How we use Nix to create a reproducible forensics analysis environment, and how it differs from more traditional methods, such as Docker or manual package installation. We will highlight the challenges of maintaining consistent setups across different machines and analysts, and how we used Nix to fix that. As a bonus, Nix allows us to transfer our forensics environment to untrusted machines easily.

From TTD to malware analysis ⏱️

The write up of the annual Flare-on challenge!!!

We document our journey decompiling eBPF program using Ghidra and Yagi.

This article is about detecting Dirty Pipe exploitation attempts thanks to eBPF.

This article describe a new persistence technique in Active Directory that allows to create valid TGT (i.e. have a master key). This technique relies on a Service Account with a Constrained Delegation to the KRBTGT service.

This post introduces how to render msticpy’s Process Tree with Sysmon telemetry.

Invoke-Bof, testing Cobalt Strike detections the easy way

The LockBit 2.0 ransomware is pretty aggressive with the extensions it encrypts: you can say goodbye to your user hives and event log. Or do you?

Are you an IDA fan but wish it could decompile more exotic architectures? Are you a student who wants the joy of using a decompiler but can’t afford Hex-Rays? Yagi is the tool for you! Yagi integrates the Ghidra decompiler in IDA, both Free and Pro version, at zero cost.