research blog
Threat hunting.
The most sophisticated actors.
Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.
Detecting Mimikatz Without Signature-Based Rules
Mimikatz has hundreds of variants and most AV signatures fall behind. Behavioural detection approaches that catch it regardless of version.
My Windows DFIR Checklist for Initial Triage
After working through enough incidents and CTF challenges, a checklist that covers the things that matter most in the first 30 minutes.
Setting up a home lab
I bought myself a server to expand my development as the war between gaming and personal development was finally over and, you guessed it, games won. Instead of simply copying from virtual machines over, I decided to build my lab again from the ground up using new tools and endpoints. This blog will be split […]
PersistenceIsFutile | Moderate
Challenge brief Hackers made it onto one of our production servers. We’ve isolated it from the internet until we can clean the machine up. The IR team reported eight different backdoors on the server but didn’t say what they were and we can’t get in touch with them. We need to get this server back […]
Obsecure | Easy
Challenge brief An attacker has found a vulnerability in our web server that allows arbitrary PHP file upload to our Apache server. As such, the hacker has uploaded what seems to be an obfuscated shell (support.php). We monitor our network 24/7 and generate logs from tcpdump (we provided the log file for the period of two […]
Reminiscent | Easy
Challenge brief Suspicious traffic was detected from a recruiter’s virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. […]
Exploring the Top 10 Windows Process Injection Techniques: Detection and Mitigation
Introduction Process injection is a common tactic employed by malicious actors to inject code into a legitimate process, allowing them to evade detection and execute their malicious payloads. In this blog, we will delve into the top 10 Windows process injection techniques used by adversaries. For each technique, we will provide C++ code demonstrating the […]
Malicious Adversaries Concealed in Windows Memory: A Cyber Security Digital Forensic Approach
Introduction In the relentless battlefield of cybersecurity, malicious adversaries often resort to advanced techniques to evade detection. One such insidious strategy involves hiding within Windows memory, where they can maintain stealth and perpetrate their malevolent activities undetected. In this blog, we will delve into the realm of memory forensics and explore how cyber security analysts […]
Unmasking Malicious Activity with Logman for Windows Event Tracing Analysis
Introduction In the realm of computer forensics, detecting and investigating malicious activities is a paramount challenge. Event Tracing for Windows (ETW) serves as a powerful arsenal for digital investigators, allowing them to log crucial events and unravel suspicious behaviors. In this blog, we will explore how to utilize Logman, a command-line tool for managing ETW sessions, […]
ScareCrow: Unveiling the Technical Intricacies of an Elusive Cyber Threat
Introduction In the ever-evolving landscape of cyber threats, adversaries continuously hone their tactics to infiltrate and exploit vulnerable systems. Among these advanced threats lurks “ScareCrow,” a stealthy and highly sophisticated malware that targets corporate networks and critical infrastructure. Unlike conventional malware, ScareCrow deploys sophisticated evasion techniques, making it a formidable adversary for even the most […]