Just Another Geek

I have been blogging about Information Security since 2003

12 Nov 2021

What if we used Jupyter as a SOAR?

Would it be crazy to use JupyterHub as a Workbench? Could it replace a SOAR?
14 Jul 2021

Detecting Golden Ticket attacks

In this post, I described a new reliable technique to detect Golden Ticket attacks in Active Directory environments thanks to a recent EventID introduced in Windows 10.
01 Apr 2021

Unit-testing the Splunk Processing Language

In my previous post, I declared my undying love for continuous integration and deployment capabilities applied to Detection Engineering. Now, let's put the theory into practice! Today, this post will address the unit-testing part, applied to Splunk.
17 Nov 2020

Decoding C2 Traffic in Python, or HOWTO eat 🍿 during an IR engagement?

When you have the chance to catch an attacker live, it is always a delight to monitor 🍿 and dissect their moves in real time, or even a posteriori. To make it happen, you must have some kind of Full Packet Capture in the first place; then, of course, you need a thorough reverse-engineering of the malware that documents the encoding, fields, and structures. Ok, you have all the materials needed; now how can we transform the pcap into human-readable transcripts? "You just have to parse the application layer." As usual, while it may seem easy in theory, it is a bit more complicated in real life (especially during an Incident Response engagement, so it is better to be prepared!). This post describes my experience writing such dissectors over the last 10 years.
13 Oct 2020

Githubify the SOC

SOCs are currently suffering from their own growth, plagued by poor quality assurance and an extreme fragility to change. This situation used to be the bread and butter of developers in the 90s. Fortunately, the Agile manifesto came out and a new way of working took off. This post describes an alternative way to run the detection pipeline.
13 Jul 2020

Is ProcessID recycling ♻️ on Windows over-rated ?

I have always heard that PID recycling was a thing on Windows and that PIDs should be taken with a grain of 🧂. Are PID collisions the exception or the rule?
22 Jan 2020

hugo't to know how this blog is setup!

This post describes the "behind the scenes" of this blog: a mixture of AWS, hugo and terraform.
06 Jan 2020

Engineering Yara rules

Unless you are an anti-virus vendor, the management of Yara rules quickly becomes messy in a team environment, as everything eventually becomes inconsistent. This post introduces how we tackled these issues...
29 Dec 2019

What has inspired me in 2019?

My last blog post was 8 years ago; I wanted to re-open this blog by giving back to those who inspired me this year.
24 Jan 2012

Linux security in 2011, or my LKML's yearly digest

These are my bookmarks about Linux kernel security in 2011.