Matthew Green – Noise

Finding the LNK: Techniques and methodology for advanced analysis with Velociraptor

Matthew Green — Fri, 01 Nov 2024 13:00:00 +0000

In this post, we explore the structure of LNK files using Velociraptor, our open-source digital forensics and incident response (DFIR) tool.

How To Hunt For UEFI Malware Using Velociraptor

Matthew Green — Thu, 29 Feb 2024 17:32:12 +0000

UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing.

With this context, it

Automating Qakbot decode at scale

Matthew Green — Fri, 14 Apr 2023 14:16:44 +0000

This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.