Jean-Pierre GARNIER

Jul 3, 2021

Driverless and userland Live Forensic with Event Tracing for Windows (ETW) to track suspicious network behaviour

Analysis should not relies only on beautiful dashboards on your SIEM When you talk about incident response and network analysis, you are often confronted with two approaches (which can be sometimes implemented together) : IOC analysis based on whitelists,blacklists, indicators of compromise and technical CTI data, you can compare every IP/domain connection to your indicators and try to find what’s wrong…

Infosec

6 min read

Driverless and userland Live Forensic with Event Tracing for Windows (ETW) to track suspicious…

Feb 8, 2021

Golang for infosec — Building an EDR #Part3 — Registry and Startup folder persistence mechanisms hunting.

When we talk about detecting malware on a compromised system, it is most often a question of looking at the most representative behaviours of a malicious binary. All you have to focus on is usually based on tactics, techniques and procedures (TTPs). TTPs — an acronym that has become THE…

Threat Hunting

7 min read

Golang for computer security — Building an EDR #Part3 — Registry and Startup folder persistence…

Jan 6, 2021

Golang for infosec — Building an EDR #Part2 — YARA rules

In case you missed the first part of this serie, it was to illustrate how to use Go to read in the memory of Windows processes. With the help of Win32 API implementations we now have this valuable content. All that remains is to analyze it. …

5 min read

Golang for computer security — Building an EDR #Part2 — YARA rules

Jan 2, 2021

Golang for infosec — Building an EDR #Part1 —processes memory

Despite all the difficulties of 2020, I enjoy learning new things every day and that’s why I decided to learn Go this year. What could be better than a concrete project to embark on such an adventure and if you want to start, you might as well do it with…

Security

5 min read