tools from CyberCX  come to the rescue. They d eveloped a script called UsnJrnl Rewind , which correlates $MFT and $UsnJrnl:$J data to reconstruct deleted file paths, *********even for entries that have been reused************. Steps to Use: Clone the tool from the GitHub repository: CyberCX UsnJrnl Rewind Set up the environment (e.g., WSL or Linux). Run the script with the $MFT and $UsnJrnl parsed files as inputs: python usnjrnl_rewind.py -m MFT_Output.csv -u UsnJrnl_Output.csv output-path The tool produces two outputs: NTFS.sqlite USNJRNL.fullpath ------------------------------------------------------------------------------------------------------------ Verifying the Results Open the USNJRNL.fullpath file to locate the path of creds.txt.txt. Additionally, you can trace the (File record) file's lifecycle: Sequence 1: Overflowset → Deleted Sequence 2: NewTextDocument.txt → Deleted Sequence 3: log.old~rf14 → Deleted Sequence 4: log → Currently active on the system. And there you have it! This research has taught us valuable insights into forensic investigations. With that, we wrap up this article. See you in the next one—until then, take care and goodbye! ----------------------------------------------Dean----------------------------------------------------

A few days ago, I received a request through my website from someone working on an incident response case. He mentioned a situation involving 20 endpoints and asked if there was a quicker way to identify lateral movement —specifically, whether users on those endpoints had attempted to log in to other systems and whether those attempts were successful. He was manually analyzing logs from all 20 endpoints , which was understandably time-consuming and inefficient. Around the same time, another cybersecurity professional with more t than 20 years of experience reached out, seeking an easy way to identify lateral movement and asking me to teach him how to analyze it. Frankly, I was surprised. With such extensive experience and a high-level role, I didn’t expect lateral movement analysis to be a pain point for him. This got me thinking: while most professionals understand what lateral movement is, identifying it during an investigation remains challenging. Lateral movement analysis requires a deep understanding of logs, artifacts, and various attack vectors, which can seem daunting, even for seasoned Incident Response (IR) and Digital Forensics & Incident Response (DFIR) practitioners. Inspired by these requests, I decided to simplify things with this article. Today, I'll discuss three tools that make lateral movement analysis much easier: Chainsaw Hayabusa LogParser If you're unfamiliar with these tools, I’ve already written detailed guides explaining how they work, which commands to use, and what to expect from them . You can check out the following posts: Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting Chainsaw: Streamlining Log Analysis for Enhanced Security Insights Microsoft’s Log Parser (Bonus File Included) However, today we’ll focus solely on using these tools for lateral movement analysis . ------------------------------------------------------------------------------------------------------------- What Is Lateral Movement? I won’t delve too much into the basics since most of you already know what lateral movement is. If you don’t, I recommend checking out my articles: Understanding Lateral Movement in Cybersecurity . This articles *** covers everything you need to know about manually analyzing lateral movement, using registry , Event IDs, and filesystem****. It’s a great foundation to build your skills before diving into automated tools. ------------------------------------------------------------------------------------------------------------- Chainsaw: Simplifying Lateral Movement Analysis Let’s dive into the first tool, Chainsaw , and see how it simplifies log analysis for lateral movement. I’ll demonstrate how to run a single command in PowerShell and let Chainsaw do the heavy lifting. Command: PS E:\Log Analysis Tools\chainsaw_all_platforms+rules+examples\chainsaw> .\chainsaw_x86_64-pc-windows-msvc.exe hunt -r rules\ "E:\Output for testing\logs 123\log123" Chainsaw immediately starts hunting through the logs, isolating critical events that may indicate lateral movement. Below are some screenshots and insights from my analysis. Screenshot 1: User Remote Access Chainsaw identified that the user remotely accessed a system (XSPACE2197) using the IP 192.168.30.1. While this could be legitimate, you’d need to verify it by asking the user or checking the context. What’s impressive here is how easily Chainsaw pinpoints such activities, saving you time compared to manual log analysis. Screenshot 2: RDP Logoff Events Chainsaw highlights RDP logoff events. Although these don’t directly indicate lateral movement, they’re worth noting when attackers move between systems via RDP and log off after completing their actions. Screenshot 3: Potential RDP Attack In this example, Chainsaw identified events showing successful RDP logins, session connections, and disconnections. Here’s what stood out: The user is Jean-Luc, and the IP 192.168.30.1 suggests activity within a trusted network. While these behaviors may seem normal, it’s crucial to confirm whether this activity aligns with the user’s routine. Chainsaw’s ability to filter relevant data means you don’t need to sift through mountains of logs manually . It automates the heavy lifting, allowing you to focus on deeper investigation and validation. ------------------------------------------------------------------------------------------------------------- A Word of Caution While tools like Chainsaw automate much of the analysis, *** manual log analysis remains an essential skill for any cybersecurity professional **. Automated tools like Magnet Axiom and FTK are great, but understanding the underlying artifacts (e.g., $J, $MFT) and how to analyze them manually is what truly sets you apart as a forensic investigator ------------------------------------------------------------------------------------------------------------- Hayabusa Tool : Lateral Movement Analysis Made Easy Hayabusa has quickly become one of the most reliable tools in my log analysis arsenal . It’s versatile, efficient, and saves an incredible amount of time—especially when detecting lateral movement. Let’s dive into how you can leverage Hayabusa specifically for lateral movement detection. Highlights of Hayabusa in Action 1. When you feed your logs to Hayabusa, it doesn’t just dump all events on you . Instead, it filters and categorizes them into a manageable set of results . For instance: Input Logs : 12,776 events. Filtered Suspicious Events : 1,338 events. 2. H ayabusa categorizes the events by their severity: Critical High Medium Low Each category is color-coded, making it visually intuitive to spot critical issues at a glance. Detecting Lateral Movement Hayabusa flagged potential lateral movement activities. Here’s how it looked: In the screenshots below, I’ve highlighted key areas you should focus on when looking for lateral movement indicators . While there are other important artifacts, such as service installations, I’m providing a basic overview of what to watch for when analyzing logs for lateral movement. At start we had 12,776 events after running hayabusa we only have hits—1339. If you take a look at the output in the command prompt, you might think, "This analysis isn't for me. How can I make this more manageable and effective?" Don’t worry—I’ve got you covered!. There’s a streamlined way to analyze this data, and I’ll show you exactly how to make sense of it more efficiently. Simplifying the Analysis Process Analyzing these hits manually through the command prompt can quickly become cumbersome. So, let me share a personal method I use to simplify the process: First, I extract all the data from Hayabusa into a CSV file , using the following command: PS E:\Log Analysis Tools\hayabusa-2.17.0-win-x64> .\hayabusa-2.17.0-win-x64.exe csv-timeline -d "E:\Output for testing\logs 123\log123" -o output.csv Next, I use Timeline Explorer to open the CSV file. It’s a fantastic tool for navigating through the extracted timeline data and helps you easily pinpoint areas of interest . Let’s say I want to focus on a specific lateral movement indicator, like "PSExec Lateral Movement." Simply search for it in the Excel file, and you’ll get the results—just like the screenshot below. Suppose I want to investigate "Logon (Network)" events. I can search for that in the CSV and quickly get all the details I need, including the type of logon, user, source computer, and source IP. The ease of this process cannot be overstated. Why Hayabusa Is My Tool of Choice If I had to choose one tool for Log Analysis, it would always be Hayabusa . Its seamless integration with timeline data and ability to quickly filter through vast amounts of log data makes it the best choice for me. Much like KAPE, Hayabusa has become an indispensable part of my inventory. I’ve been using it for the past three years, and it has come a long way, becoming more efficient and accurate with each iteration. A big thank you to Yamato Security Group in Japan for creating a tool that truly makes the work of forensic and IR professionals much easier. ------------------------------------------------------------------------------------------------------------- Log Parser: Building Precise Detection Queries Recently, I was reflecting on tools like Hayabusa  and Chainsaw  and wondered: "Is it possible to build custom queries with exceptions to make detections more precise?" While these tools are fantastic, they don’t offer much flexibility for creating or applying exceptions directly. That sparked a thought: why not explore Log Parser  for this purpose? Log Parser uses SQL-like language, which makes it different from other tools. It provides the flexibility to build highly tailored queries, including exceptions, which can significantly enhance detection precision. A Quick Note on Log Parser If you're unfamiliar with Log Parser, I’ve written a complete article detailing its features, commands, and use cases. The link is available at the top of this post—feel free to check it out! Objective: Detecting Lateral Movement For this experiment, I’ll focus on detecting lateral movement  using logs. The primary log source will be security.evtx. There are already commands created to run with logparser and these commands are attached in my article itself. Microsoft’s Log Parser (Bonus File Included) I felt the need to create new, customized ones. Let’s get started! Setup and Approach I’ve collected the logs from one endpoint into a single directory. We’ll primarily work with SQL queries to parse and analyze the data. Below is the commands I crafted as a starting point: (Worry not at end I will attach text file containing all the query so u can modify as per your need ) 1. Query to Detect RDP Logins (Event ID 4624) Purpose: RDP is frequently used for lateral movement by attackers to access remote systems. You can use Event ID 4624 (successful logon) to track RDP logins Usage: This query will show when a user logs in via Remote Desktop, which can be indicative of lateral movement across machines. 2. Query to Detect Lateral Movement via SMB (Event ID 5140) Purpose: Lateral movement often involves SMB (Server Message Block) to access shared resources across systems. Event ID 5140 indicates that a network share was accessed. Monitoring this can help detect unauthorized lateral movement attempts. Expected Output: The query will show network share access by users, which could be an indicator of lateral movement. 3. Query to Detect Credential Dumping Tools (Event ID 4688) Purpose: Malicious actors often use tools such as Mimikatz or LaZagne to dump credentials during lateral movement. Monitoring process creation events (Event ID 4688) for signs of such tools is important. Expected Output: This query will help detect the execution of credential dumping tools used for lateral movement. 4. Query to Detect Abnormal WMI Activity (Event ID 5858) Purpose: WMI (Windows Management Instrumentation) is commonly used by attackers for lateral movement. Event ID 5858 represents successful WMI operations. Monitoring this can help detect malicious use of WMI for lateral movement. Expected Output: This query will show WMI operations initiated by users, which could indicate lateral movement across systems. 5. Query to Detect Multiple Failed Logins (Event ID 4625) Purpose: When attackers attempt to move laterally, they often try brute-forcing credentials. Monitoring for multiple failed logon attempts can help detect these attempts. Expected Output: This query will show multiple failed logon attempts, which may indicate brute-force or credential stuffing attacks. 6. Logon and Logoff Activity (Event IDs 4624 and 4634) Purpose: These queries track user logons and logoffs, filtering by remote logon types like RDP (Logon Type 10), network logons (Logon Type 3), and other types like unlocking workstations or batch jobs. The goal is to detect unauthorized access or lateral movement, including identifying unusual source IPs and workstations. 7. Process Creation (Event ID 4688) : Purpose: This query identifies the creation of processes that may be indicative of malicious activity, such as cmd.exe, powershell.exe, wmic.exe, and net.exe. These processes are frequently used for lateral movement, privilege escalation, and other post-exploitation activities. Analyzing the associated command lines and parent processes can reveal suspicious actions. 8. Remote and Network Logons : Purpose: Remote and Network Logons : This query monitors network logons (such as those using SMB) and RDP logons (Logon Type 10). It helps track remote access, particularly focusing on user-driven activities and excluding system accounts. This is particularly useful for detecting lateral movement and unauthorized logins from unexpected locations. 9. Service Creation : Purpose: This query tracks suspicious service installations that could indicate malicious activity. For example, the creation of services associated with tools like PsExec, powershell.exe, and cmd.exe may point to attackers maintaining persistence or executing lateral movement within a network. While the rules mentioned earlier offer a great starting point for detecting suspicious behavior using LogParser, you can further fine-tune these queries to create more customized detections. As you can see, it’s quite simple to adapt and refine these rules to better fit your needs. With the combination of LogParser, process creation analysis, and remote logon detection, you have a powerful toolset to detect lateral movement in your environment. I've added the rules in a text file and attached it for you . You may notice that some rules appear to be duplicates . If these aren’t relevant to your needs, feel free to leave them out or modify them to suit other detections . I’ve provided them just for your reference— please don’t get upset with me!LOL Also, keep in mind that due to Windows updates, some rules might stop working after a few months . Make sure to double-check andtest the rules before running them against your logs. ------------------------------------------------------------------------------------------------------------- Managing Logs from Multiple Workstations Now, let’s take this to the next level. Imagine you have 10 workstations, each generating their own security logs, and you collect these logs into separate folders . Instead of manually running the same command for each folder, which can be time-consuming and inefficient, I’ve got a solution that will make your life easier. Here’s how it works: The script I’ve developed will automatically scan multiple folders or subdirectories in a specified root path. It will identify the Security.evtx logs within each folder, apply your customized detection rules, and generate the output, all with minimal effort on your part . This method streamlines the process and significantly reduces the complexity of manually executing commands for each log file. A Simple, Effective Approach This approach ensures that you can scale your detection efforts across many workstations without being bogged down by repetitive tasks. It’s quick, efficient, and easy to implement—exactly what you need when working with large datasets or multiple machines. ------------------------------------------------------------------------------------------------------------- Get Involved! If you have any queries, suggestions, or additional detection methods you'd like to share, feel free to reach out! I’m always looking for ways to improve and collaborate. Your ideas could be featured in a future post, and you’ll be credited as the creator! See you in the next one, where we’ll dive deeper into more exciting techniques and tools. Stay tuned! -------------------------------------------Dean-----------------------------------------------------

The Settings  section in the SentinelOne Console is your central hub for configuration and management. Here's a detailed breakdown of its features with examples and practical insights: 1. Configuration The Configuration  tab provides an overview of licenses and key settings. Licenses : See which features you have paid for, such as Remote Ops Forensic  or Network Discovery . Other Settings : Adjust session timeouts, password expiration policies, and more. 2. Notifications As the name suggests, this feature allows you to set up alerts. Example: You can configure an email notification to be sent whenever a threat is detected or if someone uninstalls an agent. Customizable Events : Alerts for detection, policy violations, and endpoint changes. 3. Users Here, you can create and manage users with specific roles. Example: SOC Team Role : Restrict permissions to prevent them from uninstalling agents. IR Team Role : Allow broader control, such as agent uninstallation. 4. Integrations This section enables the setup of third-party integrations for SMTP , Syslog , or SSO (Single Sign-On) . Features : View and edit integrations. Add or delete integrations to streamline your workflow with external tools. 5. Policy Override This feature lets you temporarily override security policies for specific endpoints. Real-Life Scenario : A new testing agent triggered false positives, quarantining files (e.g., Excel files). The SOC team was overwhelmed by the alerts. Solution: The policy was switched to "Detect Only" mode, stopping file quarantine. SentinelOne support provided a policy override , resolving the issue without reverting the agent. 6. Accounts Manage accounts for different clients, ensuring flexibility in a multi-client environment. 7. Sites Create and organize Sites  within your account hierarchy for better management. 8. Locations Dynamic Policy Application  adjusts protection based on network location. Example Features : Stricter policies on untrusted networks (e.g., public Wi-Fi). Define trusted networks by IP ranges, DNS servers, or gateway IPs. Pro Tip: SentinelOne’s flexibility in settings  allows organizations to adapt quickly to unique challenges, such as managing alerts, integrating external tools, or handling network-based policies. The Policy Override  feature, in particular, can be a lifesaver during unexpected situations like false positives. ------------------------------------------------------------------------------------------------------------- Wrapping Up SentinelOne: Transitioning to the Newer Console That’s a wrap for exploring SentinelOne’s older console! As a heads-up, SentinelOne has rolled out a newer console with updated features and a refreshed UI. While the newer version offers more functionalities, it might feel slightly more complex initially. My Advice: If you’re just starting out with SentinelOne: Begin with the older console : It’s simpler and provides a solid foundation. Transition to the newer console  once you’re comfortable. Stay Connected: Thanks for sticking around! If you found this guide helpful and want to stay updated: Bookmark this website  for easy access to more articles. Sign up for notifications  on my website to get updates on the latest guides, tips, and tutorials. More insights on SentinelOne’s newer console and advanced features are coming in the next article—stay tuned! 🚀