What is Cyberchef? Cyberchef is a tool I learned about toward the end of 2024. Since then I began using it more and more. CyberChef was developed by GCHQ and is the Cyber Swiss Army Knife web app for encryption, encoding, compression and data analysis. In the end it proved to extremely useful for Forensic Analysis and Incident Response investigations. You can use the free version online but if you want to run it in your environment you can. Read more...

Bsides Austin 2024 This is my talk for BSIDES Austin 2024 Malware Investigations Why do internal malware analysis? Existing tools Virustotal, JoeSandbox, etc. Protect sensitive information from 3rd parties. Freedom from reliance on one tool or platform. Malware is scary and dangerous, put in a box (container). Malware is scary. Malware is dangerous. So it’s best to analyze in a “contained” environment. Virtual Machines Containers (Docker, Podman, etc) Working with Malware Samples Safely moving malware around to later analyze can be daunting. Read more...

Phishing Email Analysis ClamAV ClamAV is great to scan for malware but also can scan eml files including email attachments. Use the --debug flag for more info on the scan. clamscan sample.eml Continued You can also use ClamAV to scan any suspicious file. clamscan sample.zip Investigating a malicious link To investigate a link I use a REMnux container which offers so many awesome tools. I will cover THUG and Automater. Read more...

The basics MFA is basically putting an extra step, an extra barrier to login into an app or website. This extra step is what creates security. It does not prevent attacks or stop attacks. But what it does do is simple: it makes it harder for someone to hack you. The struggle Doing extra work is never fun. No one likes to do the extra work. I don’t like doing extra work. Read more...

Is it DevSecOp, SecDevOps, OpsSecDev? The infosec field is full of buzzword now more so with the explosion of automation and AI. Luckily, I am not easily fooled by the buzzword and look for the real meat and bones. So when I was tasked with automating some tasks at work I jumped into an interesting technology called Ansible. Ansible is a tool for automation that is cross platform. It relies on setting up a secure connection to an endpoint and then Ansible handle executing tasks on the system. Read more...

Learning to Authenticate WinRM has 2 componets: Communication and Authentication. Like with SSH, you establish a connection then you authenticate on the endpoint. In the previous post I wrote about setting up WinRM Listener over HTTPS. Now we have to setup Authentication luckily Windows offers serveral options for Authentication. But keep in mind not all are secure nor are supported with the type of account you would like to use. In other words if you want to authenticate with Kerberos forget about using a Local Account. Read more...

Emacs Multimedia System (EMMS) My preferred media player in Emacs is EMMS. Think of EMMS as a stackable playlist media player. EMMS out of the box does not actually play music. It relies on a “external” player like MPV, VLC, or MPLAYER. This is where this journey takes an interesting turn. Under Linux my EMMS setup is pretty straightforward. Below is my config: (emms-all) (emms-standard) (emms-default-players) (setq emms-player-list '(emms-player-vlc) emms-info-functions '(emms-info-native) emms-show-format "Playing: %s") I call EMMS, state I want to use EMMS standard list of players and include VLC in the list of players installed on my system. Read more...

2024 TAGITM South Texas Regional Summit The Digital Force Awakens: Mastering Threat Hunting in the Cyber Galaxy I had the pleasure of attending the TAGITM Regional Summit on Threat Hunting and Digital Forensics. The Summit focused on enhancing the skills of Texas cybersecurity workforce. The last few years have been rough for many Texas companies and governmental agencies. The rise in ransomware and cyberattacks has increased the need for these type of events. Read more...

Tools make the job Having the right tools at hand can make any job a breeze. It is also helpful to have a good working knowledge of the tools you use. In this case running containers like Docker or Podman are easily deployable in my work environment. So I decided to leverage the fact that REMnux offers Docker containers. This makes running powerful tools for small jobs extremely easy. I have been using this approach recently with much success for analyzing malicious links. Read more...

Emacs + Orgmode + Cybersecurity = Winning I work as a Cybersecurity Analyst and I use Emacs as my primary note taking application. Naturally I have developed some techniques and writing practices around my work and the use of Emacs aids in the process. I think the power of Emacs and Orgmode are a winning combination for the type of work I do. So let me share with you a some of the templates I created that help me in getting work done! Read more...