
Windows 10 is equipped with a mechanism to automatically enable Microsoft Defender Antivirus after rebooting, even if it is set to be disabled.

This mechanism generally helps to protect the device, but for security researchers, there are times when they want to disable it, such as when analyzing malware, verifying…

ImHex is a relatively new hex editor, released in December 2020, for reverse engineers, programmers and people who value their eyesight when working at 3 AM.

Here are some useful sites for getting a quick overview of Advanced Persistent Threat (APT) groups, starting from an APT group name or a malware name.

Threat Group Cards: A Threat Actor Encyclopedia

An APT encyclopedia published by ThaiCERT around 2019/06. It is very useful for looking up an APT group from a group name or a malware name.

I made a script that automatically installs EXIST, a cyber threat intelligence aggregation and analysis system, together with MISP.

Introduction

Analysis Article

Effect of activity deletion on ActivitiesCache.db

Tools

Update History

  • 2019/10/05 New.
  • 2020/03/03 Revised.

I made this list from my tweets (April to September 2019).


DFIR

A quick set of anomalies to look for to identify a compromised Linux system

https://www.linkedin.com/pulse/quick-set-anomalies-look-identify-compromised-linux-system-b-/
15 Linux commands ready to try.

Threat hunting using DNS firewalls and data enrichment | blog.redteam.pl

https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html
Useful content based on the author’s experience.

AmCache Analysis | Agence nationale de la sécurité des systèmes d’information

https://www.ssi.gouv.fr/en/publication/amcache-analysis/
ANSSI report on AmCache’s usefulness for forensics.

NTFS Journal Forensics — YouTube

https://www.youtube.com/watch?v=1mwiShxREm8

I used several evidence collection tools for fast forensics to see what the differences were. I checked their functionality mainly from the viewpoint of dumping files. The following table shows the results in a Windows environment.
(*1, *2, *6).

Result (In the Windows environment)
  • *1: What can be obtained without changing the setting.
  • *2…

Sysmon

Sysmon — Windows Sysinternals | Microsoft Docs

Sysmon (version 10.0 and later) supports logging DNS queries, so I tried to get the logs. I checked this procedure with Windows 10 on VMware.

Sysmon Installation Instructions

  • Download Sysmon from the official site.
  • Extract the files to a folder of your choice.
  • Launch a command prompt with…
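The excerpt stops before the configuration and the actual install command, so here is an added example of the whole procedure, written by the editor rather than taken from the original post: a minimal Sysmon configuration that turns on DNS query logging (Event ID 22), the install step, and a query that reads the resulting events back. The folder `C:\Tools\Sysmon`, the file name `sysmon-dns.xml` and the use of `Sysmon64.exe` are assumptions; adjust them to where you extracted the download.

```powershell
# Added example (not the original author's configuration). Paths are assumptions.
# Run from an elevated PowerShell prompt; Sysmon installation requires administrator rights.
$sysmonDir  = 'C:\Tools\Sysmon'
$configPath = Join-Path $sysmonDir 'sysmon-dns.xml'

# Minimal configuration: schema 4.22 is the version that introduced the DnsQuery
# event. "onmatch=exclude" with no rules inside means nothing is excluded,
# i.e. every DNS query made on the host is logged.
$config = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding ASCII

$sysmon = Join-Path $sysmonDir 'Sysmon64.exe'
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    # Sysmon is already installed: only reload the configuration.
    & $sysmon -c $configPath
} else {
    # Fresh install with the configuration above.
    & $sysmon -accepteula -i $configPath
}

# Generate a query so there is something to look at, then read Event ID 22 records.
Resolve-DnsName -Name 'example.com' -Type A -ErrorAction SilentlyContinue | Out-Null

Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
             -FilterXPath '*[System[EventID=22]]' -MaxEvents 10 |
    ForEach-Object {
        # Event data is XML; flatten the <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Image   = $data['Image']        # process that issued the query
            Query   = $data['QueryName']    # name that was looked up
            Results = $data['QueryResults'] # resolved addresses, if any
        }
    } | Format-Table -AutoSize
```

Two caveats worth knowing before relying on this: Event ID 22 is noisy on a normal workstation, so on anything other than a lab box add `<QueryName condition="end with">` exclude rules for known-good domains instead of the empty rule above; and the DNS telemetry Sysmon reads from is only available on Windows 8.1 and later, so this event does not appear on Windows 7 hosts.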

Here’s a list of images that might be appropriate when you think “I want to learn forensics, but I don’t have an image to analyze.” I am preferentially collecting images that come with scenarios and answers.

The list includes many PC disk images, but also memory images, network packets, mobile phone and drone image…

A vulnerability (CVE-2019-12735) was disclosed on 2019/06/04 that could allow arbitrary code execution via modeline when vim opens a specially crafted text file. Vim < 8.1.1365 …

soji256

Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256]
