security

Collections

Hunting for Persistence in Linux

Data Analysis for Cyber Security 101

Blog Posts

Nov 15, 2025 | APPLESCRIPT, MACOS, MALWARE, MALWARE ANALYSIS
Script Confusion: Playing with AppleScripts hidden in Named Forks

Exploring how we can use a legacy feature of AppleScript to hide payloads in other AppleScripts, images, and files.
Nov 11, 2025 | APPLESCRIPT, MACOS, MALWARE
MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper

A look at how threat actors are abusing AppleScript .scpt files to deliver macOS malware, from fake documents to browser update lures, and how these scripts can still run despite Gatekeeper protections.
Feb 7, 2022 | MITRE, PERSISTENCE, THREAT HUNTING, SYSMON, AUDITD
Hunting for Persistence in Linux (Part 5): Systemd Generators

How attackers can insert backdoors early in the boot process using systemd generators
Feb 6, 2022 | MITRE, PERSISTENCE, THREAT HUNTING, SYSMON, AUDITD
Hunting for Persistence in Linux (Part 4): Initialization Scripts and Shell Configuration

How attackers create can maintain persistence by inserting scripts and executables in special locations that will run on boot or logon
Jan 30, 2022 | MITRE, PERSISTENCE, THREAT HUNTING, SYSMON, AUDITD
Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron

How attackers use newly created and existing accounts for peristence and how to detect them.
Nov 23, 2021 | MITRE, PERSISTENCE, THREAT HUNTING, SYSMON, AUDITD
Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation

How attackers use newly created and existing accounts for peristence and how to detect them.
Nov 22, 2021 | MITRE, PERSISTENCE, THREAT HUNTING, SYSMON, AUDITD
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)

An introduction to monitoring and logging in linux to look for persistence. With examples how to setup and detect web shell backdoors.
Aug 10, 2021 | SUPPLY CHAIN ATTACK, RED TEAM, DEFCON
DEFCON 29 Red Team Village CTF Writeup: Supply Chain Attack

Writeup of the supply chain attack portion of the Red Team Village Finals CTF of DEFCON 29
Jun 5, 2021 | CVE, AIRFLOW, EXPLOITDB
POC Exploit from a CVE: Apache Airflow 1.10.10 RCE

This is a quick overview of the process of how to write a POC exploit from reported RCE vulnerability in Apache Airflow
Aug 11, 2020 | BLUE TEAM, THREAT HUNTING, DEFCON
DEFCON 28 OpenSOC Blue Team CTF: Lessons and Tips

Review of the DEFCON 28 OpenSOC Blue Team CTF Finals and some tips and lessons for future participants and beginners
Jun 12, 2020 | PHISHING, U2F, AUTHENTICATION
U2F with Duo Web Phishable by default

Without changes to evilginx, we can bypass U2F on Duo with default configurations. This is an analysis of how implementation and configuration of U2F can lead to a scenario where U2F/WebAuthn does not protect you against phishing attacks (until hostname whitelisting is enabled)
May 28, 2020 | PHISHING, CRYPTO
Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack

How to deploy a phishing attack on LastPass users, even when they are protected with Yubikey physical keys. This is to appreciate what is U2F and why it is important. I will also give an overview of how LastPass encrypts and handles your vault
Apr 26, 2020 | NETWORK MONITORING, SECURITY-101
Data Analysis for Cyber Security 101: Detecting Lateral Movement

Use network flow logs to detect lateral movement. An introduction to lateral movement and outlier detection for cybersecurity.
Oct 8, 2019 | NETWORK MONITORING, SECURITY-101
Data Analysis for Cyber Security 101: Detecting Data Exfiltration

Using network flow data to create basic alerts to detect data theft