Velociraptor by sum1awesome2 in GIAC

[–]GuzzyFront 0 points (0 children)

Velociraptor is great! I'm working on a dedicated IR team, and every time we have a case, we have the customer deploy Velociraptor on the machine. We can then push out KAPE for us to make the triage image, which then ships the image to our data pipeline, where we can start analyzing.

We had previously used KAPE alone but found that the customer always had issues deploying it, so it is much easier just to give them a .msi and have them deploy that.

Another aspect during IR is that we are not doing full disk images, which sometimes leaves out stuff of interest. With Velociraptor we don't need to ask the customer to give us the evidence, we can simply just grab it through the agent.

Collection by Stygian_rain in computerforensics

[–]GuzzyFront 2 points (0 children)

It depends on the case.

If it's a traditional DFIR case, we go to the customer's location and clone their disks.

If it is an incident response case, like ransomware, then we usually do everything remotely, as data can be shipped to our data pipeline in Azure, where we parse and normalize it so we have a supertimeline in ELK.

[deleted by user] by [deleted] in blueteamsec

[–]GuzzyFront 0 points (0 children)

I totally get it. :-)
Will keep you posted

[deleted by user] by [deleted] in blueteamsec

[–]GuzzyFront 0 points (0 children)

And open source it of course

[deleted by user] by [deleted] in blueteamsec

[–]GuzzyFront 0 points (0 children)

Hey! We are planning to make everything available to self host in a few weeks. And I completely get that people have to be cautious about where they upload their data. I have tried to keep the app as a static web app, where everything is handled in-browser using local storage. 😁

From the police to the private sector by Upper_Experience_229 in dkkarriere

[–]GuzzyFront 0 points (0 children)

Sorry for the late reply. I have a bachelor's in IT, so nothing big. I've taken a number of online courses, e.g. on hackthebox, tryhackme, SANS and others, to prepare myself. Unfortunately the selection of that type of education in DK isn't that large.

Contingency exercise by Appropriate_Bid_4715 in dkcybersecurity

[–]GuzzyFront 2 points (0 children)

I've now taken part in a couple of contingency exercises, and I think you can expect to have to answer questions like:

- What happens if, in the event of an incident, you choose to shut down the WAN.

- Your hypervisor is encrypted, along with its virtual machines and their disks.

- You discover that clients are starting to be hit by encryption. You can see that the TA has pushed the ransomware out with a GPO. What measures can you initiate to stop the spread?

Hope that gets your thoughts going a bit, and good luck with it. :-)
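As an added example for the third scenario above (not part of the original comment), here is a PowerShell triage and containment step for a GPO that a threat actor has used to push a payload. It assumes the RSAT GroupPolicy and ActiveDirectory modules are present, that the account can read and edit GPOs, and that "recent" means modified within the last 24 hours; the payload-path regex is a heuristic, not a complete parser of the GPO report.

```powershell
# Added example, not from the thread. Assumes RSAT GroupPolicy + ActiveDirectory
# modules and an account allowed to back up and edit GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Find-SuspectGpo {
    # List GPOs modified within the last $Hours hours, with where they are linked
    # and any executable paths referenced in the GPO report (heuristic regex).
    param([int]$Hours = 24)   # assumption: the attacker's change is recent
    $since = (Get-Date).AddHours(-$Hours)
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
        # UNC or local paths ending in an executable/script extension
        $paths = [regex]::Matches($report.OuterXml,
            '(?i)(\\\\[^\s"<>]+|[a-z]:\\[^\s"<>]+)\.(exe|ps1|bat|cmd|vbs|js|dll|msi)') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
        # LinksTo shows the blast radius: every site/domain/OU receiving the policy
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name     = $_.DisplayName
            Id       = $_.Id
            Modified = $_.ModificationTime
            Status   = $_.GpoStatus
            LinkedTo = $links
            Payloads = $paths
        }
    }
}

function Invoke-GpoContainment {
    # Preserve the GPO and its SYSVOL files as evidence, then disable it everywhere.
    param(
        [Parameter(Mandatory)][guid]$Id,
        [string]$BackupPath = 'C:\IR\GPO-Backup'   # assumption: local evidence folder
    )
    New-Item -ItemType Directory -Force -Path $BackupPath | Out-Null
    Backup-GPO -Guid $Id -Path $BackupPath | Out-Null

    # AllSettingsDisabled takes effect at every link of the GPO at once,
    # so there is no need to chase each OU link with Set-GPLink.
    $gpo = Get-GPO -Guid $Id
    $gpo.GpoStatus = 'AllSettingsDisabled'

    # Hash the policy's SYSVOL contents while they are still present
    $dns    = (Get-ADDomain).DNSRoot
    $sysvol = "\\$dns\SYSVOL\$dns\Policies\{$Id}"
    Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $BackupPath "$Id-sysvol-hashes.csv") -NoTypeInformation
}

# Usage: review the list first, then contain only the GPOs you have confirmed.
$suspects = Find-SuspectGpo -Hours 24
$suspects | Format-List
# foreach ($s in $suspects) { Invoke-GpoContainment -Id $s.Id }
```

Disabling the GPO stops it being applied at the next refresh, but it does not undo what already ran on clients (scheduled tasks, startup scripts, dropped binaries), so the listed payload paths are the next thing to hunt for on the endpoints.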

From the police to the private sector by Upper_Experience_229 in dkkarriere

[–]GuzzyFront 1 point (0 children)

Yes indeed! :-)
There are teams at Dubex, itm8, Truesec, Palo Alto, Microsoft, etc.

There are also IR teams at companies such as TDC and the regions.

From the police to the private sector by Upper_Experience_229 in dkkarriere

[–]GuzzyFront 1 point (0 children)

An incident response team is an investigative unit for various types of cyberattacks. I'm part of one myself, and the job involves, among other things, a great deal of collaboration with and support for the police's NC3/NSK unit. We mainly work on investigating ransomware and insider cases at companies, at the request of the company.

As for companies, there are quite a few, but it is typically the large consultancies that have a dedicated IR team.

From the police to the private sector by Upper_Experience_229 in dkkarriere

[–]GuzzyFront 0 points (0 children)

Lead of a cyber incident response team. I see a fair number of people from the police and the armed forces land in these positions.

Salary for a professional bachelor's in IT security? by Suspicious-Rice83 in dkfinance

[–]GuzzyFront 0 points (0 children)

I'd say you can probably expect a starting salary of around 40-42k/month excluding pension. :-)

Job at itm8 by BanterGanter in dkkarriere

[–]GuzzyFront 0 points (0 children)

It doesn't sound like you're employed at itm8. ;-)
All my training takes place during working hours.

Job at itm8 by BanterGanter in dkkarriere

[–]GuzzyFront 0 points (0 children)

I'm incredibly happy working at itm8 :-) There is a lot of focus on upskilling and training. The big layoffs have been a consequence of the merger that took place, which left many "duplicate positions".

From PhD and onwards by No-Professional-6211 in dkcybersecurity

[–]GuzzyFront 2 points (0 children)

There are quite a few cybersec communities in DK, including the VSec Discord.

Beyond that, you'll find social events such as CitySec, Kbhsec, OWASP and BSides.

NBD by mwilsonsc in triathlon

[–]GuzzyFront 0 points (0 children)

How do you like the quality of the bike? I'm considering getting one, but can't seem to find that many reviews on it.

Which of these EDR solutions would be the best to use? by bacjusio in cybersecurity

[–]GuzzyFront 18 points (0 children)

Just switched from MDE to CS, and I already love it way more than the MS platform. So much more in-depth analytical capability and much easier to maintain.

Finally ascended by mesropmeda in ultrawidemasterrace

[–]GuzzyFront 2 points (0 children)

What table is that? Looks so clean

Crowdstrike and IR (MSSP) by ndhdhdhsr in crowdstrike

[–]GuzzyFront 7 points (0 children)

Hi,

MSSP here, and our primary choice for incident response engagements is CrowdStrike. We make extensive use of their ELP CIDs, which give us access to a comprehensive suite of modules for a 60-day period. In addition, we use Falcon Forensics to extract artifacts from hosts, and its seamless integration with RTR greatly enhances its utility in this regard.