and Intrusion Investigations

Forensic Thoughts
Quite often I notice that unauthorized actors who compromise RDP access will execute a native web browsing application and navigate to a website such as to enumerate browser header information, IP address, ISP, and a smattering of other host identification information.  In reviewing these cases with forensic tools, I would also quite often see a hit for  Observing a .ru domain hit usually raises my suspicion level a bit, but I could not understand the context because there are not normally other .ru domains found during my investigation.  A little common sense and research confirmed that “metrika” is Russian for “metric” and that examination of watch.js appears to reveal a web metric monitoring/tracking capability similar to Google’s Analytics reports offered to webmasters via its tracking code (   I…
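The triage described above, as an added example that is not part of the original post: browser-history rows are filtered to an RDP logon window, IP-check site visits are flagged, and a metrika/watch.js hit is attributed to the page that loaded it rather than treated as a separate navigation. The history rows, the session window and every hostname are constructed sample data (the IP-check and metrics hosts are assumptions standing in for the sites the post does not name).

```python
"""Correlate browser-history artifacts with an RDP session window (added example)."""
from datetime import datetime
from urllib.parse import urlparse

# Constructed RDP logon/logoff window for the suspect session (assumed values).
RDP_SESSION = (datetime(2012, 3, 4, 2, 15), datetime(2012, 3, 4, 2, 40))

# Constructed browser history: (timestamp, url, referrer). The watch.js row
# models a tracker fetched by the IP-check page, not a site the actor typed in.
HISTORY = [
    (datetime(2012, 3, 4, 1, 0), "http://intranet.example/portal", ""),
    (datetime(2012, 3, 4, 2, 17), "http://ipcheck.example/", ""),
    (datetime(2012, 3, 4, 2, 17), "http://metrika.example.ru/watch.js", "http://ipcheck.example/"),
    (datetime(2012, 3, 4, 2, 18), "http://whatismyip.example/lookup", ""),
    (datetime(2012, 3, 4, 9, 0), "http://news.example/", ""),
]

# Assumed watchlist of hostnames that echo back visitor IP / browser headers.
IP_CHECK_HOSTS = {"ipcheck.example", "whatismyip.example"}


def in_session(ts, session=RDP_SESSION):
    """True if the history timestamp falls inside the RDP logon window."""
    start, end = session
    return start <= ts <= end


def classify(url, referrer):
    """Label a row; tracker hits are attributed to the referring page's host."""
    p = urlparse(url)
    host = p.hostname or ""
    if host in IP_CHECK_HOSTS:
        return ("ip-check", host)
    if "metrika" in host or p.path.endswith("/watch.js"):
        ref_host = urlparse(referrer).hostname if referrer else None
        return ("tracker", ref_host)
    return ("other", host)


def findings(history=HISTORY, session=RDP_SESSION):
    """Return (time, kind, host) for in-session rows that matter to the review."""
    out = []
    for ts, url, ref in history:
        if not in_session(ts, session):
            continue
        kind, host = classify(url, ref)
        if kind != "other":
            out.append((ts.isoformat(timespec="minutes"), kind, host))
    return out
```

Because the tracker row resolves to the IP-check host that loaded it, the .ru hit reads as context for the same visit instead of an unexplained destination.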
