b00010111
b00010111.bsky.social
DFIR BlueTeam
Github: https://github.com/00010111
Not representing my employer (past & present).
A community database, API and collaboration platform to help identify and protect against open-source malware -> opensourcemalware.com #DFIR #blueteam
OpenSourceMalware.com - Community Threat Intelligence
Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.
opensourcemalware.com
February 10, 2026 at 9:09 PM
samplepedia.cc
New, free resource for malware samples to experiment and train.
#dfir
Welcome to Samplepedia
samplepedia.cc
January 6, 2026 at 9:19 PM
Strange, I cannot create a post in bluesky which contains a URL via @openvibe@mastodon.social . Not sure what is causing this.
December 18, 2025 at 7:25 PM
Test to check if bluesky is still working
December 18, 2025 at 6:12 PM
Adaptive Collections in Velociraptor:

docs.velociraptor.app/blog/2025/20... #DFIR
Adaptive Collections in Velociraptor :: Velociraptor - Digging deeper!
Velociraptor Adaptive Collections
docs.velociraptor.app
October 7, 2025 at 10:27 AM
"A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes" #dfir #eventlogs
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
github.com
August 7, 2025 at 8:34 AM
Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit: www.linkedin.com/posts/craigh... #dfir #linux
I wrote up a quick article on the Medusa stealth rootkit on Linux and how to work around and investigate this style of LD_PRELOAD rootkit. | Craig Rowland
www.linkedin.com
July 29, 2025 at 9:29 AM
Hiding Payloads in Linux Extended File Attributes
isc.sans.edu/diary/Hiding...
#DFIR #linux
July 18, 2025 at 5:38 AM
shodan@mastodon.shodan.io: "Check out our new Data Status page for an overview of what Shodan crawlers have collected the past day: data-status.shodan.io "

I am still in the process of deciding which stats frighten me the most...
July 11, 2025 at 9:58 AM
Reposted by b00010111
Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub
Change Log Fixed ODL bug fix FileUsageSynce bug fix
github.com
June 25, 2025 at 12:04 AM
Windows Registry Forensics Cheat Sheet 2025 by Cyber Triage. Potentially worth a look to check your docu against it. www.cybertriage.com/blog/windows... #DFIR #Registry
Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage
Save. This. Post. Our expert staff has compiled an up-to-date and comprehensive Windows Registry forensics cheat sheet, and it might be just what you need
www.cybertriage.com
June 4, 2025 at 6:38 AM
Tool for triage & analysis of ESXi logs:
- Combined timeline of Bash activity, logons and user activity
- Timeline of logon events by type, along with a user/IP logon timeline
- Summary of Bash history, network-tool usage and newly created users

github.com/cudeso/tools... #DFIR #Logs #esxi
tools/qelp-ir-triage-esxi at master · cudeso/tools · GitHub
Different tools, koen.vanimpe@cudeso.be . Contribute to cudeso/tools development by creating an account on GitHub.
github.com
June 3, 2025 at 7:02 AM
Censys on C2 server called the “SCOUT PROJECT,” censys.com/blog/scoutin... #DFIR
Scouting a Threat Actor
censys.com
May 2, 2025 at 10:36 AM
"The Impact of Microsoft's ReFS on DFIR" -> comparing NTFS evidence with ReFS. What stays, what changes and what will be gone. Recommended read! medium.com/@mathias.fuc... #DFIR #ReFS #NTFS #FileSystems
The Impact of Microsoft’s ReFS on DFIR | by Mat Cyb3rF0x Fuchs | Apr, 2025 | Medium
A New File System, New Forensic Challenges
medium.com
April 23, 2025 at 8:44 PM
Reposted by b00010111
My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research
Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...
research.checkpoint.com
April 14, 2025 at 6:17 PM
Sounds very handy:
"Mounting disk images (E01 or raw)
Handling LVM volumes
Automatically identifying and mounting partitions
...
All mount operations are performed read-only, with noexec and other conservative options to preserve evidence integrity."

www.hecfblog.com/2025/04/dail... #DFIR #Linux
Daily Blog #805: Mount That Thing! | Hacking Exposed Computer Forensics Blog
A hacking exposed blog about computer and digital forensics and techniques, exposed dfir incident response file systems journaling by David Cowen
www.hecfblog.com
April 12, 2025 at 12:14 PM
Next noteworthy #breach incoming? Reading some chatter that there are claims of #checkpoint being breached by #coreinjection .
#dfir #threatintel
March 31, 2025 at 8:27 AM
Reposted by b00010111
We are excited to announce that the @volatilityfoundation.org #PluginContest First Place winner is:

Valentin Obst for btf2json

Read the full Contest Results:
volatilityfoundation.org/the-2024-vol...

Congrats to all winners & thank you to all participants!
#DFIR #memoryforensics
The 2024 Volatility Plugin Contest results are in!
Results from the 12th Annual Volatility Plugin Contest are in! We received 6 submissions, from 6 different countries, that included 7 plugins, a Linux profile generation tool, and 9 supporti…
volatilityfoundation.org
March 28, 2025 at 1:54 PM