Forensics at Scale: Using Dissect and ELK for Efficient Investigations

The ability to conduct forensic operations at scale is often a challenge. The traditional approach consists of loading a disk image into a tool such as The Sleuth Kit or Plaso and using the tool’s interface to analyse a single evidence file. That works fine, but what about 50 machines? 200? Or even just 10 when you are working alone? Just as a SOC must feed all logs into its SIEM, forensic operators need to centralise all data into a tool that lets them run searches, build dashboards, and so on. ...

April 6, 2026 · NobisD

Who Stole the Szechuan Sauce? - Part 2

In part one, we looked at the technical setup needed to approach this kind of analysis. This time, we are going to walk through the investigation itself, with a question that is a bit more serious than it sounds: did an attacker manage to steal the secret of the famous Szechuan sauce? ...

February 27, 2026 · NobisD

Who Stole the Szechuan Sauce? - Part 1

This is serious: someone may have stolen the secret of Szechuan sauce, a millennia-old and very well-kept mystery. What does it taste like? I have no idea, but we have been tasked with finding out whether that secret was compromised or not. Let’s put ourselves in the shoes of a detective for this investigation. One constraint: we’ll use only the network capture to conduct it. In this article we’ll see how crucial network observation is for understanding an attack, and we’ll learn how to extract and load data with Zeek and Python. ...

February 20, 2026 · NobisD
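As an added example (not code from the NobisD article), here is a minimal, dependency-free Python parser for Zeek's TSV log format, the format the article's Zeek-and-Python extraction step has to load. It reads the `#separator`, `#fields` and `#types` header directives instead of hard-coding column positions, converts values by Zeek type, and maps the unset marker `-` to `None`. The `conn.log` excerpt embedded below is constructed for the example (the IPs, UIDs and byte counts are invented), and the two analytics on top of it are illustrative, not the article's own method.

```python
"""Parse Zeek TSV logs (conn.log style) using the header directives."""
from collections import defaultdict

# Constructed sample conn.log excerpt (not a real capture). Header lines follow
# Zeek's ASCII writer format; '-' marks an unset field.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1600000000.100000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t10.0.0.10\t445\ttcp\tsmb\t12.5\t4096\t1048576\tSF
1600000001.200000\tCmES5u32sYpV7JYN\t10.0.0.5\t51235\t203.0.113.7\t443\ttcp\tssl\t3600.2\t2048000\t5000\tSF
1600000002.300000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51236\t10.0.0.10\t135\ttcp\t-\t-\t-\t-\tS0
1600000003.400000\tCtPZjS20MLrsMUOJi2\t10.0.0.8\t53001\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF
#close\t2020-09-13-12-00-05
"""


def _convert(value, ztype):
    """Convert one field using its Zeek type; '-' (unset) becomes None."""
    if value == "-":
        return None
    if value == "(empty)":
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    # addr, enum, string, bool, set[...] are kept as text here
    return value


def parse_zeek_log(text):
    """Return a list of dicts, one per data row, keyed by #fields names."""
    sep = "\t"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator directive is space-delimited and escaped (\x09)
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, rest = line[1:].partition(sep)
                if key == "fields":
                    fields = rest.split(sep)
                elif key == "types":
                    types = rest.split(sep)
            continue
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append({f: _convert(v, t) for f, v, t in zip(fields, values, types)})
    return records


def bytes_by_responder(records):
    """Total payload bytes (both directions) exchanged with each responder."""
    totals = defaultdict(int)
    for r in records:
        totals[r["id.resp_h"]] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    return dict(totals)


def long_lived_connections(records, min_seconds):
    """UIDs of connections whose duration is at least min_seconds."""
    return [
        r["uid"]
        for r in records
        if r["duration"] is not None and r["duration"] >= min_seconds
    ]


if __name__ == "__main__":
    rows = parse_zeek_log(SAMPLE_CONN_LOG)
    print(f"{len(rows)} connections parsed")
    for host, total in sorted(bytes_by_responder(rows).items(), key=lambda kv: -kv[1]):
        print(f"{host:>15}  {total} bytes")
    print("long-lived:", long_lived_connections(rows, 3600))
```

Reading the header directives rather than assuming column order matters in practice: `conn.log` columns vary with the Zeek version and enabled scripts, and a parser that indexes by position silently misattributes fields when a column is added.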

RPC backdoor: implementing and detecting a backdoor

DCE/RPC (Distributed Computing Environment / Remote Procedure Call) is a protocol that is widely used in enterprise networks, and with good reason: it sits at the heart of Active Directory and Microsoft environments. Microsoft's extensions to it form MSRPC. Note that there are other well-known remote procedure call systems, such as gRPC (Google's implementation), which is built on a modern stack (HTTP/2 + Protobuf). ...

January 22, 2026 · NobisD

Deploying an Active Directory lab with ludus on Proxmox

Having your own lab, whether at work or at home, is the promise of progress: being able to break things and start again, train, develop, and test attacks and tools. However, setting up a lab can be long and tedious. It can take several months to reach a satisfactory result, and even then it will be hard to reproduce. Ludus solves this problem: this Ansible-based tool makes it relatively easy to deploy complex labs on hypervisors. ...

December 29, 2025 · NobisD

Preamble

Welcome to NobisD, a little blog for sharing technical ideas and resources about cybersecurity. There’s no strict editorial line here, just the desire to offer technical, concrete articles, with no bullshit. We’ll be covering topics related to labs, infrastructure, and Active Directory, both offensive and defensive, always with a view to learning and progressing. Feel free to use the RSS feed if, like me, you rely on it to keep up with new posts ;) The rest is coming soon. NobisD

December 15, 2025 · NobisD