1/ I find the analysis of the MFT in an incident, especially from a key system, extremely valuable. In today's ManageEngine investigation, for example: narrowing down the birth time and filtering for EXE files - within a short time, such a file as simple.exe stands out. 🧵
2/ But the best part was: the file was not an executable at all! The proxy prevented the download due to the "Malicious Websites" category. Within the error message from the proxy, the malicious domain was visible. Another easily gained IOC to hunt for 🤠

Jan 28, 2023 · 12:09 AM UTC

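An added example (not code from the thread's author) of the triage the two tweets describe: filter MFT records for .exe files born inside a window, then check whether each candidate is really a PE file or a proxy block page saved under an .exe name. The CSV column names follow the layout MFTECmd emits and the sample records, file contents and domain are all constructed for the example.

```python
"""Triage MFT export: .exe files born in a window, then magic-byte check."""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample records (MFTECmd-like columns, an assumption about layout).
MFT_CSV = """EntryNumber,ParentPath,FileName,Extension,Created0x10
101,.\\Windows\\Temp,simple.exe,.exe,2023-01-27 21:14:03.1234567
102,.\\Users\\svc\\Downloads,report.pdf,.pdf,2023-01-27 21:15:10.0000000
103,.\\Windows\\System32,notepad.exe,.exe,2021-06-01 08:00:00.0000000
"""

# Constructed file contents keyed by MFT entry: a proxy block page stored as
# simple.exe (placeholder domain), and a genuine PE header.
CONTENTS = {
    101: b"<html><body>Access Denied. Category: Malicious Websites. "
         b"URL: http://malicious.example/simple.exe</body></html>",
    103: b"MZ\x90\x00" + b"\x00" * 60,
}

def parse_ts(s):
    """MFTECmd-style timestamp (7 fractional digits) -> aware UTC datetime."""
    return datetime.strptime(s[:26], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def exe_born_between(csv_text, start, end):
    """Entry numbers of .exe files whose $STANDARD_INFORMATION birth time is in [start, end]."""
    lo, hi = parse_ts(start), parse_ts(end)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Extension"].lower() == ".exe" and lo <= parse_ts(row["Created0x10"]) <= hi:
            hits.append(int(row["EntryNumber"]))
    return hits

def classify(data):
    """'pe' for an MZ header, 'html' for markup (e.g. a block page), else 'other'."""
    if data[:2] == b"MZ":
        return "pe"
    if data.lstrip()[:1] == b"<":
        return "html"
    return "other"

def extract_hosts(data):
    """Hostnames from URLs in a proxy error page; quick IOC pull for hunting."""
    return sorted({m.decode() for m in re.findall(rb"https?://([A-Za-z0-9.-]+)", data)})

if __name__ == "__main__":
    for entry in exe_born_between(MFT_CSV, "2023-01-27 21:00:00.0", "2023-01-27 22:00:00.0"):
        blob = CONTENTS.get(entry, b"")
        print(entry, classify(blob), extract_hosts(blob))
```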