Sending an entire network through a VPN
For the longest time I’ve run my own Pihole DNS server, with its upstream DNS resolvers set to the two OpenDNS anycast IP addresses. I do this because it gives …
Automating Security and Threat Hunting
Favicons are the little icons that appear on the tab of your web browser when visiting most websites. They’re small image files, usually PNG data served with the extension ‘.ico’. While generally …
I used data from the (now defunct) malware wiki and cyber.nj.gov to create this timeline, which I keep up to date when possible. The timeline is generated using timeline.knightlab.com. The …
I’m always looking for IOCs (Indicators of Compromise – domains, IP addresses, and more) in my work. This means I hunt for and download a lot of malware to analyze. …
Cuckoo Sandbox is a fantastic open source tool used to manage virtual machines and analyze malware in bulk, providing easy-to-understand post-analysis results. However, it’s a bit dated at …
When looking at phishing emails, I am interested primarily in: To get to those, you have to open the email. This can be done by literally opening it and manually …
Let’s say you have a bunch of domains along with their registration date in a text file that looks like this: and you want a way to view that information …
When threat hunting, putting information on a map can be useful at times. In most cases, maps are used as eye candy, but provide little valuable information. However, there are …
Emotet started out as a banking trojan around 2014, but has evolved to (primarily) deliver ransomware via malicious emails (malspam). Infections occur either via malicious scripts in web pages or …
Some security products that detect phishing URLs in an email modify the URL so it’s not easy to click on. One example of a product that does this is the …