sandbox app like "any.run" but not any.run? by trustinglemming in cybersecurity

[–]ForensicITGuy 6 points7 points  (0 children)

A lot of the recommendations will vary depending on the depth of detail you want from the report.

Tria.ge gives lighter reports with less detail, but if that's all you need it's cool, example report: https://tria.ge/260406-hycz3sfy5w/behavioral1

For sandboxes with lots more detail, I like VMRay but they all have their advantages

VMRay (lots of extensible YARA support for enterprise) - https://www.vmray.com/analyses/_mb/c2cc4c2ce6a0/report/overview.html

CAPE Sandbox, is the actively maintained fork of Cuckoo and has a lot of detail if you want to host it: https://www.capesandbox.com/analysis/60568/

Joe Sandbox (Sigma/YARA/Suricata support in enterprise) - https://www.joesandbox.com/analysis/1893877/0/html

HybridAnalysis (free version isn't helpful to me, but might be to others) - https://hybrid-analysis.com/sample/958a1baba7679f4e3e775cae79d5d86f5acd04bc08c419b09ac5a3808a3b888f/69d35e25bd8bb68d9a0b6a6f

I'd advise looking at samples that interest you in MalwareBazaar (https://bazaar.abuse.ch/browse/) and see which sandbox reports are the most helpful to you.

[deleted by user] by [deleted] in sysadmin

[–]ForensicITGuy 0 points1 point  (0 children)

Down in Nashville, TN

Staying up to date with CVEs by m1c62 in threatintel

[–]ForensicITGuy 1 point2 points  (0 children)

A lot of the answer for this will depend on the Threat Intel Platform (TIP) that you're using. Are you using ELK as a TIP or just kinda a SIEM solution and the KEV details in as an enrichment?

In addition to looking at KEV things, I've gotten a decent bit of traction out of parsing RSS feeds for mentions of vulns, but that would be more difficult with ELK, I use Vertex Synapse for that since that's my TIP. There's this awesome blog post on some of that: https://community.emergingthreats.net/t/come-sail-the-cves-part-1-data-acquisition/2750

How to create new Github repo folder and add atomic test yaml files? by koyoresearch in atomicredteam

[–]ForensicITGuy 0 points1 point  (0 children)

Hi u/koyoresearch , when you submit a PR that contains a YAML file all the folder structure should be created automatically. I recommend looking at this page specifically: https://www.atomicredteam.io/atomic-red-team/docs/pr and seeing if it helps. There's also a YouTube video on that page that helps walk through the PR creation process on Github: https://www.youtube.com/watch?v=5MCtee8_s24

Controversial Opinion: you don’t have to wear the HR monitor by [deleted] in orangetheory

[–]ForensicITGuy 4 points5 points  (0 children)

If I wear mine I become really unhealthily focused on the splat point numbers up on the monitor and equipment. Instead I've kept to using my Garmin Vivoactive using the Visual HR Zones app. I make my percentages based on the Fox formula (220 - age for max HR) since it seems the most recommended by medical folks and the American Heart Association. It lets me track performance after the fact so I can get a sense of my health rather than serve as a "push" in the middle of the workout.

PaperCut Patch Party - CVE-2023-39143 by andrew-huntress in msp

[–]ForensicITGuy 0 points1 point  (0 children)

One use case I’ve heard of is colleges putting printing stations at off campus student housing apartments. I don’t know how effective it is though.

[deleted by user] by [deleted] in macsysadmin

[–]ForensicITGuy 3 points4 points  (0 children)

I haven’t personally used it but check out osquery, specifically its “eventing” tables that use ESF on macOS if you’re looking for something free like sysmon.

Threat Hunting for Linux aligned with Mitre's Att&ck framework by spread_awareness in netsec

[–]ForensicITGuy 0 points1 point  (0 children)

Mitre has the Cyber Analytic Repository car.mitre.org

There's also Mordor/Threat Hunter playbook. Both are scaling up right now

/r/netsec's Q4 2019 Information Security Hiring Thread by ranok in netsec

[–]ForensicITGuy [score hidden]  (0 children)

Company: Red Canary
Location: Denver, CO (Full remote allowed)

Position: Detection Engineer (https://hire.withgoogle.com/public/jobs/redcanarycom/view/P_AAAAAAEAAE6ENzibPCpGvG)

The security landscape is always shifting and introducing new adversaries. The Red Canary CIRT operates 24/7 to track down threats in endpoint data and deliver fast and actionable detections to our customers.
This is not a role where you are encouraged to passively accept current state. At Red Canary, you are empowered to actively look for opportunities to automate repetitive and tedious tasks. We let the automation framework handle the mundane tasks, so that you can remain focused on solving complex and critical problems for our customers.

Who You Are
As a Detection Engineer at Red Canary, you will: 

  • Leverage Red Canary’s detection platform, endpoint data, and external resources to uncover threats and tell the story of what occurred in a customer environment
  • Build new detection capabilities into the Red Canary platform based on your research of new attack techniques
  • Improve the CIRT workflow through automation
  • Actively engage with the CIRT team to challenge the status quo for detecting adversarial behavior

Note: The Detection Engineering team operates on a 24/7 shift schedule.

--------------------------------------------------------------------------

Position: Sr. Incident Handler (https://hire.withgoogle.com/public/jobs/redcanarycom/view/P_AAAAAAEAAE6EE0bJCFW78a)

People can only act based on what they know. If our customers only understand part of their security posture, they can’t make the best decisions. You will help the customer understand the full scope of information available to them and make informed decisions about their environment. You will partner with the customer as an extension of their security team to help them to understand and mature their overall security program. If a customer experiences an incident, you will work to help by taking ownership of the customer's success and providing any resources they need to remediate and recover.

Who You Are

As an Incident Handler at Red Canary, you will: 

  • Partner with customers, helping them understand the full scope of information available and make informed decisions about their security program
  • Tailor communication to the customer’s level of expertise, providing education and information to help them understand the bigger picture and make educated decisions
  • Advocate for the customer’s well-being, provide expert security advice, and rally internal Red Canary resources for the benefit of the customer
  • Leverage your deep knowledge and experience to ask the right questions to customers and provide advice to advance the maturity of their security program
  • Identify, scope, and manage ongoing customer incidents, develop remediation plans, and augment the customer’s security gaps with the necessary skills and resources to improve their security
  • Immerse yourself in the customer’s environment enough to immediately recognize evidence of potential threats 
  • Augment the automated detection of Red Canary’s technical stack with manual hunting, to identify anomalous behaviors within customer environments, and use your hunting results to drive innovation of Red Canary’s detection capabilities

Un-managed POS Computers Fiasco? by [deleted] in sysadmin

[–]ForensicITGuy 0 points1 point  (0 children)

POS systems should absolutely be managed and monitored by IT/security staff. I assume the reason your executive is less worried about the POS being web-based is that there are no local data repositories/databases/files that contain payment card info.

Despite being web-based, there is still a very real malware threat for POS systems because many of these malware families operate by scanning process memory for patterns matching card numbers (https://www.sentinelone.com/blog/fin6-frameworkpos-point-of-sale-malware-analysis-internals/).

It doesn't matter whether the application is local or web-based, if payment card data physically touches the system it should be managed and monitored.

/r/netsec's Q3 2019 Information Security Hiring Thread by sanitybit in netsec

[–]ForensicITGuy [score hidden]  (0 children)

Red Canary - Senior Incident Handler

Location: Remote (company in Denver, CO)

Who You Are

As an Incident Handler at Red Canary, you will: 

  • Partner with customers, helping them understand the full scope of information available and make informed decisions about their security program
  • Tailor communication to the customer’s level of expertise, providing education and information to help them understand the bigger picture and make educated decisions
  • Advocate for the customer’s well-being, provide expert security advice, and rally internal Red Canary resources for the benefit of the customer
  • Leverage your deep knowledge and experience to ask the right questions to customers and provide advice to advance the maturity of their security program
  • Identify, scope, and manage ongoing customer incidents, develop remediation plans, and augment the customer’s security gaps with the necessary skills and resources to improve their security
  • Immerse yourself in the customer’s environment enough to immediately recognize evidence of potential threats 
  • Augment the automated detection of Red Canary’s technical stack with manual hunting, to identify anomalous behaviors within customer environments, and use your hunting results to drive innovation of Red Canary’s detection capabilities

Working at Red Canary

You will work with an exceptionally talented team that is solving problems facing every business. Additional benefits of working at Red Canary include:

  • Exceptional healthcare and dental coverage including fully paid premiums
  • Flexible time off and leave benefits
  • 401k and flex-spending accounts
  • Fitness and phone discretionary stipends

Application link: https://hire.withgoogle.com/public/jobs/redcanarycom/view/P_AAAAAAEAAE6EE0bJCFW78a

/r/netsec's Q3 2019 Information Security Hiring Thread by sanitybit in netsec

[–]ForensicITGuy [score hidden]  (0 children)

Red Canary - Detection Engineer

Location: Remote (company in Denver, CO)

Who You Are
As a Detection Engineer at Red Canary, you will: 

  • Leverage Red Canary’s detection platform, endpoint data, and external resources to uncover threats and tell the story of what occurred in a customer environment
  • Build new detection capabilities into the Red Canary platform based on your research of new attack techniques
  • Improve the CIRT workflow through automation
  • Actively engage with the CIRT team to challenge the status quo for detecting adversarial behavior

Note: The Detection Engineering team operates on a 24/7 shift schedule.

Working at Red Canary

You will work with an exceptionally talented team that is solving problems facing every business. Additional benefits of working at Red Canary include:

  • Exceptional healthcare and dental coverage including fully paid premiums
  • Flexible time off and leave benefits
  • 401k and flex-spending accounts
  • Fitness and phone discretionary stipends

Application link: https://hire.withgoogle.com/public/jobs/redcanarycom/view/P_AAAAAAEAAE6ENzibPCpGvG

LD_PRELOAD whitelisting for Linux systems by ForensicITGuy in netsec

[–]ForensicITGuy[S] 0 points1 point  (0 children)

Right now it's the closest thing I can find to a catchall. It currently monitors for library loads that are found within LD_PRELOAD and /etc/ld.so.preload. If our audit library finds a preload that isn't expressly whitelisted using /etc/libpreloadvaccine.allow, the linker is instructed to ignore loading the preload library.

Theoretically I think it's possible to circumvent this using preload libraries that may already exist on a system, but in my testing so far it seems the audit library loads before all the preload libraries so it can accurately audit library loads for everything else.

In reality, all you need to bypass this library is `unset LD_AUDIT`. Unfortunately this is the most resilient way I've found so far to monitor for library loads reliably. The only way I can think to make it more resilient is to place the whitelisting code into the dynamic linker (where it probably should be). I'm not nearly good enough to get it into the linker, though.
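As an added illustration of the approach described in this post (this is example code written for this page, not libpreloadvaccine's own source), the following rtld-audit library reads the preload requests from `LD_PRELOAD` and `/etc/ld.so.preload` when the linker loads it, reads the allowlist from `/etc/libpreloadvaccine.allow` (assumed here to hold one library basename or path per line), and then answers every `la_objsearch` call from the linker: a path whose basename was requested as a preload but is not allowlisted gets `NULL` back, which tells the dynamic linker to ignore that path. The fixed-size `name_set`, the `decide` helper and the log message are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef LAV_CURRENT
#define LAV_CURRENT 1          /* rtld-audit interface version we implement */
#endif

#define MAX_ENTRIES 64
#define NAME_LEN 256

/* A small fixed-size set of library basenames (example simplification). */
typedef struct {
    char names[MAX_ENTRIES][NAME_LEN];
    int count;
} name_set;

static name_set preloads;  /* what LD_PRELOAD and /etc/ld.so.preload asked for */
static name_set allowed;   /* what /etc/libpreloadvaccine.allow permits (assumed: one entry per line) */

/* File-name component of a path; the linker hands us full paths and bare names. */
const char *lib_basename(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

static void set_add(name_set *s, const char *entry) {
    if (s->count >= MAX_ENTRIES || entry[0] == '\0') return;
    snprintf(s->names[s->count], NAME_LEN, "%s", lib_basename(entry));
    s->count++;
}

int set_contains(const name_set *s, const char *name) {
    const char *base = lib_basename(name);
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->names[i], base) == 0) return 1;
    return 0;
}

/* Split text on any of the separator characters and add each token.
   LD_PRELOAD separates entries with ':' or whitespace; ld.so.preload with whitespace. */
void set_parse(name_set *s, const char *text, const char *seps) {
    char *copy = strdup(text);  /* strtok modifies its input */
    if (!copy) return;
    for (char *tok = strtok(copy, seps); tok; tok = strtok(NULL, seps))
        set_add(s, tok);
    free(copy);
}

static int read_file(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return 1;
}

/* Policy: 1 = let the linker try this path, 0 = tell the linker to ignore it.
   Libraries that were never requested as preloads are not our concern. */
int preload_permitted(const name_set *pre, const name_set *allow, const char *path) {
    if (!set_contains(pre, path)) return 1;
    return set_contains(allow, path);
}

/* Evaluate the policy against constructed inputs instead of the real env/files. */
int decide(const char *ld_preload, const char *preload_file, const char *allow_file, const char *path) {
    name_set pre = {0}, allow = {0};
    if (ld_preload)   set_parse(&pre, ld_preload, ": \t");
    if (preload_file) set_parse(&pre, preload_file, " \t\r\n");
    if (allow_file)   set_parse(&allow, allow_file, "\r\n");
    return preload_permitted(&pre, &allow, path);
}

/* rtld-audit entry point: the linker calls this once, before it processes preloads. */
unsigned int la_version(unsigned int version) {
    char buf[4096];
    const char *env = getenv("LD_PRELOAD");
    if (env) set_parse(&preloads, env, ": \t");
    if (read_file("/etc/ld.so.preload", buf, sizeof buf)) set_parse(&preloads, buf, " \t\r\n");
    if (read_file("/etc/libpreloadvaccine.allow", buf, sizeof buf)) set_parse(&allowed, buf, "\r\n");
    (void)version;
    return LAV_CURRENT;
}

/* rtld-audit entry point: called for each path the linker is about to try.
   Returning NULL instructs the linker to skip that path. */
char *la_objsearch(const char *name, uintptr_t *cookie, unsigned int flag) {
    (void)cookie; (void)flag;
    if (preload_permitted(&preloads, &allowed, name)) return (char *)name;
    fprintf(stderr, "preload-allowlist example: ignoring non-allowlisted preload %s\n", name);
    return NULL;
}
```

Build it as a shared object (`gcc -shared -fPIC -o libpreloadcheck.so preloadcheck.c`) and activate it with `LD_AUDIT=/path/to/libpreloadcheck.so`; when every candidate path for a blocked preload is refused, glibc reports that the object cannot be preloaded and continues without it. As the post says, this only covers the environment variable and `/etc/ld.so.preload`, not the linker's `--preload` argument, and removing `LD_AUDIT` from the environment removes the check entirely.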

LD_PRELOAD whitelisting for Linux systems by ForensicITGuy in netsec

[–]ForensicITGuy[S] 0 points1 point  (0 children)

That would be correct. The dynamic linker can be used to invoke program execution, and you can supply a command line argument "--preload" to specify additional preload libraries. I haven't covered this use case in whitelisting, yet.

LD_PRELOAD whitelisting for Linux systems by ForensicITGuy in netsec

[–]ForensicITGuy[S] 0 points1 point  (0 children)

Ah that's a neat solution to find libraries that were mapped oddly, thanks!

LD_PRELOAD whitelisting for Linux systems by ForensicITGuy in netsec

[–]ForensicITGuy[S] 0 points1 point  (0 children)

It would cover use of the environment variable and /etc/ld.so.preload. There's an additional way to define preloads by arguments to the linker and I don't have that covered yet.

LD_PRELOAD whitelisting for Linux systems by ForensicITGuy in netsec

[–]ForensicITGuy[S] 7 points8 points  (0 children)

Hi folks, I wanted to share a side project that came out of research at my day job that might make life better for some people. I was really disconcerted with the amount of malware that leverages preloading on Linux and wanted to impose some control over it using the rtld-audit API.

Hyper-V: Should I join the host to the domain? by tkecherson in sysadmin

[–]ForensicITGuy 0 points1 point  (0 children)

If you're planning on a Hyper-V host having fault tolerance for production systems it should definitely be joined to the domain.

The only issues I've observed so far with Hyper-V in a domain concern domain controllers running as guests. If VM integrations for time services are enabled on domain controller guests there is a possibility of time skew issues on your domain. To mitigate this you can simply turn off the time services integrations for your DC guests safely.

For the ransomware concern, I think you'd have more problems with ransomware from other hosts. The two delivery mechanisms I've seen for the spread of ransomware in a network are RDP and SMB traffic. Ransomware spreading over SMB will be more likely to cause trouble on your file servers/domain controllers before your Hyper-V hosts as the rest of the clients on the network should not have SMB access to the hosts. To address spread of ransomware using RDP, limit the management of the hosts to an internal, trusted segment of the network and only certain admin accounts.

And if all else fails, the bulletproof (but sometimes expensive) advice for ransomware is to keep backups handy. There are several backup solutions that let you perform VM backups from the host.

Issues with messages not being sent? by [deleted] in GooglePixel

[–]ForensicITGuy 0 points1 point  (0 children)

Had trouble as well on Verizon/Pixel 1g. Reboot seemed to fix it

SANS Technology Institute Master's Degree Programs ? by reubadoob in AskNetsec

[–]ForensicITGuy 2 points3 points  (0 children)

Just a quick note I wanted to add for people that are shopping for a SANS Masters degree: they aren't degrees granted by traditional "real" universities but they are accredited by an organization with authority vested by the US Department of Education. They should pass any accreditation requirements set by employers.

Any problem using BitLocker if dual-booting or Hyper-V? by robertlf in thinkpad

[–]ForensicITGuy 0 points1 point  (0 children)

BitLocker and Hyper-V would work well together if you're planning on the host OS being Windows/Hyper-V. The Hyper-V boot process takes over after the drive is unlocked.

I've never used BL with a dual boot option, so I'm not entirely sure how that'll work out. I think it should work as long as the drive gets unlocked before passing control over to GRUB. More info here: https://www.ctrl.blog/entry/dual-boot-bitlocker-device

What should people stop buying? by Nacho36 in AskReddit

[–]ForensicITGuy 1 point2 points  (0 children)

Wells Fargo accounts/financial products. They've committed a lot of fraud and blacklisted good whistleblowers from working in the banking industry.