BlueteamOps: Spraying the Microsoft Cloud
Adversaries continue to probe and make entry via the cloud perimeter of organisations. Multi-Factor Authentication (MFA) and additional…
4 min read · Jul 9, 2023

BlueteamOps: Secedit and I know it!
First, let's talk a bit about auditpol.exe, previous occasions of it being misused and how security policies get applied to Windows hosts.
6 min read · Nov 24, 2022

BlueteamOps: Supercharging Bulk DFIR triage with Node-RED, Google's Log2timeline & Google's Timesketch
During the COVID19 lockdown period, I spent time creating a rule set to get the most of Google's Timesketch tagging feature. The tagging…
3 min read · Sep 26, 2021

BlueteamOps: RDP Goodies
Remote Desktop Protocol (T1021.001) continues to be one of the most favoured lateral movement techniques used by adversaries. This writeup…
4 min read · Jan 31, 2021

BlueteamOps: Ngrok Tunnels
FireEye's blogpost about MAZE group identifies the use of RDP over Ngrok service as an alternative C2 channel. This article describes…
2 min read · Aug 19, 2020

BlueteamOps: Extracting PowerShell Script Blocks Easily via block-parser
Microsoft-Windows-PowerShell%4Operational.evtx can be used to uncover malicious script usage during DFIR investigations. The Scriptblock…
1 min read · Aug 19, 2020

BlueteamOps: Shimcache Flush!
A cleanup routine that can be performed by threat actors to flush the Shimcache to remove traces of their malicious activities.
1 min read · May 27, 2020