Cyber-defense trainings and certifications are incredibly expensive. In a world where SANS charges thousands of bucks for trainings from world-class professionals, Heath Adam’s work via TCM Security is nothing short of ‘amazing’. I’ve been a personal fan of Heath and his continued promise to help beginners in the field progress…

Cross-references, or more commonly referred to as xrefs, are used to identify references (usage/call or declaration) of a particular function, string, variable, etc. …

Now that the intelligence community is finally reaching its due maturity, advisories shared with fellow organizations often contain useful detection use-cases. If we were to travel back a few years, an average analyst would dread the manual conversion of these use-cases into searchable queries for the logging platform or SIEM…

Attackers have long been searching for ways to meddle with the day-to-day operations of an average computer user. It’s no wonder the Microsoft Office suite has been one of the key targets of adversaries to compromise endpoints. What better than to dispatch a seemingly-harmless office document to a rather naive…

The article is a write-up for challenge number one — the Web Server Case — by Ali Hadi on his blog, ‘ashemery.com’. The premise is set to: A company’s web server has been breached through their website. Questions For this investigation, we’re asked to answer the following questions: What type of…

Sysmon, short for System Monitor, is a utility tool developed by Mark Russinovich, as part of the Sysinternals suite. The utility is registered in a Windows box as a system service and a device driver, which in sync, help log activities across the environment to the Windows Event log. …

It’s unfortunate that the Windows Command Prompt, the descendant of the prehistoric command.com from MS-DOS, has no persistent storage of command execution. It does, however, support temporary storage of commands executed in an active session. So, if an attacker proceeds to enumerate other hosts or ex-filtrate data using a console…

Ah, the sweet days of running your memory sample through volatility. It’s not over yet — but Microsoft has done an amazing job at releasing a new service, which can perform a full-blown volatile memory analysis of a Linux system, with special focus on detecting rootkits. Let’s go in a…

Before you get started with the deployment of QRadar in your infrastructure, you need to understand the several components it makes use of to function properly. IBM QRadar SIEM (Security Information and Event Management) features a modular architecture where you can scale its deployment to add on more devices, endpoints…