Just Another Geek

I have been blogging about Information Security since 2003

13 Mar 2023

Investigation scenario: New SQLServer on an AWS Webserver

Chris Sanders proposed the following scenario: One of your web servers hosted in the Amazon cloud launched a new process named sqlserver.exe. What do you look for to investigate whether an incident occurred?
04 Mar 2023

Investigation scenario: No User-Agent in the proxy logs

Chris Sanders proposed the following scenario: Proxy logs indicate a host on your network made a few HTTP requests with no User-Agent string (the field is empty). What do you look for to investigate why this is happening and whether an incident has occurred?
16 Dec 2022

HOWTO build a robust CLI application using Cookiecutter, click and Nix

TIL how to build a CLI tool that won't break at the next upgrade
12 Nov 2021

What if we used Jupyter as a SOAR?

Would it be crazy to use JupyterHub as a Workbench? Could it replace a SOAR?
14 Jul 2021

Detecting Golden Ticket attacks

In this post, I describe a new, reliable technique to detect Golden Ticket attacks in Active Directory environments, thanks to a recent Event ID introduced in Windows 10.
01 Apr 2021

Unit-testing the Splunk Processing Language

In my previous post, I declared my undying love for continuous integration and deployment capabilities applied to Detection Engineering. Now, let's put the theory into practice! This post addresses the unit-testing part, applied to Splunk.
17 Nov 2020

Decoding C2 Traffic in Python, or HOWTO eat 🍿 during an IR engagement?

When you have the chance to catch an attacker live, it is always a delight to monitor 🍿 and dissect their moves in real time, or even after the fact. To make it happen, you must have some kind of Full Packet Capture in the first place, and then, of course, you need a thorough reverse-engineering of the malware that documents the encoding, fields, and structures. OK, you have all the materials needed; now how can we transform the pcap into human-readable transcripts? "You just have to parse the application layer." As usual, while it may seem easy in theory, it is a bit more complicated in real life (especially during an Incident Response engagement, so it is better to be prepared!). This post describes my experience writing such dissectors over the last 10 years.
13 Oct 2020

Githubify the SOC

SOCs are currently suffering from their own growth, plagued by poor quality assurance and extreme fragility to change. This situation used to be the bread and butter of developers in the 90s. Fortunately, the Agile manifesto came out and a new way of working took off. This post describes an alternative way to run the detection pipeline.
13 Jul 2020

Is ProcessID recycling ♻️ on Windows overrated?

I have always heard that PID recycling was a thing on Windows and that PIDs should be taken with a grain of 🧂. Are PID collisions the exception or the rule?
22 Jan 2020

hugo't to know how this blog is set up!

This post describes the "behind the scenes" of this blog: a mixture of AWS, hugo and terraform.