Posts

MAGNET Virtual Summit 2024 Capture the Flag

I’ve been participating in the MAGNET sponsored Capture the Flag (CTF) events since before being happily employed there. In a way you could say that one helped facilitate the other, but that’s a story for another time. This blog actually started back in 2020 to, among other things, share my write-ups of that year’s CTF.…

CyberPipe version 5.0

The latest update to CyberPipe (the code formerly known as CSIRT-Collect) has been revised to leverage the free triage collection tool, MAGNET Response. As with previous versions it also runs Encrypted Disk Detector, another free tool from MAGNET. Script Functions: * There are collection profiles available for: Prerequisites: The setup is simple. Save the CyberPipe…

Growing Your Malware Corpus

When writing YARA rules or conducting detection engineering, having a test bed (corpus) containing both Goodware and malware files is essential. VX-Underground provides a vast collection of malware samples and papers dating from 2010 to 2023. A Python script helps in recursively extracting and organizing the malware samples for efficient scanning.

Installing REMnux on a MacBook Pro

I had an older MacBook Pro (15-inch, 2.53GHz, Mid 2009) that had been unused for a while as it was no longer getting updates from Apple. It’s one of the Intel chip ones and last ran Monterey. I pulled it out of the closet and decided to give it a refresh by installing REMnux on…

Huntress CTF: Week 4 – Miscellaneous: MFAtigue

MFAtigue For any of these challenges where there’s a download and an online component, I’ll usually start with the files. OK. So how can we get a password if we have access to the ntds.dit and the SYSTEM registry hive? The iredteam.com article looks like a good place to start. There’s a reference to dumping…

Huntress CTF: Week 4 – Forensics: Bad Memory

Bad Memory I spent a bit of time on this trying to get Volatility 2 to work with the Mimikatz plug-in. I was not successful. I was able to run the Volatility hashdump module. I switched to Volatility3 and ran hashdump. For whatever reason the output of Volatility3 was different. The only user besides the…

Huntress CTF: Week 3 – M Three Sixty Five

This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into. The clue is street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation. If I do a search on ‘street’ I…
