This week: investigation, KQL, Windows, OpenCTI, VirusTotal, job search
KC7 platform #
This week I dived into the learning platform KC7. I really enjoyed the format, although it is a little too guided for me; I would like a mode with fewer questions. Still, KC7 is a fantastic resource because it walks through an entire investigation from start to finish, which gives you the big picture. It is not just "phishing = compromise": it shows what you actually do next. I remember being at a CTF where we were supposed to explain how we would compromise a host with phishing, and I couldn't, because it wasn't clear to me how you get from the phishing email to the rest of the attack. A case like Scandal in Valdoria makes that very clear.
I completed the following investigations and learned a lot along the way.
- KC7 - Scandal in Valdoria
- KC7 - Jojo's hospital
- KC7 - Silvo Systems
- KC7 - VirusTotal
- KC7 - Azure Crest Hospital
- KC7 - French socksess
I learned a lot from the VirusTotal course; it's a very good introduction to the tool, with lots of tips.
Investigation #
Even though the KC7 platform takes you by the hand with its questions, it made me realize that without guidance I don't know what to look for: I don't have a solid methodology. As a junior I would probably follow playbooks, but it's still an area I want to improve in.
So I did some research and found some resources, among them this Splunk course, The art of investigation:
There is no one right answer to "investigating" an event. There isn't a single methodology or tool that answers all the questions for any possible scenario. Instead, analysts must rely on different tools, methodologies, investigative skills, and even instincts as they encounter new attacks and threat actors.
The video talk Deconstructing the Analyst Mindset by Chris Sanders.
This paper by Joe Slowik: Formulating a robust pivoting methodology.
A lot of material to dig into :) I'll gather resources and notes on [Investigation resources](link to page)
CTI #
Explored the OpenCTI platform:
- THM: OpenCTI
Windows #
- [x] THM - the last 2 rooms to finish Endpoint Sec Monitoring
- [x] Monday Monitor
- [x] Retracted
Technical writing #
I began reading Google's Technical Writing course. My university background gave me solid fundamentals, but this is a good refresher.
Videos, podcasts, talks #
- Attended an online webinar (a presentation on NotPetya) which was also a meta-presentation about presentation skills. Super interesting in both respects.
- The Microsoft Threat Intelligence Podcast
TIL #
31/03/2025 #
- -ExecutionPolicy Bypass: a PowerShell parameter that bypasses the execution policy restrictions, allowing any script to run regardless of signing or other restrictions.
- Syntax for a scheduled task that runs such a script:

```
schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"
```
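As an added example (my own query, not one from KC7 or any of its cases), here is how the scheduled-task persistence above can be hunted in KQL. It assumes a KC7-style `ProcessEvents` table with the columns `timestamp`, `hostname`, `username`, `parent_process_name`, `process_name` and `process_commandline`; the regexes and the names `task_name`, `script_path` and `task_action` are my own.

```kql
// Added example, not KC7 code. Assumed table: ProcessEvents with
// timestamp, hostname, username, parent_process_name, process_name, process_commandline.
ProcessEvents
| where process_name =~ "schtasks.exe"            // case-insensitive equality
| where process_commandline contains "/create"    // task creation only
// the task runs PowerShell with the execution policy bypassed
| where process_commandline has_all ("powershell", "ExecutionPolicy", "Bypass")
// pull the interesting arguments out of the command line for triage
| extend task_name   = extract(@'/tn\s+"([^"]+)"', 1, process_commandline)
| extend task_action = extract(@'/tr\s+"([^"]+)"', 1, process_commandline)
| extend script_path = extract(@'-File\s+(\S+)', 1, process_commandline)
| project timestamp, hostname, username, parent_process_name, task_name, script_path, task_action
| order by timestamp asc
```

Triage hints: a parent process such as an Office application, a browser, or an unexpected PowerShell host, a script under a world-writable directory like C:\ProgramData, and a task name that is not part of your baseline are the fields worth pivoting on next (for instance into FileCreationEvents for the script path).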
02/04/2025 #
Any file placed in this folder is executed when the user logs on to the device:
%APPDATA%\microsoft\windows\start menu\programs\startup\
03/04 #
- Dnscat2: a tool that can be used for command and control (C2) over the DNS protocol.
- Background Intelligent Transfer Service (BITS) jobs
- Reconnaissance command: wmic product get name (lists installed software)
- Refreshed my memory on the credential dumping tool LaZagne
- KQL lookup operator
04/04 #
- KQL parse_path() and tostring()
- extend
- project
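The following query is an added example of mine (not a KC7 query) that ties the 02/04 and 04/04 entries together: it hunts for files written to the Startup folder and uses `parse_path()`, `tostring()`, `extend`, `project` and `lookup` on the way. It assumes KC7-style `FileCreationEvents` (`timestamp`, `hostname`, `username`, `path`, `filename`, `sha256`, `process_name`) and `Employees` (`username`, `name`, `role`) tables; `startup_dir`, `parsed`, `dir`, `file_ext` and `stream` are names I chose.

```kql
// Added example, not KC7 code. Assumed tables: FileCreationEvents and Employees
// with the columns listed in the lead-in.
let startup_dir = @"\microsoft\windows\start menu\programs\startup\";
FileCreationEvents
| where path contains startup_dir                  // contains is case-insensitive
| extend parsed = parse_path(path)                 // dynamic object: DirectoryPath, Filename, Extension, ...
| extend dir      = tostring(parsed.DirectoryPath), // tostring() turns the dynamic fields into text
         file_ext = tostring(parsed.Extension),
         stream   = tostring(parsed.AlternateDataStreamName)
// enrich each row with who the account belongs to (leftouter keeps rows with no match)
| lookup kind=leftouter Employees on username
| project timestamp, hostname, username, name, role, dir, filename, file_ext, stream, sha256, process_name
| order by timestamp asc
```

Anything that is not a shortcut the user deliberately created (scripts, executables, a non-empty alternate data stream, or a writer process other than explorer.exe) deserves a pivot on the sha256 and on the writing process in ProcessEvents.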
06/04 #
Want to learn more about #
- What are the differences between the types of ransomware? Why are there so many? Are there really so many?
- Volume Shadow Copies