Have you ever responded to an incident where you are required to look for sticky notes attached to your computer? Limited documentation was maintained for Windows Sticky Notes artifacts. …

HoneyPot attempts to offer a reliable indicator of compromise with little to no setup or maintenance costs. It could also provide a wealth of data in terms of the TTPS of the attackers which could be used for further data analysis. There are tons of honeypot options out there, most…

A systematic way of identifying clear text password in Windows Share Drive — Clear text password stored in your enterprise environment is always one of the biggest enemies to internal IT security team. …

This is my first-time on SANS Holiday Challenge. Thank you SANs team giving us such a fun and enjoyable challenges in xmas. I have learnt a lot from different objectives and here is the summary of the challenges. Santa’s Castle in North Pole In this year Kringlecon, we were brought to Santa’s Castle in North…

A real-life use case of local administrative activities monitoring by applying TF-IDF on char extraction — Introduction Monitoring of user activities performed by local administrators is always a challenge for SOC analysts and security professionals. Most of the security framework will recommend the implementation of a whitelist mechanism. However, the real world is often not ideal. You will always have different developers or users having local administrator…

A use case of detecting abnormal user login via machine learning — SOC analysts are often the first responder to cyber threats. The day to day job of a soc analyst is to hunt the malicious events from thousands of legit events. However, most of us, like myself, are often struggling with “what” we should start with once after we have used…

A use case of how we could enable machine learning in cyber security — This article is a record that documents the use cases I developed to enable anomaly detection via Machine Learning which could aid the incident response/blue team analysis. For the background of this research, you could take a look here. The first use case I will illustrate here is to detect…

Having started the role as a incident responder/SOC analyst for quite a while now, I have read a lot of blue team blog to learn how to be a better threat hunter and decided I should setup this blog to share my 2 cent to the community as well. As…