
Daily Blog #779: Sunday Funday 3/16/25

 


Hello Reader, 

We've been bouncing around topics a lot and I realized I haven't had a Linux challenge in quite some time. This week let's see your work as you document all of the logs and artifacts left behind not just from SSH'ing into a Linux system but also from creating a tunnel between the two systems.

The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 3/21/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize.


The Challenge:

What are all of the artifacts left behind on a Linux system (both server and client) when someone authenticates via SSH and creates an SSH tunnel?

Daily Blog #778: Solution Saturday 3/15/25

 


Hello Reader,

I guess 'Vibe Coding' isn't a thing for all of you! No winners this week. I'll get tomorrow's challenge back to the blog's regular focus and look forward to seeing your contributions.

 

The Challenge:

Pick an unsupported DFIR project of your choice and bring it back to life! Add new features and make it work on modern systems. While you are not required to 'vibe code' (AI coding) in this instance, it's fully encouraged! Send me links to writeups or GitHub repos when you're done!

 

The Winning Answer:

None


Daily Blog #777: Forensic Lunch Test Kitchen 3/14/25

 


Hello Reader,

Tonight Evan and I tried to fix the workflow and fix some bugs in our CloudTrail log explorer. We had some successes and some failures and ended with the idea that we need a better set of prompts to redefine the problem. We rolled back some changes but made some progress in the end. 

 

Daily Blog #776: Forensic Lunch Test Kitchen 3/13/25

 


Hello Reader,

Tonight on the 'vibe stream' Evan and I added AWS SSO credential support to our AWS CloudTrail explorer script. It led us into some interesting rabbit holes and ended with us realizing we should get GitHub commits ready before trying to tweak our workflow.

 


 

Daily Blog #775: An Azure log entry to look for when a threat actor is in

 




Hello Reader,

One of the trends I've been noticing when a threat actor first gets into Azure or Microsoft 365 accounts is that they will immediately look to see how many other third-party services they can access from that account. This allows them to expand their reach into additional services, clouds and systems without needing any additional credentials. Within Azure this is called 'My Apps' and you can reach it by clicking on your user profile picture in the upper right hand corner and then clicking on My Apps on the bottom left as shown below.


 When you click on 'My Apps' you'll then see the list of integrated apps your user has been provisioned for:


As you can see here my user has been provisioned for SSO access into AWS, which means that with this one compromised account I could pivot into AWS with the same credentials. For larger enterprises there can be a large number of these applications available, all allowing authentication with my existing credentials.


To see this in the logs go to Entra ID and then Sign-in Logs and you can see the user's accesses to My Apps as shown below.


So the next time you are working an Azure incident, make sure to keep an eye out for My Apps access and then you can begin the long process of determining how many apps you are going to have to review to determine total impact.
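As an added triage example (not code from the blog post), here is a small Python script that walks exported Entra ID sign-in records, finds each account's first access to the My Apps portal, and lists which integrated apps that same account signed in to shortly afterwards, i.e. the apps you will need to review for pivot activity. It assumes the export uses the createdDateTime, userPrincipalName, appDisplayName and ipAddress fields and that the portal is logged with appDisplayName "My Apps"; the records themselves are constructed sample data.

```python
"""Triage helper: find Entra ID sign-ins to the My Apps portal and list the
apps the same account signed in to within a short window afterwards.
Assumptions (not taken from the blog post): records use the Entra sign-in
export field names createdDateTime, userPrincipalName, appDisplayName and
ipAddress, and the portal is logged as appDisplayName "My Apps".
"""
from datetime import datetime, timedelta, timezone

MYAPPS_NAME = "My Apps"  # assumed display name of the My Apps portal

# Constructed sample sign-in records (not real log data).
SIGNINS = [
    {"createdDateTime": "2025-03-10T14:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-03-10T14:05:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "My Apps", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-03-10T14:07:02Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "AWS Single-Account Access", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-03-10T14:09:15Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Salesforce", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-03-10T16:30:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-03-10T15:00:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "198.51.100.7"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sign-in export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def myapps_pivots(records, window_minutes=30):
    """Return {user: sorted apps signed in to within window_minutes after that
    user's first My Apps access}. Users who never opened My Apps are omitted;
    the My Apps entry itself is not counted as a pivot."""
    ordered = sorted(records, key=lambda r: parse_ts(r["createdDateTime"]))
    first_myapps = {}
    for rec in ordered:
        if rec["appDisplayName"] == MYAPPS_NAME:
            first_myapps.setdefault(rec["userPrincipalName"], parse_ts(rec["createdDateTime"]))
    window = timedelta(minutes=window_minutes)
    pivots = {user: set() for user in first_myapps}
    for rec in ordered:
        user = rec["userPrincipalName"]
        if user not in first_myapps or rec["appDisplayName"] == MYAPPS_NAME:
            continue
        ts = parse_ts(rec["createdDateTime"])
        if first_myapps[user] <= ts <= first_myapps[user] + window:
            pivots[user].add(rec["appDisplayName"])
    return {user: sorted(apps) for user, apps in pivots.items()}
```

Run against a real export by loading the JSON list into SIGNINS; a user who appears with an empty list opened My Apps but has no follow-on app sign-ins yet, which still deserves a look.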

 

 

Daily Blog #774: Forensic Lunch Test Kitchen 3/11/25

 


Hello Reader,

Tonight Evan and I were 'vibe debugging', trying to get the models to fix their own code. We were successfully able to get it to fix issues with the storage of the configuration file, but we left the stream being unable to start a memory capture process. Tune in tomorrow for more!

 

 

Daily Blog #773: Sandpiper Trade Secrets and Cyber Dallas 2025

 


Hello Reader,

Just an announcement that I'll be moderating a panel on legal cybersecurity issues on March 26, 2025. I'll be joined by my colleague Jonathan Rajewski and a host of inside and outside counsels as well as the Honorable Ada Brown. If you are interested or just want to learn more please click this link to read about it and register. 


https://www.crai.com/insights-events/events/49021/

Daily Blog #772: Sunday Funday 3/9/25


 

Hello Reader,

It's Sunday! This week's challenge is vibing. If you haven't heard about 'vibe coding' it's what Evan and I have been doing in our streams, letting the AI do all the coding and just 'vibing' along. This week I want to see you resurrect old unmaintained tools and see what you can do with them!


The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 3/14/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize.


The Challenge:

Pick an unsupported DFIR project of your choice and bring it back to life! Add new features and make it work on modern systems. While you are not required to 'vibe code' (AI coding) in this instance, it's fully encouraged! Send me links to writeups or GitHub repos when you're done!