• All Posts
Data Science
Business and Consulting
Climate and Energy
Cognition and Learning
• Book Notes
• Course Notes
• Other
Contemplations and Society
IT and Technology
• How-Tos
• Scripts
  • Bookmarkletss
  • Linux / Bash
  • Userscripts
Projects
• Android
• Arduino
• Python
• Web
Cyber Security
• Challenges
• Operational Technology (OT)
• Other

Memory Analysis - Ransomware

https://blueteamlabs.online/home/challenge/1 Introduction Questions Run “vol.py -f infected.vmem –profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process? What is the parent process ID for the suspicious process? What is the initial malicious executable that created this process? If you drill down on the suspicious PID (vol.py -f infected.vmem –profile=Win7SP1x86 psscan | grep (PIDhere)), find the process used to delete files Find the path where the malicious file was first executed Can you identify what ransomware it is?

• Blue Team Labs Online

Monday, July 12, 2021 | 5 minutes Read

PHP Backdoor Deobfuscation

Part of my role involves threat hunting on client servers. During one of these hunts I found a PHP backdoor called shell20210526.php. It was obfuscated - challenge accepted! There are a few PHP deobfuscation tools available. Individually they didn’t get the result, but in combination (along with some manual intervention) I was able to get a good result. Contents Tools The .php Stage 1: UnPHP Stage 2: Manual Editing Stage 3: Run the Function Stage 4: PHP Deobfuscator Base64 Variables HTML Front-end Investigation Comments Tools UnPHP - The Online PHP Decoder

• Digital Forensics

Sunday, July 4, 2021 | 92 minutes Read

SANS June 2021 Forensic Contest

Update The answers have been released and are available here: https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest+Answers+and+Analysis/27582/ They said it was hard, and it was. I’m proud of what I found! Reflecting back: For some reason, I thought they meant not all the machines are infected. It turns out all three were! So I skipped over .93 entirely. Similarly, I was thinking each infected machine only had one piece of malware. Wrong again! Because I was looking for the answers and not thinking as if it was a real investigation, I stopped looking too early.

• Digital Forensics

Tuesday, June 29, 2021 | 10 minutes Read

The Planet's Prestige (Email and Attachment Analysis)

https://blueteamlabs.online/home/challenge/10 What is the email service used by the malicious actor? What is the Reply-To email address? What is the filetype of the received attachment which helped to continue the investigation What is the name of the malicious actor? What is the location of the attacker in this Universe? What could be the probable C2 domain to control the attacker’s autonomous bots? What is the email service used by the malicious actor?

• Blue Team Labs Online

Sunday, June 20, 2021 | 3 minutes Read

Sysmon: How to install, upgrade, and uninstall

Introduction Helpful Links Install Upgrade Uninstall The Problem The Investigation The Solution Introduction If you’re on this page you probably don’t need me to explain much about what Sysmon is or why it is an excellent tool for security monitoring. In short: It’s part of Microsoft’s Sysinternals Suite So it should play nice with Windows It can monitor almost anything that happens on a Windows host So it can detect all the most common MITRE ATT&CKs It logs using Windows Event Logs So it’s easy to export to a SIEM etc for analysis However, if you’ve tried rolling Sysmon out to a large number of machines, and then removing or updating it, you may have experienced some issues.

• Security Monitoring

Wednesday, June 2, 2021 | 4 minutes Read

Hammered (Log Analysis)

https://cyberdefenders.org/labs/42 Contents Initial Analysis Initial Findings Manipulating the Logs auth.log - sorted by command then time auth.log - all unique lines sorted by command (excluding timestamp) auth.log - extract commands auth.log - extract IPs www-access.log - extract IPs www-access.log - extract user agents Questions #1 Which service did the attackers use to gain access to the system? #2 What is the operating system version of the targeted system? (one word) #3 What is the name of the compromised account #4 #5 Consider that each unique IP represents a different attacker.

• CyberDefenders

Thursday, May 27, 2021 | 7 minutes Read

Malicious PowerShell Analysis

https://blueteamlabs.online/home/challenge/7 Open the file Decode the file Deobfuscating the script Spacing Fillers Chars Variables Format Strings Replaces Splits Questions What security protocol is being used for the communication with a malicious domain? What directory does the obfuscated PowerShell create? (Starting from \HOME) What file is being downloaded (full name)? What is used to execute the downloaded file? What is the domain name of the URI ending in ‘/6F2gd/’ Based on the analysis of the obfuscated code, what is the name of the malware?

• Blue Team Labs Online

Sunday, May 16, 2021 | 4 minutes Read

MalDoc101 (Document Analysis)

https://cyberdefenders.org/labs/51 Contents Tools Used 1. Multiple streams contain macros in this document. Provide the number of highest one. 2. What event is used to begin the execution of the macros? 3. What malware family was this maldoc attempting to drop? 4. What stream is responsible for the storage of the base64-encoded string? 5. This document contains a user-form. Provide the name? 6. This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

• CyberDefenders

Monday, April 26, 2021 | 5 minutes Read

SANS April 2021 Forensic Quiz

https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz/27266/ Introduction Artifacts Excel-related Executables and DLLs Scheduled Task Pcaps Export objects Traffic Summary SHAs Introduction We’re provided with a .pcap and a bunch of artifacts (files). The AD, we’re told, is as follows: LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255) Domain: clockwater.net Domain Controller: 192.168.5.5 - Clockwater-DC LAN segment gateway: 192.168.5.1 LAN segment broadcast address: 192.168.5.255 Artifacts First, let’s inspect the artifacts. $ find . -type f -exec ls -l -- {} + 242176 Mar 29 23:22 .

• Digital Forensics

Thursday, April 22, 2021 | 9 minutes Read

Security Blue Team's Blue Team Level 1 Review

Tl;dr Would I recommend BTL1? 100% yes! Will it help you get your first job in cyber security? 100% yes! Is it worth taking if you already work in cyber security? If you have less than a couple years, it probably is worth it, yes! Ntl;wr Background In 2020 I decided to embark upon a career in cyber security. My background was in electrical engineering and IT sales, among other things, so while I was computer-proficient, I didn’t have specific sysadmin or security skills.

Tuesday, April 6, 2021 | 7 minutes Read

Ignite

Tools and Commands nmap searchsploit python netcat Recon Start with an nmap scan: $ sudo nmap -A -oA nmap 10.10.194.158 The only open port is 80, a Apache/2.4.18 web server. View the web page in a browser and we find it’s the default page for FUEL CMS 1.4, which also gives us some basic info about the CMS. A quick Gobuster scan gives us nothing particularly useful: $ gobuster dir -u http://10.

• TryHackMe

Sunday, January 3, 2021 | 3 minutes Read

Advent of Cyber 2

The first 23 days are simple bullet points describing how to do the task. Day 24 is a more complete write-up, as it was a more complete challenge! Table of Contents [Day 1] Web Exploitation: A Christmas Crisis [encoding] [Day 2] Web Exploitation: The Elf Strikes Back! [file upload] [Day 3] Web Exploitation: Christmas Chaos [brute force] [Day 4] Web Exploitation: Santas watching [brute force / fuzzing] [Day 5] Web Exploitation: Someone stole Santas gift list!

• TryHackMe

Saturday, January 2, 2021 | 13 minutes Read

• ««
• «
• 1
• 2
• 3
• »
• »»