Posts

Showing posts from December, 2017

Doppelgänging and Digital Forensic Analysis

Read Time: 10 Minutes

Recently, Catalin Cimpanu released an article about a new process-hollowing-style technique named Process Doppelgänging. The highlights of the article include undocumented features of the Microsoft Windows operating system, the inability of antivirus to scan NTFS transactions, and the claim that the technique "...cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows". The article further discloses that the presentation would be released at Black Hat EU. So I found the slides of the presentation, titled Lost in Transaction: Process Doppelgänging, which reveal the API calls and some interesting assertions by the researchers. The Microsoft Developer Network (MSDN) documentation on NTFS transactions (TxF) also gives basic information regarding the API calls referenced in the presentation. The sequence of API calls according to the presentation is as follows: Create a transaction; Open a "clean
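The following is an added demonstration of the first two API calls named above (create a transaction, then open the "clean" file inside it) and of the isolation property that keeps a transacted write out of view of anything reading the file from outside the transaction. It is not code from the post or from the Black Hat talk; the P/Invoke declarations, the class name TxF, the transaction description string and the file path under $env:TEMP are this example's own choices. It assumes Windows PowerShell 5.1 on an NTFS volume where TxF is still available (Microsoft deprecated TxF in Windows 8, but it is still present on current Windows releases). The remaining steps from the slides are deliberately left out; the example rolls the transaction back instead.

```powershell
# Added example: CreateTransaction + CreateFileTransacted, then a read from outside
# the transaction, then RollbackTransaction. Not the researchers' code.
$txf = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class TxF
{
    // ktmw32.dll: Kernel Transaction Manager user-mode API (documented on MSDN).
    [DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateTransaction(
        IntPtr lpTransactionAttributes, IntPtr uow, uint createOptions,
        uint isolationLevel, uint isolationFlags, uint timeout, string description);

    [DllImport("ktmw32.dll", SetLastError = true)]
    public static extern bool RollbackTransaction(IntPtr transaction);

    // kernel32.dll: transacted variant of CreateFile (TxF).
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern SafeFileHandle CreateFileTransacted(
        string fileName, uint desiredAccess, uint shareMode, IntPtr securityAttributes,
        uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile,
        IntPtr transaction, IntPtr miniVersion, IntPtr extendedParameter);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $txf

$GENERIC_WRITE   = 0x40000000
$FILE_SHARE_READ = 0x00000001
$OPEN_EXISTING   = 3
$INVALID_HANDLE  = [IntPtr]::new(-1)

# Constructed "clean" file, standing in for the legitimate file the technique targets (assumed path).
$path = Join-Path $env:TEMP 'clean.txt'
Set-Content -Path $path -Value 'original, committed content' -NoNewline

# Step 1: create a transaction (CreateTransaction from ktmw32.dll).
$tx = [TxF]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'txf-isolation-demo')
if ($tx -eq $INVALID_HANDLE) {
    throw "CreateTransaction failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

try {
    # Step 2: open the "clean" file inside the transaction (CreateFileTransacted).
    $h = [TxF]::CreateFileTransacted($path, $GENERIC_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
                                     $OPEN_EXISTING, 0, [IntPtr]::Zero, $tx, [IntPtr]::Zero, [IntPtr]::Zero)
    if ($h.IsInvalid) {
        throw "CreateFileTransacted failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Overwrite the file through the transacted handle with constructed stand-in bytes.
    # The write exists only inside $tx until it is committed.
    $fs = [System.IO.FileStream]::new($h, [System.IO.FileAccess]::Write)
    $bytes = [Text.Encoding]::ASCII.GetBytes('TRANSACTED STAND-IN BYTES')
    $fs.SetLength(0)
    $fs.Write($bytes, 0, $bytes.Length)
    $fs.Flush()

    # A non-transacted reader (Get-Content here; an on-access scanner or a live-volume
    # image in practice) gets the last committed version, not the transacted bytes.
    $seenOutside = Get-Content -Path $path -Raw
    "Outside the transaction the file reads: '$seenOutside'"

    $fs.Dispose()   # also closes the transacted handle $h
} finally {
    # Roll back: the on-disk file is never changed, which is the forensic problem.
    [void][TxF]::RollbackTransaction($tx)
    [void][TxF]::CloseHandle($tx)
}

"After rollback the file reads: '$(Get-Content -Path $path -Raw)'"
```

Run it from an elevated or normal PowerShell prompt on a local NTFS volume; both printed lines should show the original committed content, because the transacted write was visible only through the handle opened with $tx and was discarded by RollbackTransaction. That is the point the post is driving at for forensic analysis: a scanner or examiner reading the file by path sees nothing, and after rollback the file's contents on disk are exactly what they were before.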

First Post and Review of The Need for Pro-active Defense and Threat Hunting Within Organizations

Read Time: 5 Minutes

Welcome to my first blog post! I thought I would start off the blog by sharing thoughts on publicly available content on security topics that are of interest. Recently I viewed Andrew Case's The Need for Pro-active Defense and Threat Hunting Within Organizations, posted by Adrian Crenshaw from the archive of recordings of presentations given at BSides Tampa in 2015. This video highlights contemporary considerations with respect to hostile third parties, composed of professionals who operate with a thought-out tradecraft and who are motivated to break into an organization via its IT infrastructure. Generally speaking, the modern enterprise faces the Defender's Dilemma, blogged about by Richard Bejtlich, in which alert-centric security analytics fails to address in a timely manner the risk posed by these hostile third parties. Andrew Case's presentation addresses this by delving into threat hunting as a mitigating control.