=========================
== Eduardo Robles Site ==
=========================
Hello World 🌮

Quick, Easy, Malware Investigations and Threat Hunting

Bsides Austin 2024
This is my talk for BSIDES Austin 2024.
Malware Investigations
Why do internal malware analysis?
Existing tools: VirusTotal, JoeSandbox, etc. Protect sensitive information from third parties. Freedom from reliance on one tool or platform.
Malware is scary and dangerous, so put it in a box (container)
Malware is scary. Malware is dangerous. So it’s best to analyze it in a “contained” environment.
Virtual Machines
Containers (Docker, Podman, etc.)
Working with Malware Samples
Safely moving malware around to analyze it later can be daunting.
Read more...

Easy DFIR Tools and Methods

Phishing Email Analysis
ClamAV
ClamAV is great for scanning for malware, but it can also scan .eml files, including email attachments. Use the --debug flag for more info on the scan.
  clamscan sample.eml
Continued
You can also use ClamAV to scan any suspicious file.
  clamscan sample.zip
Investigating a malicious link
To investigate a link I use a REMnux container, which offers so many awesome tools. I will cover THUG and Automater.
Read more...

On the Practice of Multifactor Authentication

The basics
MFA is basically putting an extra step, an extra barrier, in front of logging into an app or website. This extra step is what creates security. It does not prevent attacks or stop attacks. But what it does do is simple: it makes it harder for someone to hack you.
The struggle
Doing extra work is never fun. No one likes to do the extra work. I don’t like doing extra work.
Read more...

Ansible for Cybersecurity Work - Part 1

Is it DevSecOp, SecDevOps, OpsSecDev?
The infosec field is full of buzzwords now, more so with the explosion of automation and AI. Luckily, I am not easily fooled by the buzzwords and look for the real meat and bones. So when I was tasked with automating some tasks at work, I jumped into an interesting technology called Ansible. Ansible is a cross-platform automation tool. It relies on setting up a secure connection to an endpoint, and then Ansible handles executing tasks on the system.
Read more...

Ansible for Cybersecurity Work - Part 2

Learning to Authenticate
WinRM has 2 components: Communication and Authentication. Like with SSH, you establish a connection, then you authenticate on the endpoint. In the previous post I wrote about setting up a WinRM listener over HTTPS. Now we have to set up authentication; luckily, Windows offers several options for authentication. But keep in mind that not all are secure, nor are all supported with the type of account you would like to use. In other words, if you want to authenticate with Kerberos, forget about using a local account.
Read more...

Wins and Fails in Streaming Music with Emacs

Emacs Multimedia System (EMMS)
My preferred media player in Emacs is EMMS. Think of EMMS as a stackable playlist media player. EMMS out of the box does not actually play music. It relies on an “external” player like MPV, VLC, or MPlayer. This is where this journey takes an interesting turn. Under Linux my EMMS setup is pretty straightforward. Below is my config:
  (emms-all)
  (emms-standard)
  (emms-default-players)
  (setq emms-player-list '(emms-player-vlc)
        emms-info-functions '(emms-info-native)
        emms-show-format "Playing: %s")
I call EMMS, state that I want to use EMMS’s standard list of players, and include VLC in the list of players installed on my system.
Read more...

TAGITM Regional Summit 2024

2024 TAGITM South Texas Regional Summit
The Digital Force Awakens: Mastering Threat Hunting in the Cyber Galaxy
I had the pleasure of attending the TAGITM Regional Summit on Threat Hunting and Digital Forensics. The Summit focused on enhancing the skills of the Texas cybersecurity workforce. The last few years have been rough for many Texas companies and governmental agencies. The rise in ransomware and cyberattacks has increased the need for these types of events.
Read more...

Containers for Malware Analysis

Tools make the job
Having the right tools at hand can make any job a breeze. It is also helpful to have a good working knowledge of the tools you use. In this case, containers like Docker or Podman are easily deployable in my work environment. So I decided to leverage the fact that REMnux offers Docker containers. This makes running powerful tools for small jobs extremely easy. I have been using this approach recently with much success for analyzing malicious links.
Read more...

Conducting Cybersecurity Investigations in Emacs

Emacs + Orgmode + Cybersecurity = Winning
I work as a Cybersecurity Analyst and I use Emacs as my primary note-taking application. Naturally, I have developed some techniques and writing practices around my work, and the use of Emacs aids in the process. I think the power of Emacs and Orgmode is a winning combination for the type of work I do. So let me share with you some of the templates I created that help me get work done!
Read more...

Cyber Work Templates by Me!

The obvious approach
I use Emacs + Org-mode for my note-taking workflow as a Cybersecurity Analyst. Emacs is my geeky cred at my job, plus it is genuinely useful. So one day, when working on taking some repetitive notes on an incident, I had a bright idea. Why don’t I just create a few templates that speed up my workflow?
A demonstration of my workflow for capturing notes on an incident:
  Incident --> Get Data --> Investigation --> Capture Templates --> Notes
Expanding the approach
Once I became comfortable with the approach of my capture templates, I expanded them to use the full power of Emacs and Org-mode!
Read more...