Sky Blueteam
From TTD to malware analysis ⏱️
The write up of the annual Flare-on challenge!!!
We document our journey decompiling eBPF program using Ghidra and Yagi.
This article is about detecting Dirty Pipe exploitation attempts thanks to eBPF.
This article describe a new persistence technique in Active Directory that allows to create valid TGT (i.e. have a master key). This technique relies on a Service Account with a Constrained Delegation to the KRBTGT service.
This post introduces how to render msticpy’s Process Tree with Sysmon telemetry.
Invoke-Bof, testing Cobalt Strike detections the easy way
The LockBit 2.0 ransomware is pretty aggressive with the extensions it encrypts: you can say goodbye to your user hives and event log. Or do you?
Are you an IDA fan but wish it could decompile more exotic architectures? Are you a student who wants the joy of using a decompiler but can’t afford Hex-Rays? Yagi is the tool for you!
Yagi integrates the Ghidra decompiler in IDA, both Free and Pro version, at zero cost.
We set the crazy objective to extract and push IOC in real-time for a given malware family submitted to VirusTotal. For this blog post, as an example, we will focus on Cobalt Strike.