Let's build our own SOC using open-source tools such as Zeek, Sigma and OSQuery. Please note, this is a bit of a notes dump of how I set it up. It is not a step by step guide but you could pop this into an AI chat bot to get a step by step guide going for your systems. For quite some time now I have been concentrating on offensive security, malware analysis and reverse engineering. But let's flip the script and start to look at how to defend against all of the above and more. The SOC is the command hub of enterprise defense, it is where large amounts of data from endpoints, networks, application and cloud services are collected and analysed. A skilled SOC analyst balances technical fluency with adversary knowledge. First step - Determine our adversary framework First we need to understand our adversary framework so we get a head start on knowing how to build our detection platform. We will engineer our detection directly to the MITRE ATT&CK framework (https://attac...
Reverse engineering for bug bounties is a thrilling adventure, often leading down rabbit holes of code and unexpected discoveries. My recent journey involved the Spotify installer, a quest to uncover a potential DLL hijacking vulnerability. This post will walk you through the process, the tools, the roadblocks, and the ultimate conclusions, highlighting key lessons learned along the way. Understanding DLL Hijacking: The Goal At its core, DLL (Dynamic Link Library) hijacking is a common vulnerability where an application attempts to load a legitimate DLL, but a malicious one is loaded instead. This often happens because applications search for DLLs in a specific order (e.g., current directory first, then system directories). If a malicious DLL with the expected name is placed in an earlier search path, the application loads it, allowing an attacker to execute arbitrary code within the application's context. Tools of the Trade Our investigation relied on a suite of powerful tools: G...