Sky Blueteam

Microsoft TTD: A Brief History of Time

From TTD to malware analysis ⏱️

Flare-on 9 write-up

The write up of the annual Flare-on challenge!!!

Reversing eBPF using IDA

We document our journey decompiling eBPF program using Ghidra and Yagi.

Detecting CVE-2022-0847 exploitation

This article is about detecting Dirty Pipe exploitation attempts thanks to eBPF.

Delegate to KRBTGT service

This article describe a new persistence technique in Active Directory that allows to create valid TGT (i.e. have a master key). This technique relies on a Service Account with a Constrained Delegation to the KRBTGT service.

HOWTO use msticpy's process tree with Sysmon?

This post introduces how to render msticpy’s Process Tree with Sysmon telemetry.


Invoke-Bof, testing Cobalt Strike detections the easy way

Recovering some files encrypted by LockBit 2.0

The LockBit 2.0 ransomware is pretty aggressive with the extensions it encrypts: you can say goodbye to your user hives and event log. Or do you?

Welcome Yagi, Yet Another Ghidra Integration for IDA

Are you an IDA fan but wish it could decompile more exotic architectures? Are you a student who wants the joy of using a decompiler but can’t afford Hex-Rays? Yagi is the tool for you! Yagi integrates the Ghidra decompiler in IDA, both Free and Pro version, at zero cost.

Scanning VirusTotal's firehose

We set the crazy objective to extract and push IOC in real-time for a given malware family submitted to VirusTotal. For this blog post, as an example, we will focus on Cobalt Strike.