aXR1.net

Learning something new every day

Category: DFIR

DFIR

WinRAR split archives – How much data was exfiltrated

The situation and the setup: In a recent ransomware engagement we lacked the proper insight on how much data had been exfiltrated. We had artefacts telling us there was 5 …

DFIR

Alternate Data Streams, DFIR and Mark Of The Web

Enter the Rabbit Hole: During an investigation, we came across Microsoft Defender correlating a file to a certain site. We did, however, not find any connections or telemetry that showed …

DFIR

Mutexes (mutants) and incident response

What is this post about and what is the point of it? This post is the product of me going “What are these mutexes Cisco is talking about in their …

Copyright © 2026 aXR1.net