Matt
#DFIR | #CyberChef | https://t.co/MMWCwM22Ub
Feb 4, 2021 13 tweets 6 min read
Let's walk through #malware de-obfuscation of a REvil PowerShell ransomware script in #CyberChef. The original can be found below if you want to play along at home! hybrid-analysis.com/sample/e1e19d6… Following my analysis, I realised there is an excellent write-up of the same PowerShell on SANS here which is worth a read: isc.sans.edu/forums/diary/P… Thanks to @xme for saving me the detonation to learn its ransomware! 👍
Feb 2, 2021 5 tweets 2 min read
Here it is! It was an absolute pleasure to develop this course, #CyberChef for Security Analysts, with @chrissanders88. I've tried to cover a range of use cases for work in our field but I probably only scratched the surface. (1/5) What I've aimed to do instead is to teach the skills so that you can look at the data you'll be using in your work and be confident you can whip up a recipe in CyberChef to suit your needs (2/5).
Mar 23, 2020 6 tweets 2 min read
A small PowerShell script leads to a longer #CyberChef recipe.

(1/6): Let's extract the obfuscated section with a regular expression: a regex lookahead/lookbehind. (2/6) We're going to convert the obfuscated text into Character Codes.
Jan 5, 2020 15 tweets 6 min read
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world... (1/x) For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…