Long story short, Persistence

December 4, 2023
Shanna Daly
Forensics, Incident Response
ATT&CK: TA0003, Persistence, Defence evasion, webshells, malware, ATT&CK: T1574, ATT&CK: T1505, ATT&CK: T1021

In this post I am pulling parts out of a talk that I did called “Long story short”. I delivered variations of this talk online for NZITF and the ICSL MRE webinar series in 2022 and also in person at CRESTCon 2022 in Canberra. I found these interesting at the time as they were novel to us (back then), and that a lack of detection and response capabilities enabled this threat actor to carry out their activities unhindered. ...

Hunting webshells

November 9, 2023
Shanna Daly
Forensics, Incident Response
webshells, malware, ATT&CK: T1505

In the dynamic field of incident response, the unexpected is the only guarantee, requiring responders to adapt, utilise diverse skill sets, and employ various tools to achieve our objectives. In this post, I delve into three different webshell investigations that I conducted back in 2020, shedding light on the importance of versatility in digital forensics and incident response (DFIR). We explore the intricacies of DFIR work, the toolbox at our disposal, and the decision-making process behind selecting the right tools for the job. ...

Leveraging SRUM for Incident Response

November 5, 2023
Shanna Daly
Forensics, Windows Artefacts

Back in 2019, when I was running my own consulting gig, Caccia Cybersecurity, I learnt about a new (at the time) artefact that had recently been discovered and ‘decoded’: the SRUM. This blog post is based on a presentation that I gave in 2019 at the 2019 ICSL MRE conference in Sydney and at the Carbon Black Partner IR summit for APAC. In going through my archive of presentations, I decided to write them up as blog posts, as the information is still relevant and I can update it where needed. ...