WinRAR split archives – How much data was exfiltrated
The situation and the setup In a recent ransomware engagement we lacked the proper insight on how much data had been exfiltrated. We had artefacts telling us there was 5 …
Alternate Data Streams, DFIR and Mark Of The Web
Enter the Rabbit Hole During an investigation, we came across Microsoft Defender correlating a file to a certain site. We did, however, not find any connections or telemetry that showed …
Disabling legacy authentication in Exchange Online & M365
Intro This post came about after trying to disable legacy authentication for a customer. I know little-to-nothing about M365, other than that I want rid their tenant of legacy authentication. …
Mutexes (mutants) and incident response
What is this post about and what is the point of it? This post is the product of me going “What are these mutexes Cisco is talking about in their …