Posts Tagged ‘memory forensics’

Mimikatz is a tool that implements the functionality of Windows Credentials Editor and allows you to get the authentication data of a logged-in user in the clear. The method used to detect Mimikatz is referred to as a grouping which consists of taking a group of unique artifacts and identifying. The author guides Cyberwardog to create alerts for detecting Mimikatz using Sysmon and ELK Stask in this article. It should be noted that you must already have ELK Stack installed with the ElastAlert setting. The script is needed to process some logic needed to test a couple of things before we can turn off the alert to get started.

Computer attacks constantly worry administrators and computer users. Earlier we already talked about volatility.

Plugin for the platform Volatility Framework, whose goal is to extract the encryption keys Full Volume Encryption Keys (FVEK) from memory. It works from Windows 7 to Windows 10. Unfortunately, the support for Windows 8 – 10 is very experimental, but it works in most cases with a few quirks.

CVE-2017-11826 is a memory corruption vulnerability that allows a remote attacker to execute arbitrary code by tricking a victim into opening a specially crafted file. The problem affects all supported versions of MS Office.

Encryption was originally used only for the transfer of confidential information. However, subsequently the information was encrypted for the purpose of storing it in unreliable sources.