Andreas Hunkeler

Results 26 comments of Andreas Hunkeler

Hi @michelpereira, cool list and I will add some security open source games later on. Improvements for your list:
* Contribute should be removed from the Contents section (table of content)....

47: https://github.com/SigmaHQ/sigma/pull/1493
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
* 5cc2cda8-f261-4d88-a2de-e9e193c86716

47: Two existing rules FTR
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_remote_powershell_session.yml
* 13acf386-b8c6-4fe0-9a6e-c4756b974698
* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_remote_powershell_session_process.yml
* 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8

I know that it's not ideal... timestamps and other information are messed up etc. But at least it gives the file/folder information. The other tool I referenced in the doc...

I think keeping "lock user account" is better than having a "lock user account" for each service/platform; locking a user account on a cloud system is different again from a web...

I was thinking again about this issue and thought: how about making atc-**detect** (aka **DET&CT**) collect these threat detection activities, which are used to prepare, detect, share and communicate...

Thanks for bringing this up @randomaccess3 - eventually I find the time at the weekend. If @AndrewRathbun is on it earlier, then go for it :)

Hi, thanks for making the module 👍🏽 Regarding the target, there's already one: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/WindowsIndexSearch.tkape I would omit specifying the file name, so we cover Windows 10 and 11. In 11...

Further reference, see section "Changes in Windows 11": https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/. It seems to be the output of the research around Windows Index Search and the Stroz Friedberg's SIDR tool. > Stroz...

I close this as we now have the new module for SIDR.

@lime360 I understood that someone else created that list. To support Sindre a bit, I comment on this issue. As Sindre noted above, for a list to be included in...