Hunting Punycode IDNs Using Carbon Black EDR

Running a “ipport:53” process search in Carbon Black has helped to locate hosts and/or processes performing an abnormal number of DNS queries, however recently I wanted to hunt processes generating punycode IDN DNS queries on a client network. Alerts were triggered by their SIEM, which was ingesting Microsoft Server DNS logs. The Sumo Logic alert […]

Acquiring a Triage Image Using KAPE and Carbon Black Go Live

Before starting, big shout out to Eric Zimmerman ( for creating so many great free DFIR tools. KAPE can be downloaded here: KAPE is a standalone program that does not need to be installed. Decompress the zip file to a directory of your choosing and you are ready to go. KAPE requires administrator rights […]