Last update Nov 20, 2017.
Stuff that I'm reading (or saving for later)
Hunting with Splunk: The Basics
At Splunk, you may hear us pontificating on our ponies about how awesome and easy it is to use Splunk to hunt. Why, all you need to do is use X and Y with Splunk to find a Z score (no zombies were injured in the creation of this .conf presentation) and boom!, baddie in your network is detected.
Places of Interest in Stealing NetNTLM Hashes
One day @m3g9tr0n and I were discussing different places where we can use Responder to steal NetNTLM hashes. After experimenting I thought of writing this post along with some cool findings in the world of Windows. SMBRelay attacks are also possible in these scenarios.
osquery Across the Enterprise
Every effective Incident Response team needs the ability to “ask a question” to a single or multiple hosts in the fleet and receive timely and accurate answers.
Shed - Inspect .NET malware like a Sir
When I start to analyze a new malware sample, there are some initial tasks that provide a lot of useful information to speed up the analysis. Two of them are of particular interest: the extraction of the embedded strings and the dumping of packed binaries.
Lilith is a console-based ultra light-weight RAT developed in C++. It features a straightforward set of commands that allow for near complete control of a machine. The modularity and expandability of this RAT are what it's been built on.
Building a Better Moat: Designing an Effective Covert Red Team Attack Infrastructure
Foxhound: Blackbox - A RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack. Suitable for a home 'blackbox' deployment - it will record everything that happens on your network. Use it to detect threats and/or to provide network forensics to a malware lab.
The Hunt for the Financial Industry's Most-Wanted Hacker
In any global outbreak, it’s important to identify Patient Zero. In the movies, you get a leggy Gwyneth Paltrow. In the nine-year online epidemic that helped create cybercrime as we know it, you get “fliime.” That was the name used by somebody who went on the online forum Techsupportguy.
Intro to ROP: ROP Emporium — Split
I recently discovered the excellent ROP Emporium website, a page filled with return-oriented programming challenges of varying difficulty. I must admit that while I felt I understood ROP in principle, I didn't really understand it in practice until I started solving these challenges.