• PowerShell Command History Forensics

    Contents:

    - Overview

    • Powershell and Windows Events
    • Get-History
    • Console History File

    - Adversarial Tactics

    • Clear-History
    • Backup/Restore History
    • Delete File History
    • Change PSReadline Configuration

    - Investigation Tips

    Overview

    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions…

    • 26 Aug 2020
  • Malicious DNS Queries by APT - A Case Study

    Hello Everyone,

    Ever got any malicious URLs? Couldn’t figure out what’s going on?

    This email documents suspicious DNS query attempts that were allegedly malicious according to an advisory shared by the Australian Government.

    Background: 

    The Australian Govt. shared an advisory with a customer which has a very competent team of IT security experts.
    The only SHA value mentioned in their advisory was a DLL which…

    • 8 May 2020
  • Decoding Malicious PowerShell Activity - A Case Study

    IT Administrators and Security Specialists often run into a suspicious-looking PowerShell command; sometimes they succeed in decoding it, but often they are reliant on researchers. This blog post should serve as guidance for identifying the purpose of suspicious entries found in:

    • Scheduled Tasks
    • RUN Keys in the Registry
    • Static PowerShell Scripts
    • Proxy Logs if a Web Server is exploited for a Remote Code Execution

    powershell…

    • 14 Feb 2020
  • Requests to re-categorize by third parties for PUA/Adware detections (possible Deceptor component)

    Hi Everyone, 

    The article below provides details about how we categorize PUA/Adware detections and how to provide us with the information we need to determine whether a re-categorization is required.

    • 23 Oct 2019
  • Watch Locky Ransomware in action and learn how Sophos stops it

    Hi everyone,

    We have just published a new video taking a look at how ransomware works. You can find it here: https://www.youtube.com/watch?v=ajTcYRIwoqU 

    In this video we are going to show you what happens when Locky Ransomware attacks a computer. You will see what a typical user would see if they were the victim of such an attack. We will then show you several scenarios demonstrating how Sophos protects the computers and…

    • 23 Jan 2017