Mark R - you sneakymonkey!

Mark R

OSCP 2020 Tips

Completed it mate! 269 days later.... dump of my notes and tips from my recent experience after passing the OSCP exam.

Excel 4.0 Macros - So hot right now...🔥🔥🔥

Excel 4.0 Macros - So hot right now...🔥🔥🔥

Analysis of Excel 4.0 macros and how to triage these .XLS files to gather IOCs from recent ITW samples such as ZLOADER, TRICKBOT and URSNIF.

TRICKBOT - Analysis Part II

trickbot Featured

TRICKBOT - Analysis Part II

Some further TTPs used by TRICKBOT [1] from an infected host that I thought was interesting to share. The sample used here is from an EMOTET to TRICKBOT infection "GTAG:mor14" courtesy of Malware-Traffic-Analysis. 👏👏 Samples Used * C:\Users\AUSER\AppData\Roaming\netcloud\բնութագրվում է.exe * C:\Users\AUSER\AppData\Roaming\

TRICKBOT - Analysis

TRICKBOT - Analysis

Research into how to decode the TRICKBOT config, quickly analyse to provide context and help incident response/blue teams.

blueteam Featured

Blue Team Tips

What are the best recommendations to a completely vulnerable, easily pwnable network? Where do you start? what tools? what logging? #DFIR #BlueTeamTips

Blue Team Basics - Local Admin Password Administration

Blue Team Basics - Local Admin Password Administration

I used to be a Domain Administrator for a large AD deployment. Centralised account and access management was always a struggle so any solution to aid the manageability of administrative credentials is a massive security bonus. I've had several people recommend this solution over the last few months so I'll

GrrCon 2017 DFIR write up - Level 1

GrrCon 2017 DFIR write up - Level 1

#GrrCon 2017 #DFIR #CTF challenge. Several host images and memory dumps need to be analysed and investigated. Submit IOCs as you progress...

CTF / Boot2Root / SickOS 1.2

CTF / Boot2Root / SickOS 1.2

If you've not figured out, this is a write-up and will contain spoilers NOTES Part of my OSCP pre-pwk-pre-exam education path, this is one of many recommended unofficial practice boxes. SickOs 1.2 details (https://www.vulnhub.com/entry/sickos-12,144/). I'm not a professional penetration tester and I'll probably

CTF / Boot2Root / Sick Os 1.1

CTF / Boot2Root / Sick Os 1.1

If you've not figured out, this is a write-up and will contain spoilers NOTES Part of my OSCP pre-pwk-pre-exam education path, this is one of many recommended unofficial practice boxes. SickOs details (https://www.vulnhub.com/entry/sickos-11,132/). I'm not a professional penetration tester and I'll probably fall down

Infosec Newbie

[Updated 20/07/2018] I have recently started a career in Cyber Security / Information Security. My path, somewhat recent might be useful for those just starting out. A few of these guides have cropped up but everyone has a unique path or story. I've met like minded individuals along the

Blue Team Basics - PCAP File Extraction

Blue Team Basics - PCAP File Extraction

A few methods of how to carve data out of PCAPs. Whether this be a single analysis of some network traffic or part of a malware analysis lab. Using Wireshark Ideal for investigating smaller PCAPs but you tend to see a performance slip off after anything over 800MB. 1. Run

GrrCon 2016 DFIR Write up - Part 3

GrrCon 2016 DFIR Write up - Part 3

Level 3 Question 16) What is the maldoc md5hash? Start by using FILESCAN and searching for documents .rtf, .doc, .docx etc... root@ubuntu:~# python volatility/vol.py -f /mnt/hgfs/Shared/Part3/ecorpwin7-e73257c4.vmem --profile=Win7SP1x64 filescan > files.txt root@ubuntu:~# more part3/files.txt | grep .rtf 0x000000007d6b33c0 1 0

GrrCon 2016 DFIR Write up - Part 2

GrrCon 2016 DFIR Write up - Part 2

Level 2 Question 5) What is the password the malware used to enable remote access to the system? From the community Volatility section, download and call the 'editbox' plugin. Also, I didn't know, this is now included by default :) ./volatility_2.5_mac -f win7ecorpoffice2010-36b02ed3.vmem --profile=Win7SP1x64 --plugins=/volplugins/

GrrCon 2016 DFIR Write up - Part 1

GrrCon 2016 DFIR Write up - Part 1

CTF HOMEPAGE https://ir.e-corp.biz/home To start off, get Volatility or a prebuilt vm like SANS SIFT Workstation, they've recommended using the provided Security Onion image. Also, check out the community plugin repo for Volatility. Download CTF files - specifically NSM.zip ** SPOILER ALERT ** Level 1 Question 1)

RaspberryPi NSM

RaspberryPi NSM

Foxhound: Blackbox - A RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack. Suitable for a home 'blackbox' deployment - it will record everything that happens on your network. Use it to detect threats and/or to provide network forensics to a malware lab. Primarily

Multi-phish!

Social engineering is a massive attack vector for both enterprise and home users. A friend received this crafty looking email this morning. Normally, I would just get them to check the link URL, then delete but this phish had used/guessed my name as the purchaser which was even more

Blue Team Basics - Honeynets

Blue Team Basics - Honeynets

Creating a honeynet "All warfare is based on deception....when we are near, we must make the enemy believe we are far away" Sun Tzu, The Art of War Introduction A honeypot or numerous honeypot's (a honeynet) purpose is to gather threat intelligence (TTPs), divert attack efforts and fundamentally detect