Our Vision

To give customers the most compelling IT Support experience possible.

Our Mission

Our mission is simple: make technology an asset for your business not a problem.

Our Values

We strive to make technology integrate seamlessly with your business so your business can grow. As your technology partner, when your business grows ours will grow with you, therefore, we will work hand in hand with you to support your growth.

Our Values

We develop relationships that make a positive difference in our customers' business.

Our Values

We exhibit a strong will to win in the marketplace and in every aspect of our business.

Malware Analysis, Tools and Techniques

What is Malware Analysis?
Malware analysis is the process of examining samples of malware families (Trojans, viruses, rootkits, ransomware, spyware) in an isolated environment to understand the infection, its type, purpose and functionality. Various methods are applied based on the sample's behaviour in order to understand the attacker's motivation and to apply the appropriate mitigation, such as creating rules and signatures that protect users.
Malware analysis plays an essential role in avoiding and understanding cyber attacks. When incident response teams are brought into an incident involving malware, the team will typically gather and analyze one or more samples in order to better understand the attacker's capabilities and to help guide their investigation.
Types of Malware:

  Type               What It Does                                            Real-World Example
  Ransomware         disables victim's access to data until ransom is paid
  Fileless Malware   makes changes to files that are native to the OS
  Spyware            collects user activity data without their knowledge
  Adware             serves unwanted advertisements
  Trojan             disguises itself as desirable code
  Worm               spreads through a network by replicating itself
  Rootkit            gives hackers remote control of a victim's device
  Keylogger          monitors users' keystrokes                              Olympic Vision
  Bot / Botnet       launches a broad flood of attacks
  Mobile Malware     infects mobile devices

How to perform Malware Analysis 
There are various types of analysis, and related malware analysis tools, that are mainly used to break down the malware:
  • Static Malware Analysis
  • Dynamic Malware Analysis
  • Memory Forensics
  • Web Domain Analysis
  • Network interactions Analysis etc
What is Static Malware Analysis?
This procedure covers the extraction and examination of the different binary components and static behavioural indicators of an executable, for example API imports, referenced DLLs, PE sections and similar artefacts, without executing the sample.
Any deviation from the expected values is recorded in the static analysis results and a verdict is given accordingly. Static analysis is done without executing the malware, whereas dynamic analysis is carried out by executing the malware in a controlled environment.
1. Disassembly – translating the binary's machine code back into assembly so the program's logic can be read without running it.
2. File Fingerprinting – computing cryptographic hashes (MD5, SHA-1, SHA-256) of the sample so it can be identified and tracked across systems and threat-intelligence services.
3. Virus Scanning – virus scanning tools and instructions for malware and virus removal; remove malware, viruses, spyware and other threats. Examples: VirusTotal, Payload Security.
4. Analysing memory artefacts – while examining memory artefacts (RAM dump, pagefile.sys, hiberfil.sys) the analyst can begin identifying rogue processes.
5. Packer Detection – used to detect packers, cryptors, compilers, scramblers, joiners and installers.
Static Malware Analysis Tools
Ghidra and IDA: IDA Pro had been the go-to SRE (Software Reverse Engineering) suite for many years until Ghidra's release in 2019. Since then Ghidra's popularity has grown exponentially because it is a free, open-source tool that was developed and is still maintained by the NSA.
Websites such as: Hybrid Analysis, VirusTotal.com
Other tools: md5deep, PEiD, Exeinfo PE, RDG Packer Detector, de4dot, PEview, WinDbg, HxD
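As an added illustration of steps 2 (file fingerprinting) and 5 (packer detection) above, the following Python script is example code written for this page, not a tool from the original article. It hashes a file, walks the PE section table using only the standard library, and flags packer indicators with two heuristics: section names left behind by common packers and high section entropy. The PE image it analyses is constructed by hand so the script runs offline; the packer section-name list and the 7.0 entropy threshold are assumptions to tune.

```python
# Added example (not from the original page): static triage of a PE file with
# only the Python standard library. The sample PE is constructed below.
import hashlib
import math
import struct
from collections import Counter

# Assumption: a short watch-list of section names left behind by common packers.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                         ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}


def fingerprint(data: bytes) -> dict:
    """File fingerprinting: hashes that identify the sample on VirusTotal-style services."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted content, ~0 means padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (no pefile needed)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_indicators(sections: list, entropy_threshold: float = 7.0) -> list:
    """Return human-readable reasons why the binary looks packed (empty list if none)."""
    hits = []
    for s in sections:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append(f"section name {s['name']!r} matches a known packer")
        if s["entropy"] >= entropy_threshold:
            hits.append(f"section {s['name']!r} has entropy {s['entropy']} (likely packed/encrypted)")
    return hits


def build_sample() -> bytes:
    """Constructed minimal PE: a padding-only .text section and a high-entropy UPX1 section."""
    def section(name, vaddr, raw_ptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, 256, vaddr, 256, raw_ptr, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    headers = dos + coff + section(b".text", 0x1000, 168) + section(b"UPX1", 0x2000, 424)
    return headers + b"\x90" * 256 + bytes(range(256))


if __name__ == "__main__":
    sample = build_sample()
    print(fingerprint(sample))
    for s in parse_sections(sample):
        print(s)
    print("\n".join(packer_indicators(parse_sections(sample))) or "no packer indicators")
```

Entropy alone is not proof of packing (resource sections with compressed images score high too), which is why the script reports both signals separately and leaves the verdict to the analyst.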
What is Dynamic Malware Analysis?
Dynamic analysis should always be an analyst's first approach to discovering malware functionality. For dynamic analysis we build a virtual machine that is used as an isolated place to run and analyse the malware.
In addition, the malware is analysed in a malware sandbox, its processes are monitored, and the packet data it generates is analysed.
Dynamic analysis tools:
Some common dynamic analysis tools are Wireshark, Netcat, Procmon (Process Monitor), Process Explorer, Process Hacker, Regshot, ApateDNS, ProcDOT, PeStudio, Fiddler, Cuckoo Sandbox and Ghidra.
After you have gathered some data it is time for analysis:

  • Upload the hash and/or file to a site such as VirusTotal, ANY.RUN or Hybrid Analysis to get information.
  • If an IP address or domain name is available, check databases of known adversaries.
  • Use packet capture and traffic analysis if an external connection by the malware is suspected.
  • Obtain the malicious file and analyse it in a sandbox to identify indicators.
  • Use logs from the SIEM and EDR to identify other infected endpoints.
  • Take the identified endpoint off the network; do not power it off.
  • Use the data gathered to set up blocks for future attacks.

SIEM Rules from Event log ID and use cases

Below is some guidance on rule creation and which events to look for:
Collection - Domain Controller - User Activity - Network Share Accessed
This rule looks for Windows Event ID 5140 which indicates that a network share has been accessed. When on Workstations or Domain controllers, this event can be used to identify access to C$ or Admin$. Common false positives will be IPC$, \Sysvol, \Netlogon.
Credential Access - AD - Account Lockout - Service Account
Event ID 4740
Defense Evasion - Domain Controller - System Change - Event Logs Cleared
Identifies the clearing of event logs on a Windows host or domain controller. This may be performed to destroy evidence of malicious activity on a system.
Event ID 1102
Discovery - AD - Account Enumeration - Host
Event ID 4771, 4625, 4768
Discovery - AD - Kerberoasting
This rule looks for activity on Active Directory indicative of Kerberoasting attacks. Kerberoasting is where an attacker requests Kerberos service tickets and cracks them offline to recover the service account's credentials and gain access to the targeted service.
Event ID 4769
Execution - Network - Access Attempt - Unicode Domain
Identifies web requests where the website domain contains Unicode characters. Unicode allows the display of foreign characters within the URL bar and can be used to attempt to trick users into going to malicious websites.
URL matches: *?xn--.*?  Log source: web proxy servers and firewalls
Exfiltration - Email - Auto Forwarding
This rule looks for many emails from a single internal user going to an external email address, indicative of a user forwarding their mail content to a personal mailbox.
Vendor message ID is "send" and status is "originating".
Initial Access - ADFS - Excessive Login Failures
Identifies a large volume of ADFS failures, which may indicate account enumeration, brute-force login activity or a client misconfiguration.
Event ID 1201,1203,1205
Initial Access - Remote Access - Login Attempt - Different Geos
Identifies VPN login attempts by the same user across geographically distant locations in a short time period. This may indicate account compromise, especially if the user is not traveling.

Lateral Movement - Domain Controller - Login Attempt - Interactive
Identifies a remote interactive login to a domain controller.
Event ID 4624 and Session type is 10,2
Persistence - Domain Controller - System Change - Audit Policy Changed
Identifies system audit policy changes on Windows hosts. This represents a change to the type of security events logged by the system and may be a pre-attack activity to avoid detection.
Event ID 4719,4905,4912
Persistence - Domain Controller - System Change - Domain Policy Changed
Event ID 4739
Persistence - Domain Controller - System Change - Multiple Processes Created
Identifies a large number of processes being created in a short time on a monitored Windows host. An abnormal volume of unusual processes may indicate the host has been compromised or is being misused.
Event ID 4688, unique process count >= 10
Persistence - Domain Controller - System Change - Scheduled Task
Identifies the creation of new scheduled tasks as well as changes to existing tasks. The creation of new scheduled tasks or the removal of existing ones may be a technique to maintain persistence.
Event ID: 4698, 4699, 4700, 4701, 4702
Persistence - Domain Controller - System Change - Service Installed
Identifies the installation of unexpected services on a system. The installation of unexpected services may be an indicator of system compromise or misuse.
Event ID: 7045,4697,601
Privilege Escalation - AD - Group Change - Admin
Identifies attempts to change a user's group membership in AD. The high risk associated with delegating certain permissions in AD warrants a high level of scrutiny. For example, the promotion of a domain user to domain admin.
Event ID: 4728,4732,4746,4751,4756,4761
Privilege Escalation - ATP - Golden Ticket
This rule looks for Golden Ticket related activity identified by Azure ATP. See here for more details: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external.
Event ID 2009,2013,2027,2032,2022
Hunting the Fileless Malware & Powershell Activities:
Event IDs (4104, 4103 and 4688)
  • Event ID 4103 – Module logging – Attackers use obfuscated commands, self-defined variables and system commands; hunting this event ID gives SOC operations a record of the obfuscated commands as pipeline execution details. Module logging should be enabled so the malicious commands can be captured and processed.
  • Event ID 4104 – PowerShell Script Block Logging – Captures the entire scripts that are executed, including those run from remote machines; for example, obfuscated scripts that are decoded and executed at run time. This gives additional visibility on remote commands.
  • If an event exceeds the maximum event log message size, script block logging splits the logged script into multiple events. Suspicious commands can be observed at the logging level "Warning".
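To show how several of the rules above (event log cleared, service account lockout, interactive logon to a domain controller, admin group change, process-creation burst) and the PowerShell 4104 "Warning" level bullet translate into detection logic, here is an added example in Python; it is not code from the original page. The "key=value|key=value" line format and the events themselves are constructed, and the domain controller names, the service-account naming convention and the burst thresholds are assumptions to tune per environment.

```python
# Added example (not part of the original page): a minimal SIEM-style rule
# engine applied to constructed Windows Security and PowerShell events.
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01"}            # assumption: hosts to treat as domain controllers
SERVICE_ACCOUNT_PREFIX = "svc_"          # assumption: naming convention for service accounts
ADMIN_GROUP_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal security group


def parse_events(lines):
    """Turn constructed 'ts=...|host=...|event_id=...' lines into dicts."""
    events = []
    for line in lines:
        fields = dict(token.split("=", 1) for token in line.split("|"))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        fields["event_id"] = int(fields["event_id"])
        events.append(fields)
    return events


def run_rules(events, burst_window=timedelta(minutes=5), burst_threshold=10):
    """Return (rule name, host, detail) tuples for every rule that fires."""
    alerts = []
    procs_by_host = defaultdict(list)
    for e in events:
        eid, host = e["event_id"], e["host"]
        if eid == 1102:
            alerts.append(("Defense Evasion - Event Logs Cleared", host, e["user"]))
        elif eid == 4740 and e["user"].startswith(SERVICE_ACCOUNT_PREFIX):
            alerts.append(("Credential Access - Service Account Lockout", host, e["user"]))
        elif eid == 4624 and host in DOMAIN_CONTROLLERS and e["logon_type"] in ("2", "10"):
            alerts.append(("Lateral Movement - Interactive DC Logon", host,
                           f"{e['user']} logon type {e['logon_type']}"))
        elif eid in ADMIN_GROUP_EVENTS and "admin" in e["group"].lower():
            alerts.append(("Privilege Escalation - Admin Group Change", host,
                           f"{e['user']} -> {e['group']}"))
        elif eid == 4104 and e["level"].lower() == "warning":
            alerts.append(("Execution - Suspicious PowerShell Script Block", host, e["user"]))
        elif eid == 4688:
            procs_by_host[host].append((e["ts"], e["process"]))
    # Burst rule: >= N distinct process names on one host inside a sliding window.
    for host, procs in procs_by_host.items():
        procs.sort()
        for i, (start, _) in enumerate(procs):
            distinct = {name for ts, name in procs[i:] if ts - start <= burst_window}
            if len(distinct) >= burst_threshold:
                alerts.append(("Persistence - Multiple Processes Created", host,
                               f"{len(distinct)} distinct processes within {burst_window}"))
                break
    return alerts


SAMPLE_LOG = [  # constructed events, not real telemetry
    "ts=2024-01-15T09:00:00|host=DC01|event_id=4624|user=jdoe|logon_type=10",
    "ts=2024-01-15T09:01:00|host=DC01|event_id=1102|user=jdoe",
    "ts=2024-01-15T09:02:00|host=DC01|event_id=4728|user=jdoe|group=Domain Admins",
    "ts=2024-01-15T09:03:00|host=WS07|event_id=4740|user=svc_backup",
    "ts=2024-01-15T09:04:00|host=WS07|event_id=4104|user=jdoe|level=Warning",
    "ts=2024-01-15T09:05:00|host=WS07|event_id=4624|user=jdoe|logon_type=3",
    "ts=2024-01-15T09:06:00|host=WS07|event_id=4732|user=jdoe|group=Remote Desktop Users",
] + [f"ts=2024-01-15T09:10:{i:02d}|host=WS07|event_id=4688|user=jdoe|process=tool{i}.exe"
     for i in range(12)]

if __name__ == "__main__":
    for alert in run_rules(parse_events(SAMPLE_LOG)):
        print(alert)
```

The network logon (type 3) on the workstation and the non-admin group change are deliberately included as events that should not fire, since tuning rules against expected noise is most of the work in practice.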
USE CASE: DNS QUERY
Objective: The mission of this hunt is to drill down into DNS logs to baseline common domains queried by endpoints in the environment, and to identify potentially infected endpoints by looking for possible DNS tunnelling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log source & requirements: DNS query logging
Duration: 30 days
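The DNS hunt described in this use case, as an added Python example that is not from the original page: it baselines domains queried by many endpoints and flags the three indicators named above (probable tunnelling as many unique, very long subdomains under one registered domain; DGA-like names as long, high-entropy second-level labels; and risky TLDs). The query-log lines are constructed; the thresholds and the TLD list are assumptions to tune against your own 30-day baseline, and registered-domain extraction is a naive last-two-labels split that ignores multi-label public suffixes.

```python
# Added example (not from the original page): DNS query-log hunt over constructed lines.
import math
from collections import Counter, defaultdict

RISKY_TLDS = {"top", "xyz", "tk", "zip", "gq"}  # assumption: illustrative list only


def shannon_entropy(text: str) -> float:
    """Bits per character of a label; random-looking DGA labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def hunt(lines, baseline_min_clients=3, dga_min_len=12, dga_entropy=3.5,
         tunnel_min_subdomains=5, tunnel_min_label_len=30):
    """Each line: '<timestamp> <client_ip> <qname> <qtype>' (constructed format)."""
    clients_by_domain = defaultdict(set)
    subdomains_by_domain = defaultdict(set)  # domain -> {(client, subdomain)}
    findings = {"dga": set(), "risky_tld": set(), "tunneling": set(),
                "suspect_clients": Counter()}
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        domain = ".".join(labels[-2:])  # naive registered-domain extraction
        clients_by_domain[domain].add(client)
        if len(labels) > 2:
            subdomains_by_domain[domain].add((client, ".".join(labels[:-2])))
        sld, tld = labels[-2], labels[-1]
        if tld in RISKY_TLDS:
            findings["risky_tld"].add(qname)
            findings["suspect_clients"][client] += 1
        if len(sld) >= dga_min_len and shannon_entropy(sld) >= dga_entropy:
            findings["dga"].add(qname)
            findings["suspect_clients"][client] += 1
    # Tunnelling: one registered domain receiving many distinct, long subdomain queries.
    for domain, subs in subdomains_by_domain.items():
        names = {s for _, s in subs}
        if (len(names) >= tunnel_min_subdomains
                and sum(map(len, names)) / len(names) >= tunnel_min_label_len):
            findings["tunneling"].add(domain)
            for client, _ in subs:
                findings["suspect_clients"][client] += 1
    # Baseline: domains queried by enough distinct endpoints to be "normal" here.
    findings["baseline"] = {d for d, c in clients_by_domain.items()
                            if len(c) >= baseline_min_clients}
    return findings


SAMPLE_DNS_LOG = (  # constructed query log, not real traffic
    [f"2024-01-15T09:00:0{i} 10.0.0.{5 + i} www.microsoft.com A" for i in range(3)]
    + [f"2024-01-15T09:00:1{i} 10.0.0.{5 + i} login.live.com A" for i in range(3)]
    + ["2024-01-15T09:01:00 10.0.0.9 xk3q9z7b1v5w8n2m.top A",
       "2024-01-15T09:01:01 10.0.0.9 q7w1e9r3t5y2u8i4.xyz A"]
    + [f"2024-01-15T09:02:0{i} 10.0.0.12 {'abcdef0123456789' * 3}{i}.tun.example.net TXT"
       for i in range(5)]
)

if __name__ == "__main__":
    result = hunt(SAMPLE_DNS_LOG)
    for key in ("baseline", "dga", "risky_tld", "tunneling"):
        print(key, sorted(result[key]))
    print("suspect clients", result["suspect_clients"].most_common())
```

The per-client counter is what turns domain-level findings into the "potentially infected endpoints" list the use case asks for; over a real 30-day window, start from the baseline set and investigate the clients whose queries fall mostly outside it.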

Linux Compromises & Access Tools and Where to Find Them

Linux compromises

  • Linux systems are 'occasionally' targeted by actors, especially cryptomining and ransomware crews.
  • This process can be similar to Windows machine compromises but some areas are specific to each flavour.
  • The below is a brief overview of the exploitation, protection, detection and remediation processes of Linux operating systems.

Exploitation (same process as Windows devices):
    • Exploit external facing service
    • Establish persistence
    • Collect credentials
    • Move laterally

Protection (similar to Windows):
    • Patch, including applications (e.g. a cron job running apt / yum update)
    • Limit number of admins with sudo powers
    • Application whitelisting (fapolicyd)
    • ACSC also have a Linux hardening worksheet which could be useful (Hardening Linux Workstations and Servers)

Detection, utilising logs:
    • Weblogs: exploitation attempts, webshells
    • Commandline logging
    • SSH logs
    • Memory images (which I don’t think is a viable way for continuous detection, for incident response more likely)
    • Use Yara rules to search for malware; Volatility plugin

Process data:
    • ps -eaf
    • pstree

Get service (cron) data:
    • ls -la /etc/cron*
    • Cron jobs redirecting to "> /dev/null" are worth checking out

Remediation:
    • Change passwords
    • Regenerate keys (e.g. in ssh)
    • Remove added users
    • Clean off malware (webshells, scripts, implants)
    • Remove cron jobs
    • Monitor for reconnection attempts (from known malicious IPs)
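The cron check above, as an added Python example that is not part of the original notes: it parses crontab-format text (system files such as /etc/crontab and /etc/cron.d/* carry a user column; per-user crontabs do not) and flags the indicator the notes call out, commands whose output is thrown away with "> /dev/null". It also adds one further heuristic beyond the notes: commands run from world-writable locations such as /tmp or /dev/shm. The sample file content is constructed; in practice, feed it the output of the ls -la /etc/cron* review.

```python
# Added example (not from the original notes): triage of cron entries during a Linux incident.
import re

# Five schedule fields, or an @reboot / @daily style shortcut, then the rest of the line.
CRON_LINE = re.compile(r"^(?P<schedule>@\w+|(?:\S+\s+){4}\S+)\s+(?P<rest>.+)$")
DEVNULL = re.compile(r">\s*/dev/null")
TEMP_DIRS = re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/")  # added heuristic, not in the notes


def parse_cron(text: str, system_format: bool) -> list:
    """Return [{'schedule', 'user', 'command'}] for every job line; comments and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as PATH=...
        m = CRON_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        user = None
        if system_format:  # /etc/crontab and /etc/cron.d/* name the user before the command
            user, _, rest = rest.partition(" ")
        entries.append({"schedule": m.group("schedule"), "user": user, "command": rest.strip()})
    return entries


def suspicious_entries(entries: list) -> list:
    """Attach a list of reasons to each entry that trips a heuristic; untripped entries are dropped."""
    flagged = []
    for e in entries:
        reasons = []
        if DEVNULL.search(e["command"]):
            reasons.append("output discarded to /dev/null")
        if TEMP_DIRS.search(e["command"]):
            reasons.append("runs from a world-writable temp directory")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


SAMPLE_CRON_D = """\
# /etc/cron.d/backup  (constructed sample, not from a real host)
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * root /tmp/.x/update > /dev/null 2>&1
@reboot www-data /var/www/html/.cache/sync.sh >/dev/null 2>&1
"""

if __name__ == "__main__":
    for hit in suspicious_entries(parse_cron(SAMPLE_CRON_D, system_format=True)):
        print(hit["schedule"], hit["user"], hit["command"], "->", ", ".join(hit["reasons"]))
```

A /dev/null redirection is common in legitimate jobs too, so treat the output as a prioritised list to review against the host's expected jobs rather than as a verdict; the web-server user owning a hidden script under the document root is the kind of entry worth reading first.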


Fantastic Access Tools
  • Attackers are increasingly using remote access tools to gain and maintain access to the network, through the utilisation of either:
    • Tools already deployed (and obtaining creds)
    • Deploying own software

Generic detection to help find these tools in your org
    • Event 4688 - process names
    • Event 4697 - service creation event (if tool was installed as a service)
    • Sysmon - process names, DNS lookups / network traffic to known RMT domains
    • Firewall logs - connections classified as app
    • Can also manually check with a host using: wmic /node:<target> process list


Tool brief overviews
  • Recent report: Anomali, ‘ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs’
  • DameWare
    • Requires incoming connection from the internet on various ports
    • Connects to IPv6 local host
    • Shodan.io - product:dameware
    • Process name: Dwrcs.exe
  • GoToAssist
    • Generates outgoing HTTP/S traffic - look for logmein or gotoassist
    • Process name: Gotoassist.exe
  • ConnectWiseControl / ScreenConnect
    • Generates outgoing HTTP/S traffic
    • Process name: Screenconnect.clientservice.exe
    • Commonly used for phishing emails with a URL that deploys ScreenConnect directly
  • Keep an eye out for any remote management/access tools. Most of them will probably be "legit". If they are, ensure they:
    • Use MFA
    • Turn on logging
    • Manage the users
    • Turn off processes when not in use

  • SDBBot is a remote access trojan identified by Proofpoint in 2019. The ACSC issued an alert in November last year about increased sightings in attacks targeting healthcare. It's often used to drop ransomware.
  • Initial infection is usually via ISO or Excel email attachments. It sends C&C traffic over port 443 in a plaintext protocol. 

  • Mitigations:
    • Microsoft's Attack Surface Reduction rules
    • Block ISO attachments and downloads
    • Block non-HTTPS traffic over port 443

'Lo-Tech OT hacking'
  • A general primer on finding and securing 'human-machine interfaces', or HMIs - i.e. dashboards for SCADA/OT equipment.
  • Common exposed HMIs include HVACs, fridges, etc. 
  • Cool Shodan search: https://www.shodan.io/search?query=screenshot.label%3Aics
  • HMIs are easy to find and access. Targeted industrial sabotage is unlikely; most hackers are bored and poking at low-hanging fruit. 
  • This maps with OTORIO's report about the Israeli reservoir 'hack' in December. They concluded that the attackers likely 'did not possess any deep industrial capabilities or knowledge' and targeted the system solely because it was unprotected. 
  • Note: we called attacks on these devices 'annoying' but 'unlikely to be dangerous'. An attendee pointed out that a hacked fridge could be catastrophic for a hospital or pharmacy storing temperature-controlled medications.

  • Recommendation is network scanning and searching Shodan for modbus and dnp3, plus other common HMI ports and protocols. 
TeamViewer and remote access security
  • In light of the Florida water incident, they added some points about securing remote access/support tools. Nothing too exciting, just 'figure out what tools are in use at your organization' and 'maybe try to secure them?' 
  • Apparently there will be a more detailed brief on this incident later.

Windows Event log for Detection and Best practice

Event logs are an important part of a cyber investigation. We will look into best practice and some important logs that you should look for in detection.

Hackers try to hide their presence for as long as possible. Event ID 104 (Event Log was Cleared) and Event ID 1102 (Audit Log was Cleared) could indicate a problem. Event ID 4719 (System audit policy was changed) could also show malicious activity. Application crashes can also indicate the presence of a hacker.


Table 1 – Application Crashes

  Category     Event Source                                  Event Log      Event ID (Level)
  App Error    Application Error                             Application
  App Hang     Application Hang                              Application
               Microsoft-Windows-WER-SystemErrorReporting
               Windows Error Reporting
                                                             Application    1 (Warning), 2 (Error)



Hackers need access to your systems just like any other user, so it’s worth looking for suspicious login activity. Table 2 shows events that might indicate a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 event IDs 4624 (success) and 4625 (failure).

Table 2 – Account Usage

  Category                                  Event ID            Event Source                           Event Log
  Account Lockouts                          4740                Microsoft-Windows-Security-Auditing    Security
  User Added to Privileged Group            4728, 4732, 4756    Microsoft-Windows-Security-Auditing    Security
  Security-Enabled Group Modification                           Microsoft-Windows-Security-Auditing    Security
  Successful User Account Login             4624                Microsoft-Windows-Security-Auditing    Security
  Failed User Account Login                 4625                Microsoft-Windows-Security-Auditing    Security
  Account Login with Explicit Credentials                       Microsoft-Windows-Security-Auditing    Security


High-value assets, like domain controllers, shouldn't be managed using Remote Desktop. Logon Type 10 event IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.



Best Practices

1.Collect Logs in a Single Place
  • If logs are stored in multiple locations, it becomes harder to parse and analyze them for any investigation. For example, an organization stores log files of its computers and network in archives for regular inspection of possible threats.
  • If these archives are stored in multiple locations, it is much harder to analyze logs from all locations manually.
2. Segment different logs into different files so they are easy to access for research and reading
  • This practice means keeping the logs segmented into different categories. For example, keep the Application logs, Security logs, System logs and Network logs in separate archives so that it is easier to parse through particular logs for threat inspection.


3. Regular Log analysis for Potential Threats

  • Organisations should constantly keep tabs on their archived event logs. Routine checks help identify undetected short- or long-term threats that may harm the data. This check can be done on a weekly or monthly basis; big corporations with a large number of collected logs require daily checks to keep their data integrity.


4. Archive Logs, Do not Overwrite

  • In Windows, the default size of the physical log file is 20 MB, which can be sufficient for a single user.
  • For an organization the default file size is not enough for log management because older logs get overwritten by new logs. This can be overcome by archiving the logs: as new logs enter the system, the older event logs are archived to a secure location, which helps in troubleshooting the system if a problem is encountered.


5. Restrict access to limited personnel, and log all accesses

  • Access to the logs should be limited to authorised personnel only, such as the administrator and the log analyst who maintain the integrity of the logs and constantly observe them for potential threats.


6. Regularly upgrade or update log management infrastructure if there is any

  • Log management is not an easy task. It takes experience and proper knowledge to manage logs and to find the threats that are critical for compromising the system.
  • Most organizations use log management infrastructure and tools, which make it much easier to handle event logs. The analyst should constantly look for new upgrades and updates of the tool to keep the system safe from new threats and vulnerabilities.


7. Use copies of logs for Forensic Investigation

  • Event logs are a great help in a forensic investigation as each and every event is recorded in the log files.
  • Whenever an investigation is done using event logs, make sure to create multiple copies of the acquired logs to maintain the integrity of the log data. This protects the original logs.


8. Store Multiple Backups

  • Storing multiple backups of logs in a secured place is a great way to protect log data from attackers who may exploit the log infrastructure. If the original log archives are lost or encrypted, the backups will help in identifying the root cause of the attack. There are two types of backups:
  • Hot backup: backup of the most recent logs (1 to 4 weeks).
  • Cold backup: backup of all logs for a long period of time (6 to 12 months).
