b00010111
b00010111.bsky.social
DFIR BlueTeam
Github: https://github.com/00010111
Not representing my employer (past & present).
Adaptive Collections in Velociraptor:

docs.velociraptor.app/blog/2025/20... #DFIR
Adaptive Collections in Velociraptor :: Velociraptor - Digging deeper!
Velociraptor Adaptive Collections
docs.velociraptor.app
October 7, 2025 at 10:27 AM
"A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes" #dfir #eventlogs
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
github.com
August 7, 2025 at 8:34 AM
Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit: www.linkedin.com/posts/craigh... #dfir #linux
I wrote up a quick article on the Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit. | Craig Rowland
www.linkedin.com
July 29, 2025 at 9:29 AM
Hiding Payloads in Linux Extended File Attributes
isc.sans.edu/diary/Hiding...
#DFIR #linux
July 18, 2025 at 5:38 AM
shodan@mastodon.shodan.io: "Check out our new Data Status page for an overview of what Shodan crawlers have collected the past day: data-status.shodan.io "

I'm still in the process of deciding which stats frighten me the most.....
July 11, 2025 at 9:58 AM
Reposted by b00010111
Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub
Change Log: Fixed ODL bug; FileUsageSync bug fix
github.com
June 25, 2025 at 12:04 AM
Windows Registry Forensics Cheat Sheet 2025 by Cyber Triage. Potentially worth a look to check your docu against it. www.cybertriage.com/blog/windows... #DFIR #Registry
Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage
Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need
www.cybertriage.com
June 4, 2025 at 6:38 AM
Tool for triage & analysis of ESXi logs:
- Combined timeline of Bash activity, logons and user activity
- Timeline of logon events by type, along with a user/IP logon timeline
- Summary of Bash history, network-tool usage and newly created users

github.com/cudeso/tools... #DFIR #Logs #esxi
tools/qelp-ir-triage-esxi at master · cudeso/tools · GitHub
Different tools. Contribute to cudeso/tools development by creating an account on GitHub.
github.com
June 3, 2025 at 7:02 AM
Censys on a C2 server called the “SCOUT PROJECT”: censys.com/blog/scoutin... #DFIR
Scouting a Threat Actor
censys.com
May 2, 2025 at 10:36 AM
"The Impact of Microsoft’s ReFS on DFIR" -> comparing NTFS evidence with ReFS. What stays, what changes and what will be gone. Recommended read! medium.com/@mathias.fuc... #DFIR #ReFS #NTFS #FileSystems
The Impact of Microsoft’s ReFS on DFIR | by Mat Cyb3rF0x Fuchs | Apr, 2025 | Medium
A New File System, New Forensic Challenges
medium.com
April 23, 2025 at 8:44 PM
Reposted by b00010111
My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research
Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...
research.checkpoint.com
April 14, 2025 at 6:17 PM
Sounds very handy:
"Mounting disk images (E01 or raw)
Handling LVM volumes
Automatically identifying and mounting partitions
...
All mount operations are performed read-only, with noexec and other conservative options to preserve evidence integrity."

www.hecfblog.com/2025/04/dail... #DFIR #Linux
Daily Blog #805: Mount That Thing! | Hacking Exposed Computer Forensics Blog
A hacking exposed blog about computer and digital forensics and techniques, exposed dfir incident response file systems journaling by David Cowen
www.hecfblog.com
April 12, 2025 at 12:14 PM
Next noteworthy #breach incoming? Reading some chatter that there are claims of #checkpoint being breached by #coreinjection.
#dfir #threatintel
March 31, 2025 at 8:27 AM
Reposted by b00010111
We are excited to announce that the @volatilityfoundation.org #PluginContest First Place winner is:

Valentin Obst for btf2json

Read the full Contest Results:
volatilityfoundation.org/the-2024-vol...

Congrats to all winners & thank you to all participants!
#DFIR #memoryforensics
The 2024 Volatility Plugin Contest results are in!
Results from the 12th Annual Volatility Plugin Contest are in! We received 6 submissions, from 6 different countries, that included 7 plugins, a Linux profile generation tool, and 9 supporti…
volatilityfoundation.org
March 28, 2025 at 1:54 PM
Reposted by b00010111
I started exploring OneDrive’s FileUsageSync.db. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive.

https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html
MALoney (It's in the name): OneDrive Microsoft.FileUsageSync.db
I recently started to look into the Microsoft.FileUsageSync.db . The database can be found in %localappdat...
malwaremaloney.blogspot.com
February 21, 2025 at 5:53 PM
Reposted by b00010111
I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc…
Pretty much everything except the body. More to come. 🤔 #DFIR
February 19, 2025 at 4:13 AM
I'll definitely have a look at BruteShark.
Seems to be a nice addition to the toolset for network analysis/forensics.
Would be great if the network graphics feature works with filters (it might, I have not checked yet). Graphics for the report = win
https://github.com/odedshimon/BruteShark #DFIR
GitHub - odedshimon/BruteShark: Network Analysis Tool
Network Analysis Tool. Contribute to odedshimon/BruteShark development by creating an account on GitHub.
github.com
February 3, 2025 at 10:26 AM