When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine.
It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths.
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Gambian Central Bank says ‘don’t panic’ after data hack
November 18, 2022
The Gambia’s Central Bank says there’s no need to panic after a data hack. Sources allege the hackers managed to access the bank’s most sensitive files, but in a statement the Central Bank said no mission-critical systems were compromised, and that normal operations have continued unabated. It did however say one server was affected, which was promptly ...
- Pro-Russian hackers claim cyber attack on FBI website
November 15, 2022
A group of pro-Russian hackers claimed to hack into the FBI website this week, the latest in a string of supposed attacks on U.S. government websites. The group Killnet took responsibility for infiltrating the website on its Telegram page Monday. It said the group was doing justice and guarding Russian cyberspace, writing “Glory to Russian and ...
- Australia: Government considers making cyber ransom payments illegal after Medibank hack
November 13, 2022
It could soon be illegal for companies that fall victim to data breaches to pay ransoms to the hackers. The home affairs minister, Clare O’Neil, confirmed the government was examining whether new laws were needed to stop ransom payments in the wake of the Medibank and Optus data breaches. O’Neil said while short-term successes were needed in ...
- DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework
November 8, 2022
C&C systems are useful collaboration tools for penetration testers and red teamers. They provide a common place for all victim machines to reach out to, be controlled from, and allow multiple users to interact with the same victims. When performing authorized testing, this is very important as logs are kept in a single place to ...
- Defenders beware: A case for post-ransomware investigations
October 18, 2022
Ransomware is one of the most pervasive threats that Microsoft Detection and Response Team (DART) responds to today. The groups behind these attacks continue to add sophistication to their tactics, techniques, and procedures (TTPs) as most network security postures increase. In this blog, DART researchers detail a recent ransomware incident in which the attacker used a ...
- Hospital giant’s IT still poorly a week after suspected ransomware infection
October 12, 2022
Computer systems are still down at CommonSpirit Health – America’s second-largest nonprofit hospital network – more than a week after it was hit by a somewhat mystery cyberattack. The US’s largest Catholic healthcare provider remains very tight-lipped about the root cause of this digital breakdown, and when it expects its systems to come back online. At ...