BlueteamOps: Spraying the Microsoft Cloud (Jul 9, 2023)
Adversaries continue to probe and make entry via the cloud perimeter of organisations. Multi-Factor Authentication (MFA) and additional…

BlueteamOps: Secedit and I know it! (Nov 24, 2022)
First, let's talk a bit about auditpol.exe, previous occasions of it being misused, and how security policies get applied to Windows hosts.

BlueteamOps: Supercharging Bulk DFIR triage with Node-RED, Google's Log2timeline & Google's Timesketch (Sep 26, 2021)
During the COVID19 lockdown period, I spent time creating a rule set to get the most out of Google's Timesketch tagging feature. The tagging…

BlueteamOps: RDP Goodies (Jan 31, 2021)
Remote Desktop Protocol (T1021.001) continues to be one of the most favoured lateral movement techniques used by adversaries. This writeup…

BlueteamOps: Ngrok Tunnels (Aug 19, 2020)
FireEye's blogpost about the MAZE group identifies the use of RDP over the Ngrok service as an alternative C2 channel. This article describes…

BlueteamOps: Extracting PowerShell Script Blocks Easily via block-parser (Aug 19, 2020)
Microsoft-Windows-PowerShell%4Operational.evtx can be used to uncover malicious script usage during DFIR investigations. The Scriptblock…

BlueteamOps: Shimcache Flush! (May 27, 2020)
A cleanup routine that can be performed by threat actors to flush the Shimcache to remove traces of their malicious activities.