Hunting Punycode IDNs Using Carbon Black EDR

Running a “ipport:53” process search in Carbon Black has helped to locate hosts and/or processes performing an abnormal number of DNS queries, however recently I wanted to hunt processes generating punycode IDN DNS queries on a client network. Alerts were triggered by their SIEM, which was ingesting Microsoft Server DNS logs. The Sumo Logic alert […]

Acquiring a Triage Image Using KAPE and Carbon Black Go Live

Before starting, big shout out to Eric Zimmerman ( for creating so many great free DFIR tools. KAPE can be downloaded here: KAPE is a standalone program that does not need to be installed. Decompress the zip file to a directory of your choosing and you are ready to go. KAPE requires administrator rights […]

InfoSec Reading List

I often get asked which books are worth reading for an aspiring InfoSec pro. While there are many great books out there, each serving a unique purpose, here are my general recommendations. The Basics: Wireshark 101: Essential Skills for Network Analysis – Second Edition: Wireshark Solution Series Practical Packet Analysis, 3E: Using Wireshark to Solve […]