B2dfir

In this blog post I will detail how to perform various incident response techniques using native Windows PowerShell functionality. Each method I explain will be able to be executed remotely to allow for efficient investigation and containment of an individual host . For PowerShell response on mass, I recommend familiarising yourself with the Kansa framework . If you follow my github, you may also notice that many of the techniques listed below are built into my remote powershell triage tool, B2Response , which allows you to perform these actions with ease. Please give it a go and provide feedback! The techniques which I will cover include: 1) Issuing remote command/shell 2) Retrieving/downloading files 3) Checking for running processes 4) Query registry keys 5) PCAP collection 6) Blocking a domain 7) Blocking an IP 8) Quarantining a host Prerequisites All of the techniques listed below utilise PowerShell to remotely manage computers within your IT environment. In order...

Oh no! I've got a potential incident unfolding now and I'm struggling keep track of everything? What do you use for incident documentation? A friend posed this question to me a few days ago and my first thought was "I use TheHive ". This response would have been about as useful as a wet fish to my friend, as at that point in time the last thing he had time to do is learn, deploy and configure a new incident management platform. He needed something now. He needed something without a learning curve and something which would free him up to spend valuable time actually investigating a potential incident. To help him out, I turned to the global backbone of information management... Microsoft Excel. Prior to deploying TheHive, I  built and improved upon an Excel incident management and documentation workbook for a number of years. It doesn't have machine learning, AI or even security automation, so it probably isn't much good. Disregarding these shortfalls, ...