Jul 3, 2021

Driverless and userland Live Forensic with Event Tracing for Windows (ETW) to track suspicious network behaviour

Analysis should not relies only on beautiful dashboards on your SIEM

When you talk about incident response and network analysis, you are often confronted with two approaches (which can be sometimes implemented together) :

IOC analysis based on whitelists,blacklists, indicators of compromise and technical CTI data, you can compare every IP/domain connection to your indicators and try to find what’s wrong…

Golang for infosec — Building an EDR #Part3 — Registry and Startup folder persistence mechanisms hunting.

When we talk about detecting malware on a compromised system, it is most often a question of looking at the most representative behaviours of a malicious binary. All you have to focus on is usually based on tactics, techniques and procedures (TTPs).

TTPs — an acronym that has become THE…

Golang for infosec — Building an EDR #Part2 — YARA rules

In case you missed the first part of this serie, it was to illustrate how to use Go to read in the memory of Windows processes. With the help of Win32 API implementations we now have this valuable content. All that remains is to analyze it. …

Golang for infosec — Building an EDR #Part1 —processes memory

Despite all the difficulties of 2020, I enjoy learning new things every day and that’s why I decided to learn Go this year. …

Driverless and userland Live Forensic with Event Tracing for Windows (ETW) to track suspicious network behaviour

Analysis should not relies only on beautiful dashboards on your SIEM

Golang for infosec — Building an EDR #Part3 — Registry and Startup folder persistence mechanisms hunting.

Golang for infosec — Building an EDR #Part2 — YARA rules

Golang for infosec — Building an EDR #Part1 —processes memory

Jean-Pierre GARNIER