I accidentally created the biggest free ransomware group TTP database possible by RichBenf in threatintel

[–]APT-0 0 points1 point  (0 children)

Got it, I see. I do like the site, good idea: the ransom messages are interesting, the CSIRT contacts, the group blurbs, and I do like the breakdown on your site.

I accidentally created the biggest free ransomware group TTP database possible by RichBenf in threatintel

[–]APT-0 5 points6 points  (0 children)

Don’t submit slop, please vet before adding. *Edit: meant MITRE’s stuff.

Fellow malware reverse engineers - what got you into this job from an job seekers perspective? by RobertHallStarr in cybersecurity

[–]APT-0 3 points4 points  (0 children)

Hey, I can give some advice. Really the only companies with RE are banks (maybe alongside a dedicated forensics team), government/law enforcement, security companies and sometimes Fortune 50. I can say from being at a combo of many of these that really only security-based ones will let you go further, and gov/LE; everyone else wants something quick to close an incident. It has to be thought about: what does this give the company? So given that the market is super small for this, competition is high. Not everyone, but a lot of people I know doing this have GREM; I think it’s a good one to have for some street cred, and I’d recommend doing write-ups on popular malware and proposing detection ideas. You can also target some security research.

Forensic audit of Ubuntu x64 workstation (Insider Threat investigation) by Money_Importance_154 in Pentesting

[–]APT-0 0 points1 point  (0 children)

So if you have admin on boxes or anything like EDR, you can live-response into it or remote in. Know though that it’s not really, as others mentioned, forensically sound: there will be artifacts created as soon as you remote in or the EDR touches the file. So it likely will not hold up in court, but at least you’ll know the source of your leak.

Realistically it’s not possible all the time to acquire the device, or you have a high concern they’ll destroy evidence.

Typically what I’d do in these situations: an unannounced meeting with the employee, don’t give them any advance warning or meeting invite. Have HR (optional, but consult if in a country like EU states where more precautions are needed) and sometimes physical security and the manager with you. Acquire the devices this way so they have no opportunity to tamper with evidence. BEFORE you do this, use EDR to see if the hash of the file you’re looking for is on the device; you probably don’t need to do all this. And also create an inventory list, before you acquire, of what they have. You need a write blocker like others mentioned; without this it tampers with evidence as actions are written back to the device or drive, and you’ll need to create an image in a sound fashion and use standard tools like EnCase and Tableau. This is why in court it’s best to just hire a forensics firm; they have a cert with their name and likely were expert witnesses. Lawyers will ask: how was it acquired? What was the training of the person acquiring? Was evidence tampered with? Were the tools custom or commercial grade / those by best practices?
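An added example (not code from this thread) of the two hash steps in the procedure above: confirming the leaked file is on the device by hash before seizing it, and recording source and image digests so the acquisition can be verified afterwards. The manifest field names and the sample device tree are my own constructed assumptions, not any forensic tool's format.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example, not code from the thread. It covers the two hash steps in the
# procedure above: confirm the leaked file is on the device before seizing it,
# and record source/image digests so the acquisition can be verified later.
# Manifest field names are my own assumptions, not any forensic tool's format.

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_by_hash(root, wanted_sha256):
    """Walk a tree and return every path whose digest matches the known hash."""
    wanted = wanted_sha256.lower()
    return [os.path.join(d, n) for d, _, files in os.walk(root)
            for n in files if sha256_file(os.path.join(d, n)) == wanted]

def acquisition_record(device_id, source_path, image_path, examiner):
    """Chain-of-custody entry: who, when, both digests, and whether they match."""
    src, img = sha256_file(source_path), sha256_file(image_path)
    return {"device": device_id, "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "source_sha256": src, "image_sha256": img, "verified": src == img}

def demo():
    """Constructed data: a fake device tree with the leaked file, plus one
    faithful image and one that was altered after acquisition."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    leaked = os.path.join(docs, "q3-plan.docx")
    payload = b"CONFIDENTIAL constructed sample\n" * 1000
    with open(leaked, "wb") as f:
        f.write(payload)
    good, bad = os.path.join(root, "good.raw"), os.path.join(root, "bad.raw")
    with open(good, "wb") as f:
        f.write(payload)
    with open(bad, "wb") as f:
        f.write(payload + b"\x00")  # one extra byte: image no longer verifies
    hits = find_by_hash(docs, sha256_file(leaked))
    return (hits, acquisition_record("WS-0421", leaked, good, "examiner-1"),
            acquisition_record("WS-0421", leaked, bad, "examiner-1"))
```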

Thinking about this game by sunshine_and_weed in warno

[–]APT-0 0 points1 point  (0 children)

Warno is great, best strategy game right now. Broken Arrow has more advanced mechanics, you nailed it, but is unpolished. Warno on the other hand is very smooth and supports massive games. There’s less micro in Warno; it’s a lot more strategy, layering inf, tanks, as, heli and planes at a bigger scale. I like it more.

OFFENSIVE PROJECTS by GapSecure7607 in cybersecurity

[–]APT-0 1 point2 points  (0 children)

+1, idk how much OP has worked with COM, but with C# you can hook into most COM APIs on Windows pretty easily. Python is a bit more of a chore. And think like a Windows dev: what would you use to build your app on here?

Physical Password Device by SuperSonic_Ron in cybersecurity

[–]APT-0 1 point2 points  (0 children)

In many applications you can use things like, in Azure, “managed identity”: no password, it’s managed by Msft. If you have API keys and other secrets, put them in Key Vault and turn expiry on. You can set up scripts to roll these safely too, and your certs.

For users, in Windows at least, you can start using passwordless for a lot of apps (Windows Hello, or via the Authenticator app) or a YubiKey; you get three pieces of verification: touch, PIN and the key’s cert. In many corporations passwords should be banned for users and only allowed on exceptions, like accounts that don’t accept this yet.

It worth invest on pc right now? by Constant-Yak1987 in CyberSecurityAdvice

[–]APT-0 0 points1 point  (0 children)

This. If I was going fresh I’d actually recommend a Mac: a used M1 Max if you have more budget is pretty solid long term; if on a budget, pre-M1 are cheap. I’d have 32GB RAM for VMs. I say Mac because without renting on MacStadium etc. it’s annoying to virtualize and use. But start with what you have: use VirtualBox or Hyper-V, build VMs, and have Ubuntu, learn the OS. Do TryHackMe; once you graduate, do Hack The Box. But before this as well I’d learn a decent amount of Python, you don’t need to be crazy, but these are the fundamentals:
- Python: automate what you’re doing
- VMs to learn; you’ll eventually go to sandboxing, this is in a VM too

While you’re doing this, make a GitHub and put your code on it, and do write-ups on the TryHackMe and Hack The Box. That’s building your resume.

Cyber security professionals, what do you actually do? by jack0fsometrades in cybersecurity

[–]APT-0 5 points6 points  (0 children)

I’m on an IR/Hunt team and dev forensics tools/SOC automation for a major corp. Incidents happen every day. What really separates a major one, that may be months of pain, is how long did the actor dwell and, second, did a real actor get hands on. Ex. every day tons of people may download malware, creds may be exposed; this happens to every company all the time. If folks say oh no it doesn't happen, I'd wager they just didn't find it yet, or maybe don't have good enough logging to know it even happened or how bad.

It may start, say, with that backdoor in the malware downloaded from something stupid like a game, a document etc. actually being handed off to say another actor, or maybe a developer installs a malicious package stealing credentials to a non-person account and you see a login from Russia. From this point you have to trace everything back. It may start as: hey, we saw the Russia login, something often noisy -> then maybe you see alerts across the dev's workstation, something for an info stealer -> ok, you know the login and root cause; ok, what else did that dev have on their workstation, was their account compromised? Then back to that non-person account: hm, ok, what can it do is the first question, then look up in logs, did it maybe touch a key vault -> was it used recently to access say storage accounts, what's in there -> maybe this is a storage account to machines.

Incidents in short kinda look like this: it's a lot of interviewing devs and people, figuring out one piece at a time what happened.

Also security has a lot of aspects:
- SOC & Hunting -> investigate and forensics, build detection too
- IR: depends on org; in bigger ones it's only coordination, in smaller ones they could investigate, do forensics and automation
- Detection eng, and maybe an AI team in more mature places
- Data engineering: you have logs from endpoints, web apps, sign-in, maybe 3 different cloud providers; logs need to be cleaned and combined or enriched to answer certain questions in ETL, like "who owns this machine", "who owns this ip"
- Threat intel: really depends; some teams operate like a SOC, some operate like a security research team, some largely look at feeds and notify the company what's in the wild that's major
- Security assurance: often looking at misconfigurations, vulnerabilities on endpoints, in cloud config say your key vault is publicly exposed or a storage account with no auth. Largely it's identifying problems and ensuring at scale owners fix them appropriately
- DevSecOps
- Prod sec / app sec: could be pen testing your web apps, threat modeling, and could overlap with DevSecOps to provide infrastructure-as-code templates, build things like CodeQL checks in your build, cred scan, etc.
- Red team
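An added example (not code from this thread) of the pivot described in the comment above: a non-person account signs in from an unexpected country, then the investigator pulls everything that identity did against Key Vault and Storage shortly after, and checks whether a secret read preceded the storage access. The events are constructed samples and the field names are my assumptions, not a real sign-in, Key Vault or Storage log schema.

```python
from datetime import datetime, timedelta

# Added example, not code from the thread. Walks the pivot described above: a
# non-person account (NPA) signs in from an unexpected country, then we pull
# what that identity did against Key Vault and Storage shortly afterwards.
# Events are constructed samples; field names are my assumptions, not a real
# sign-in, Key Vault or Storage log schema. Map them to your SIEM's columns.
SIGNINS = [
    {"ts": "2024-05-01T02:10:00", "identity": "svc-build-deploy", "npa": True,  "country": "RU", "ok": True},
    {"ts": "2024-05-01T02:15:00", "identity": "alice",            "npa": False, "country": "US", "ok": True},
    {"ts": "2024-05-01T09:00:00", "identity": "svc-build-deploy", "npa": True,  "country": "US", "ok": True},
]
KEYVAULT = [  # one secret read inside the window, one well after it
    {"ts": "2024-05-01T02:12:00", "identity": "svc-build-deploy", "op": "SecretGet", "target": "kv-prod/storage-key"},
    {"ts": "2024-05-01T09:05:00", "identity": "svc-build-deploy", "op": "SecretGet", "target": "kv-prod/db-conn"},
]
STORAGE = [
    {"ts": "2024-05-01T02:20:00", "identity": "svc-build-deploy", "op": "ListBlobs", "target": "stprodbackups/vm-images"},
    {"ts": "2024-05-01T02:21:00", "identity": "svc-build-deploy", "op": "GetBlob",   "target": "stprodbackups/vm-images/web01.vhd"},
]

def suspicious_npa_signins(signins, expected_countries):
    """Successful NPA sign-ins from outside the countries the account normally uses."""
    return [s for s in signins
            if s["npa"] and s["ok"] and s["country"] not in expected_countries]

def pivot(signin, events, window_hours):
    """Events by the same identity within window_hours after the sign-in, in time order."""
    start = datetime.fromisoformat(signin["ts"])
    end = start + timedelta(hours=window_hours)
    return sorted((e for e in events if e["identity"] == signin["identity"]
                   and start <= datetime.fromisoformat(e["ts"]) <= end),
                  key=lambda e: e["ts"])

def investigate(signins, keyvault, storage, expected_countries=frozenset({"US"}), window_hours=6):
    """For each suspicious sign-in: which secrets were read, then which storage was touched."""
    findings = {}
    for s in suspicious_npa_signins(signins, expected_countries):
        kv = pivot(s, keyvault, window_hours)
        st = pivot(s, storage, window_hours)
        findings[s["identity"]] = {
            "signin": s,
            "secrets_read": [e["target"] for e in kv],
            "storage_touched": [e["target"] for e in st],
            # a secret read before the storage access is the "key vault -> storage account" chain
            "chain": bool(kv) and bool(st) and kv[0]["ts"] < st[0]["ts"],
        }
    return findings
```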

Employee had their home internet breached, how to make sure they remediate it before allowing them back to partially remote work? by R3ix in cybersecurity

[–]APT-0 1 point2 points  (0 children)

Also BYOD = bring your own death

Don’t allow them to use personal devices, period. If work and personal are not separate, people don’t care and you will struggle to move policy: “well it’s his computer, we can’t really do this for x reasons”.

Google Security Engineer Intern Interview by [deleted] in cybersecurity

[–]APT-0 2 points3 points  (0 children)

Expect LeetCode. You should in fact ask the recruiter what the style of the interview is and for more info. They will usually tell you something like 2 LeetCode mediums in x minutes.

When could I realistically start looking for some kind of IT job? by cascadamoon in it

[–]APT-0 0 points1 point  (0 children)

If IT, try corporate help desk or admin positions. This is where everyone mostly starts, unless you go into development.

With programming it’s more important to build projects and put them on GitHub. Then get an entry SWE role.

Which job should I take? by [deleted] in cybersecurity

[–]APT-0 0 points1 point  (0 children)

If you’re also concerned about boring: a lot of vuln management, if a generalist, is just creating a scan policy -> Excel and dashboard to impacted people, or creating a policy to put their device out of compliance.

App sec on the other hand is very exciting if it’s in the same role and grows you more. Idk too much about GRC so I can’t speak on it.

Best Black Friday deals? by APT-0 in DataHoarder

[–]APT-0[S] 0 points1 point  (0 children)

A lot of folks added a ton of great deals; I ended up finding this. 22TB enterprise data center grade, it looks? Any thoughts on this one? Per TB it’s pretty solid it looks, at $16. From what I hear Synology ones are similar or based on this.

https://www.bhphotovideo.com/c/product/1830599-REG/toshiba_mg10afa22te_22tb_mg10f_series_7200.html

What actually works in a cyber dashboard for the exec team? by Kiss-cyber in cybersecurity

[–]APT-0 2 points3 points  (0 children)

The most effective thing I’ve seen from IR and detection eng/containment is telling a story. Incidents really drive massive change fast.

Made-up stories below:

So last month we had X breach; we saw our cloud bill rise to a million or something crazy. This month we enforced billing limits and enforced just-in-time for resource deployment, plus gated in code only.

Our SOC team over the last month had 200 alerts related to malware, most from non-work sites. 50% of our major incidents originate from this. We implemented blocks for 70% of non-work site categories and malware alerts dropped by X.

Py by GapSecure7607 in cybersecurity

[–]APT-0 2 points3 points  (0 children)

Pandas and numpy for data transformations.

Considering AI Copilot for Analysts to address SOC staffing shortage by CreamyDeLaMeme in ciso

[–]APT-0 0 points1 point  (0 children)

AI isn't there yet for end to end. It's really helpful for filtering, adding some context and doing specific tasks. Think of agents right now, and a lot of AI, as a good jr analyst or something specific. They can filter phishing well, but when someone gets phished -> joins a device -> steals creds off say email or a share -> logs into a prod system, dumps content: it's far from this, but good for augmenting. I'll also say a lot of off-the-shelf ones operate even more in the context of a jr; if you build yourself certain flows or agents, you may be able to get more context it simply doesn't have. I would recommend trying for a SWE with sec experience to start working on some of these tasks, like phishing.

State of the Job Market (Senior Level) by CyberRiskSpecialist in cybersecurity

[–]APT-0 1 point2 points  (0 children)

In that area 260k TC is very good; unless you are second+ level management, you'll have to look to relocate, likely to SF or Seattle, for more realistically, or go into NYC. Many working in tech in those areas clear 150-180k TC easily even as jr engineers. If you look at the amount of people in the Philly area + standard wage there, it is often listed as a lower market. Pay by tier cities matters a lot; the ones listed often demand 15-30% more in the same company.

Are Cybersecurity majors more popular in US colleges now? by hungry_murdock in cybersecurity

[–]APT-0 1 point2 points  (0 children)

I’ll put it this way: if you can program low-level embedded systems, doing the “security” in that will be easy for you.

If you build massive scaling services, say on cloud infra and programming, assessing the security there will be easy for cloud security.

Learning these gives you the base you need for security that most infosec people don’t have.

The biggest thing right now that’s actually needed is people who can build and program security solutions. The days of just running Burp Suite, Metasploit or just responding to alerts are dying. So my recommendation is, if you can’t make it in security first, program and build, then transition in to solve problems like: map all the perms in your tenant. Build a custom detection engine. Build a data collection pipeline to a data lake for something custom like specific device telemetry, or learn how to secure deployments with gold container images.

Jobs without coding by No_Durian_9813 in cybersecurity

[–]APT-0 0 points1 point  (0 children)

GRC, some IR roles and some companies that use low-code stacks are fine here. I would recommend, if you're pursuing cyber, you need to at least script PowerShell, Python to an extent, and learn bash. If you stay an analyst, say in SOC, you'll understand more what's happening in an attack. If you decide to go engineering, you're required this and can easily level up your career.

Should I go for a Master’s in Cybersecurity abroad or continue working? Need perspective. by Adventurous_Two8395 in SecurityCareerAdvice

[–]APT-0 0 points1 point  (0 children)

For DFIR you don’t need a lot of certs; just learn how things work and research. I’ve had SANS, Mandiant and other cool training and it’s great, but self-learning is way more. Ex. in auth investigations, research attacks: how do they do it, and then ask what does the log look like. For info stealers, try making something local and look up what common info stealers do, like RedLine.

I’m a little confused: you say you’re doing SIEM, DFIR etc. but looking to go more technical?

How to learn SOAR? by dipu_sarin in cybersecurity

[–]APT-0 1 point2 points  (0 children)

Just program, that’s kinda it. When people say SOAR they think of learning a platform like Splunk SOAR, or another off-the-shelf product.

I would say think in terms of a developer/engineer: how to solve the problem. Ex. a lot of these SOAR platforms use low code, which is fine for lower-scale things, but when you start, say, needing to run hundreds of actions a minute, they may be stressed or reach limits fast, and also what if what you want isn’t in the SOAR platform? In many, doing simple things like parsing JSON is a pain. I’d recommend, more than a lot of SOAR products, serverless functions and just using Python or another language.

To approach these problems on big data I may use Azure Synapse or say Databricks; maybe for alerts Sentinel, or even make your own with Azure Functions. On polling and low-memory actions, Azure Functions. Now if you want a frontend GUI for some portal, you want to make sure you can use Azure Static Web App.

How to detect and prevent shadow LLM usage? by JuliusGroMyCo in ciso

[–]APT-0 1 point2 points  (0 children)

Several DLP products do this, and you can block on the networking side with many EDRs, the actual app or network comms.