Other

Cyber Security Notes

My notes on Notion (backup link) I take notes using Notion. Lots of commands, tools, hints, and tips. Over 72,000 words so far! Screenshot as of October 2021:

Monday, March 7, 2022 | 1 minute Read

MITRE D3FEND - Security BSides London Talk

Back in November I gave a talk at Security BSides in London about MITRE’s D3FEND framework. Audio is a bit off until 1:27, then it’s fine. Watch it here:

Conference Talk

Monday, January 10, 2022 | 1 minute Read

Six Months as a SOC Analyst - My Top Three Tips

Introduction It’s already been six months since I started my journey as a Security Analyst (time flies!) so I thought I’d share some thoughts to help other aspiring SOC Analysts. I started with no professional IT experience, only a lifelong interest. My background was primarily in engineering. I prepared for an infosec role by doing CompTIA Security+ and Blue Team Level One certifications (review here), playing around on TryHackMe and with Security Onion, and generally learning as much as possible.

Security Monitoring

Sunday, July 25, 2021 | 8 minutes Read

PHP Backdoor Deobfuscation

Part of my role involves threat hunting on client servers. During one of these hunts I found a PHP backdoor called shell20210526.php. It was obfuscated - challenge accepted! There are a few PHP deobfuscation tools available. Individually they didn’t get the result, but in combination (along with some manual intervention) I was able to get a good result. Contents Tools The .php Stage 1: UnPHP Stage 2: Manual Editing Stage 3: Run the Function Stage 4: PHP Deobfuscator Base64 Variables HTML Front-end Investigation Comments Tools UnPHP - The Online PHP Decoder

Digital Forensics

Sunday, July 4, 2021 | 92 minutes Read

Sysmon: How to install, upgrade, and uninstall

Introduction Helpful Links Install Upgrade Uninstall The Problem The Investigation The Solution Introduction If you’re on this page you probably don’t need me to explain much about what Sysmon is or why it is an excellent tool for security monitoring. In short: It’s part of Microsoft’s Sysinternals Suite So it should play nice with Windows It can monitor almost anything that happens on a Windows host So it can detect all the most common MITRE ATT&CKs It logs using Windows Event Logs So it’s easy to export to a SIEM etc for analysis However, if you’ve tried rolling Sysmon out to a large number of machines, and then removing or updating it, you may have experienced some issues. At least, I did. So I’ve collated some of my findings.

Security Monitoring

Wednesday, June 2, 2021 | 4 minutes Read

Security Blue Team's Blue Team Level 1 Review

Tl;dr Would I recommend BTL1? 100% yes! Will it help you get your first job in cyber security? 100% yes! Is it worth taking if you already work in cyber security? If you have less than a couple years, it probably is worth it, yes! Ntl;wr Background In 2020 I decided to embark upon a career in cyber security. My background was in electrical engineering and IT sales, among other things, so while I was computer-proficient, I didn’t have specific sysadmin or security skills. I knew that, before a company would hire me, I’d need to acquire some knowledge. I was working full-time at the time, and I didn’t want to quit to spend thousands of dollars (or pounds) on returning to uni or even on a bootcamp, so I decided I would self-learn.

Tuesday, April 6, 2021 | 7 minutes Read

Splunk BOTSv3 Write-Up

Splunk have several “Boss of the SOC” datasets, simulating a security incident - think of it as a Blue Team/SIEM-based CTF. This is my write-up for BOTSv3, at the time of writing the most recent dataset available. It seems that Taedonggang, a North Korean group, have attacked Frothly, a beer maker… The official BOTSv3 page is here: https://github.com/splunk/botsv3 I wrote this on Notion, and it is best viewed there, as it is always up-to-date and is visually best. See it here:

Tuesday, September 8, 2020 | 41 minutes Read