Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 3 – Network Analysis and Tooling)

April 25, 2023

In the first two installments of this series, we identified that the key to successful incident preparation is making sure a solid incident triage process is in place, centralized analysis documentation is created, and the incident communication cadence has been solidified. This, in conjunction with a well-oiled rapid triage Windows artifact processing plan, allows analysts…


Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 2 – Incident Assessment and Windows Artifact Processing)

April 20, 2023

In Part 1 of this series, we identified that there are three (3) key parts to successful incident preparation: ensuring that a solid incident triage process is in place, creating centralized analysis documentation, and solidifying incident communication. In Part 2 of this series, I will delve into the process of thoroughly evaluating the incident, explore…


Incident Response Rapid Triage: A DFIR Warrior’s Guide (Part 1 – Process Overview and Preparation)

April 18, 2023

In this series, I will be discussing how to handle an incident with the speed and precision of a DFIR warrior. With a rapid triage mindset, you’ll be able to assess the situation quickly and efficiently, just like a Jiu-Jitsu practitioner sizing up their opponent before delivering a devastating submission. You will have the tools…


On the Road to Detection Engineering

April 11, 2023

Introduction

People have asked numerous times on Twitter, LinkedIn, Discord, and Slack, “Leo, how do I get into Detection Engineering?” In this blog, I will highlight my unique experience, some learning resources you might want to get your hands on (all free or low cost), and extras that have helped me overall. I’m currently a…


What You Need to Know About SBOM

March 30, 2023

What is an SBOM?

A Software Bill of Materials (SBOM) is a hierarchical, itemized list of all dependencies, their version numbers, and provenance for a given piece of software. It may also include other data, such as the license type or details about which database to query for vulnerability disclosure. SBOMs are not restricted to…


Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

March 17, 2023

Threat Overview

Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of…


Red vs. Blue: Kerberos Ticket Times, Checksums, and You!

March 14, 2023

This blog post was co-authored with Charlie Clark of Semperis.

Introduction

At SANS Pen Test HackFest 2022, Charlie Clark (@exploitph) and I presented our talk ‘I’ve Got a Golden Twinkle in My Eye’, whereby we built and demonstrated two tools that assist with more accurate detection of forged tickets being used. Although we demonstrated…


Getting Analysis Practice from Windows Event Log Sample Attacks

March 7, 2023

Throughout my career as an Incident Responder, one of the most invaluable skillsets I have had to draw on has been analysis of Windows event logs. These event logs are an invaluable source of information to forensic practitioners, as they are crucial in determining the cause of events during computer security incidents. Windows event logs…

BOFs for Script Kiddies

February 16, 2023

Introduction

I hope I don’t sound like a complete n00b, but what or who or where is a BOF? All the cool kids are talking about it, and I just smile and nod. Is he the newest Crypto billionaire, or is it a meetup for like-minded hackers, or is it some other 1337 slang? I understand…

ESXiArgs: The code behind the ransomware

February 8, 2023

Deep Dive into an ESXi Ransomware

TrustedSec’s Nick Gilberti wrote a great blog covering the ESXi ransomware’s shell script here. However, in this blog, we are going to dive a little deeper into the code behind this ransomware. The sample ransomware discussed was acquired from VirusTotal and the BleepingComputer forum. The following is a…
