NerdCulture

7 posts7 participants0 posts today

G0rb<a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> a.k.a. Learning by Burning

cyb_detectiveDIGITAL FORENSICS GUIDELong and detailed guide for beginners:- Digital Forensics Tools, Libraries, and Frameworks- Virtualization- File systems- Security Tools and Frameworks- Networking<a href="https://github.com/mikeroyal/Digital-Forensics-Guide" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/mikeroyal/Digital-Forensics-Guide</a>Contributor x.com/MikeR256 <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a>

Alexis Brignoni :python: :donor:The buttons have to be pressed but that is just the start, not the end.Trust no tool. Thinking is a non optional requirement.Great read: <a href="https://www.dutchosintguy.com/post/the-slow-collapse-of-critical-thinking-in-osint-due-to-ai" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.dutchosintguy.com/post/the-slow-collapse-of-critical-thinking-in-osint-due-to-ai</a><a href="https://infosec.exchange/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://infosec.exchange/tags/MobileForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MobileForensics</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:What do you look for to investigate whether an incident occurred and its extent?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Volexity :verified:In the course of its investigations, <a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@volexity</a> frequently encounters malware samples written in Golang. This reflects the increase in popularity of the Golang generally, and presents challenges to reverse engineering tools.   Today, <a href="https://infosec.exchange/@volexity" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@volexity</a> is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. <a href="https://infosec.exchange/@r00tbsd" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@r00tbsd</a> & Killian Raimbaud presented details at INCYBER Forum earlier today.   GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!   Check out the blog post on how GoResolver works and where to download it: <a href="https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/</a>   <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/reversing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#reversing</a> <a href="https://infosec.exchange/tags/malwareanalysis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malwareanalysis</a>

13reak :fedora:Security tips of the day:<ul><li>logs only need to be stored 3 days, that's enough to cover a weekend</li><li>if you don't store backups, you also don't need to restore them</li><li>having less internal defenses decreases how long an attack takes, so you're back online faster</li><li>domain-join everything (especially firewalls and backups) to decrease dwell time of attackers</li><li>antivirus logs should never be monitored to reduce workload of analysts</li><li>never publish vulnerabilities: if no one knows about them, no one can exploit them ever.</li></ul>For more security tips, follow my Tesla account.<a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#security</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/aprilfools" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#aprilfools</a> <a href="https://infosec.exchange/tags/april1" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#april1</a> <a href="https://infosec.exchange/tags/april1st" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#april1st</a>

G0rbEs gibt einfach eine negative Korrelation zwischen der Größe des "Vertraulich"-Schriftzugs auf dem Cover und der Qualität des selbigen Forensikreports.<a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

RDP Snitch2025-03-28 RDP <a href="https://infosec.exchange/tags/Honeypot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Honeypot</a> IOCs - 181569 scans Thread with top 3 features in each category and links to the full dataset <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSec</a>Top IPs: 138.199.24.6 - 91545 156.146.57.110 - 42849 156.146.57.52 - 10716Top ASNs: AS60068 - 93561 AS212238 - 64269 AS135161 - 10653Top Accounts: hello - 181455 Test - 33 eltons - 15Top ISPs: DataCamp Limited - 93561 Datacamp Limited - 64269 GMO-Z.COM PTE. LTD. - 10653Top Clients: Unknown - 181569Top Software: Unknown - 181569Top Keyboards: Unknown - 181569Top IP Classification: hosting & proxy - 160374 hosting - 10710 Unknown - 10440Pastebin links with full 24-hr RDP Honeypot IOC Lists: <a href="https://pastebin.com/BiF6s8Jh" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://pastebin.com/BiF6s8Jh</a><a href="https://infosec.exchange/tags/CyberSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSec</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a> <a href="https://infosec.exchange/tags/Blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Blueteam</a> <a href="https://infosec.exchange/tags/SecOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SecOps</a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Security</a>

Mike ShewardMini Blue Team Diaries story: There was a break-in over the weekend at one of our US offices. We occupied one floor of a shared office building, and two crooks managed to get in by going to an open floor above ours and breaking a lock on the fire escape.Rather brilliantly, a building security guard was doing rounds and actually caught the pair stuffing iPads from conference rooms into a rucksack. However, when challenged they claimed to be employees and were left alone.Anyway they ended up with about a half dozen iPads from Zoom rooms. Annoying but not the end of the world.Those iPads were clearly sold on, as they were connected to an MDM server and started to pop up in locations all over the city over the course of the next week.One of them was especially interesting. Because it was connected to our MDM Apple ID, it was syncing files to iCloud. This included photos. We noticed a lot of selfies of one particular dude show up. The dude looked a lot like one of the guys who we’d seen in our office on our security cameras. Yup.We of course passed on all the information, including the location of the selfie generating iPad, to law enforcement.I wish there was a more interesting ending - but they never followed up on the lead, of course. So the iPads lived on, slowly filling up with various photos and memories from the crook and the people they’d been sold on to.Read more, slightly less mini stories, at infosecdiaries.com<a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/InfoSecDiaries" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfoSecDiaries</a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlueTeam</a>

G0rb<a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> Webserver-Logs of Edge-Devices are really helpful sometimes.Same with SMB-Server-Security Logs and EventID 551.

Chris Sanders 🔎 🧠Investigation Scenario 🔎You’ve received an alert derived from a Sigma rule indicating a short name path was used in the command line.Sigma Rule Source: <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml</a>What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

G0rbGot my first Thai-Massage. Best 50€ investment since purchasing a <a href="https://infosec.exchange/@malcat" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@malcat</a> Full-License.<a href="https://infosec.exchange/tags/selfcare" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfcare</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a>

EastySeen a lot of hype about this Trend Micro blog, but im not sure I can get on board with it. The whole thing seems a bit of a stretch. Whether there are blank characters or line breaks doesn't change how the technique works, its only prevents a user easily spotting it via the lnk file The push on zero day, vulnerability, 1000s of instances across multiple 'APTs' is a bit much and comes across as marketing hype too. <a href="https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html</a><a href="https://infosec.exchange/tags/incidentresponse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#incidentresponse</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a>

Hal PomeranzFun Linux DFIR question for you! You're looking at your SSH logs and you find a root login using pubkey auth:2025-03-20T07:44:00-0400 labpc sshd[15420]: Accepted publickey for root from 10.1.1.5 port 46698 ssh2: ED25519 SHA256:6ynkM0+FOrHtoQlkPOOQ415tvRGdBaBEMs2KWtGB1BoThere are multiple keys in /root/.ssh/authorized keys. How can you tell which one was used for this login?<a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Linux</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a>

G0rbI hope all these european <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> Teams start analyzing all these american APTs. Could get interesting pretty fast :ablobcatlurk: Especially when virustotal belongs to an american company.

Forensic FocusHow can we create a healthier, more supportive environment for DFIR professionals handling difficult content every day? <a href="https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/</a> <a href="https://dfir.social/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://dfir.social/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://dfir.social/tags/mentalhealth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mentalhealth</a>

Niels HeinenIt's just crazy how phpmyadmin mass exploitation remains popular (read: effective) to this day. The only developments I have seen in these exploit attempt is that the list of locations that are checked for phpmyadmin installations gets longer and more creative. Other than that: pretty boring stuff<a href="https://infosec.exchange/tags/honeypot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#honeypot</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a>

Forensic FocusSupporting DFIR professionals helps retain talent and avoids the high cost of turnover. <a href="https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/</a> <a href="https://dfir.social/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://dfir.social/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://dfir.social/tags/mentalhealth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mentalhealth</a>

Forensic FocusHow can we proactively support mental resilience in DFIR before challenges take a toll? <a href="https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/</a> <a href="https://dfir.social/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://dfir.social/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://dfir.social/tags/mentalhealth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mentalhealth</a>

Forensic FocusHeavy cases? Try closing your DFIR workday with lighter tasks to protect your mental health. What’s your go-to routine? <a href="https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.forensicfocus.com/podcast/protecting-investigators-dr-michael-bourke-on-building-a-healthier-dfir-community/</a> <a href="https://dfir.social/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://dfir.social/tags/DigitalForensics" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DigitalForensics</a> <a href="https://dfir.social/tags/mentalhealth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mentalhealth</a>

Recent searches

Search options

Administered by:

Server stats:

#dfir