
Sky Blueteam

Using Nix to set up a reproducible forensics environment

How we use Nix to build a reproducible forensics analysis environment, and how it differs from more traditional approaches such as Docker or manual package installation. We highlight the challenges of keeping setups consistent across different machines and analysts, and how Nix solved that for us. As a bonus, Nix lets us carry our forensics environment onto untrusted machines with little effort.

Microsoft TTD: A Brief History of Time

From TTD to malware analysis ⏱️

Flare-on 9 write-up

Our write-up of the annual Flare-on challenge!

Reversing eBPF using IDA

We document our journey decompiling an eBPF program in IDA with the Ghidra decompiler, via Yagi.

Detecting CVE-2022-0847 exploitation

This article is about detecting Dirty Pipe (CVE-2022-0847) exploitation attempts using eBPF.

Delegate to KRBTGT service

This article describes a new persistence technique in Active Directory that allows an attacker to forge valid TGTs (i.e. the equivalent of holding a master key). The technique relies on a service account configured with constrained delegation to the KRBTGT service.

HOWTO use msticpy's process tree with Sysmon?

This post introduces how to render msticpy’s Process Tree with Sysmon telemetry.

Invoke-Bof

Invoke-Bof: testing Cobalt Strike detections the easy way.

Recovering some files encrypted by LockBit 2.0

The LockBit 2.0 ransomware is pretty aggressive in the file extensions it encrypts: you can say goodbye to your user hives and event logs. Or can you?

Welcome Yagi, Yet Another Ghidra Integration for IDA

Are you an IDA fan who wishes it could decompile more exotic architectures? Are you a student who wants the joy of using a decompiler but can’t afford Hex-Rays? Yagi is the tool for you! Yagi integrates the Ghidra decompiler into IDA, both the Free and Pro versions, at zero cost.