Tech Help

Introduction I found that with the 1001 options for "SOC As A Service" companies, and "contract incident response", many client companies still don't understand why use them outside of a compliance check. Some companies seem to have them on retainer but refuse them any ability to act, just to notify and it may or may not be dealt with ever. It's really weird when companies want to secure their data and do secure business using that data, but not actually do the work around securing their data. I think it's the age old adage with IT that "passing the buck" is the default, then only with training and awareness do people want to take responsibility for their own security.  Then on the other side, these soc as a service companies themselves don't always provide training, understanding, or really anything more than a templated write up of the incident back to the company. That write up may contain details and even actions around what needs to ha...

     So, I made a yara rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated + file directory listing enabled) cloud storage buckets. I decided only recently to see if I could do some public hunting with these. One possibility was on hybrid analysis. After just a few days, I have 9 detections already found.       The YARA rule is hosted on my github ( https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar ) but basically it's like this (notations added for this post): rule phishingKits3 {     meta :       description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets."       author = "ferasdour"     strings :       $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery       $s2 = "https://code.jquery...

Introduction      I recently asked what tutorials I should do, and the first response that made sense to do was to write a how-to for making a lab environment. Because this is a tech blog, I think it's safe to assume this meant tech lab, or even hacking lab, not like science lab or something too crazy like that, though those are also things that probably could use a how-to these days. Generally, labs like this would be made to test new ideas, technologies, or techniques. When used for hacking labs, its usually the same with a gearing towards exploitation, with malware analysis, the same geared towards understanding the malware. So, lets go through some basic setups, the requirements for them, then follow that up with a dive into ways we can expand on that as well for different variations.       To do this, we're going to be using virtualization and containers, as this will provide us the widest range of capabilities for what we want to do. I'm going to...

Introduction      I recently found myself in need of a live wordpress system to install and test various tools against, as well as test for and validate exploits. So as part of my lab setup series, I'm going through a quick step-by-step version of configuring a quick wordpress lab.     This lab uses containers to make this an easily followed process and simplicity sake. If your specific lab needs a virtual or dedicated machine to run your testing, this may not be the ideal place to start. Either way, challenging myself to do some tutorials, so lets get into this!  Requirements:      So, there are a few requirements expected before this lab can be ran, though this should be generally cross platform: docker (or docker desktop) docker-compose an attacker system/container (in my example, I had curl, wpscan and greenbon/openvas installed on a separate container that I used to test against this) Steps: 1. To start with, just simple docker-compose f...