Posts

Showing posts from July 24, 2022

Leaving No Safe Haven For Commandline Obfuscation (Part One)

The only thing I find more fascinating than digital anti-forensics, obfuscation and defence evasion is coming up with ways to thwart those techniques as they are employed by adversaries in the wild. This is the first of a few posts about ways to detect Windows command line obfuscation using Splunk, but the SPL I include here could be adapted with relative ease into detections for other SIEM tools such as Elastic or Sentinel. Think of this as a chance to look up a magician's sleeve for a little peek at the concealed dove. Before we look at detections, though, we need to define the problem itself: what is command line obfuscation (or "DOSfuscation") and why is it a problem for defenders? I would urge anyone interested in learning more about this topic in depth to check out Wietze Beukema's excellent SANS DFIR talk. If you are following along with ATT&CK, I think this technique is best mapped to T1027, Obfuscated Files or Information. One of t
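To make the problem concrete before the Splunk detections, here is an added example that is not from the post and not the author's SPL: a small Python triage routine that undoes the two cheapest cmd.exe tricks (caret escapes such as `p^o^w^e^r^s^h^e^l^l`, and empty quote pairs such as `p""o""w""e""r`) and flags the presence of `%VAR:~start,len%` substring expansions, which legitimate process command lines rarely carry. The sample command lines, the thresholds and the function names are constructed for illustration; the point is that a detection should count the obfuscation artefacts and also recover a normalised command line, because the normalised form is what you then match your existing rules against.

```python
"""Toy DOSfuscation triage: normalise cmd.exe command lines and score them.

Added illustration, not code from the post. Thresholds and sample
command lines below are constructed assumptions, not tuned values.
"""
import re
from dataclasses import dataclass

# %COMSPEC:~-3,1% style substring expansion: %NAME:~start[,len]%
SUBSTR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?%")
# A pair of double quotes with nothing between them; cmd.exe drops them
# when resolving the command token, so p""o""w becomes pow.
EMPTY_QUOTES_RE = re.compile(r'""')


@dataclass
class Features:
    carets: int
    empty_quotes: int
    substring_expansions: int
    normalised: str


def normalise(cmdline: str) -> str:
    """Apply cmd.exe's caret-escape rule and strip empty quote pairs.

    In cmd.exe a caret escapes the following character, so c^m^d is cmd
    and ^^ is a literal caret. Environment-variable substrings are left
    untouched here because resolving them needs the victim's environment.
    """
    out = []
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^":
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])   # keep the escaped character
                i += 2
            else:
                i += 1                        # dangling trailing caret
            continue
        out.append(ch)
        i += 1
    return EMPTY_QUOTES_RE.sub("", "".join(out))


def extract(cmdline: str) -> Features:
    """Count the obfuscation artefacts present in the raw command line."""
    return Features(
        carets=cmdline.count("^"),
        empty_quotes=len(EMPTY_QUOTES_RE.findall(cmdline)),
        substring_expansions=len(SUBSTR_RE.findall(cmdline)),
        normalised=normalise(cmdline),
    )


def is_suspicious(cmdline: str, caret_threshold: int = 3,
                  quote_threshold: int = 2) -> bool:
    """Assumed thresholds: a single caret (e.g. ^| or ^>) is normal batch
    syntax, three or more in one command line almost never is."""
    f = extract(cmdline)
    return (f.carets >= caret_threshold
            or f.empty_quotes >= quote_threshold
            or f.substring_expansions >= 1)


def flagged(cmdlines):
    """Return the normalised form of every command line that trips a rule."""
    return [normalise(c) for c in cmdlines if is_suspicious(c)]


# Constructed sample process command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "cmd.exe /c dir C:\\Users",                              # benign
    "cmd /c echo 1 ^> out.txt",                              # benign, one caret
    "c^m^d^.^e^x^e /c p^o^w^e^r^s^h^e^l^l -nop",             # caret insertion
    'cmd /c "p""o""w""e""r""s""h""e""l""l" -w hidden',       # empty quote pairs
    "cmd /c %COMSPEC:~-3,1%cho hi",                          # substring expansion
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        f = extract(line)
        print(f"{'SUSPICIOUS' if is_suspicious(line) else 'ok        '} "
              f"carets={f.carets:2d} quotes={f.empty_quotes:2d} "
              f"substr={f.substring_expansions} -> {f.normalised}")
```

Counting artefacts in the raw string and matching rules against the normalised string are two separate detections on purpose: the first catches the obfuscation itself, the second catches the `powershell -nop` that the obfuscation was hiding, and an adversary has to defeat both.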

I'll be presenting at the first BSides Dundee

I'll be presenting at BSides Dundee on August 6th, discussing the entire history of ransomware in only 25 minutes. I've learned a lot doing the research for the talk. So much of what we understand about the history of hacking seems to be the same somewhat random selection of events, written up with mistakes and incorrect assumptions and then copied and pasted across dozens and dozens of blogs, news articles and academic papers forever, without anyone revisiting the primary sources from the time the events actually happened. What was the first webshell to be written? Who was the victim of the first DDoS? What was the first computer virus discovered in the wild? Look any of this up online and you'll find either wildly conflicting answers or no information at all; we are not good at documenting our own history. Anyway, that's my rant over. I look forward to giving this talk and hope to see some of you in attendance!