Tech Help

Lets Talk Hacking First Hacking comes in many shapes colors and sizes these days. It could be a single system being taken over by malware, or it could be a cloud account that has access to 20 systems, development keys, and ability to reset other users credentials. There is a wide range of ways to gain access to information in today's modern infrastructure landscape. Some of the more common types is system and account compromise. Both can lead to each other given the right scenarios, and sometimes neither is necessary for compromise of information. Such as a website that has an exploit which leaks information it shouldn't. Finding evidence of these may come in various flavors as well. Such as an antivirus detection alerting but not quarantining, or a network detection tool flagging a suspicious pattern of callback-like activity. In both of these example cases, you'd want to further investigate. In this post, we'll walk through doing this under the system compromise persp...

GCFE I often see where people took or are taking certifications and list how they went through the materials. So lets do one of those posts. Here's the latest thing I'm working on passing. I already have worked in DFIR (Digital Forensics & Incident Response) and have other GIAC Certifications (GREM), but I found many people don't find that suitable for evidence of forensic capabilities and have since started demanding certifications such as GCFE and GCFA. As google show it 'GCFE is often seen as intermediate, while GCFA is considered advanced or the "gold standard"'. That said, reviewing older versions of Sans500 course work, I think there's some nuances that trip me up and I definitely got caught up with while taking the practice tests.  So basically, when you sign up for course and test together (like $10k USD, its insanely expensive that companies expect you to already have this instead of being willing to fund someone getting it) you get the ab...

Defense Penetration Testing (Pentests)      Many pentesting firms have done this for a while now so there's nothing new here, but I'd like to show you why and how pentests can be performed by shipping a raspberry pi (small, single board computer) and letting your staff power it on or setting it up to be left there. But before we do that, lets discuss why this would ever be a thing. There is a number of problems that arise that merit this sort of working as a defacto/standard operating mechanism and it only makes sense to offer the same.  Problem 1: "Scheduling/We can't perform testing during work hours"      Often employers won't have a way to get people to unlock the doors for you after hours and stay with you to perform testing, including wifi, physical, or internal pentesting techniques. This is the most common reason to say "okay well we can setup a laptop and leave it there".  This would work great for many reasons, because then they have all...

     When casually doing what I like to do and scanning the open air for fun and profit, I found something rather peculiar.       In today's world an unencrypted wireless network is pretty rare as it allows risks of spoofing, mitm, and various exploitation techniques which may be hard to defend against in courts. Many businesses offering wifi to it's customers stopped doing so because they couldn't maintain appropriate logging to prove when someone did something they shouldn't or which user it was. Captive portals weren't very affective and that was before iam services like keycloak were popular. So to see one in 2026 seemed a little bit wild.     When anything is "open" the data is shared unencrypted over the air. This can be sniffed and accessed by anyone passing by, and in the right, or I guess wrong, scenarios it can actually be mitm or spoofed without actually associating to the wifi network. This was the premise that created wep, then w...

  Much props to ImHex (https://imhex.werwolv.net/) for the awesome tool. Thanks for reading Watching! If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at  FeemcoTechnologies .

Introduction I found that with the 1001 options for "SOC As A Service" companies, and "contract incident response", many client companies still don't understand why use them outside of a compliance check. Some companies seem to have them on retainer but refuse them any ability to act, just to notify and it may or may not be dealt with ever. It's really weird when companies want to secure their data and do secure business using that data, but not actually do the work around securing their data. I think it's the age old adage with IT that "passing the buck" is the default, then only with training and awareness do people want to take responsibility for their own security.  Then on the other side, these soc as a service companies themselves don't always provide training, understanding, or really anything more than a templated write up of the incident back to the company. That write up may contain details and even actions around what needs to ha...

     So, I made a yara rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated + file directory listing enabled) cloud storage buckets. I decided only recently to see if I could do some public hunting with these. One possibility was on hybrid analysis. After just a few days, I have 9 detections already found.       The YARA rule is hosted on my github ( https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar ) but basically it's like this (notations added for this post): rule phishingKits3 {     meta :       description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets."       author = "ferasdour"     strings :       $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery       $s2 = "https://code.jquery...