Threat Intelligence / OSINT / NETSEC / NATSEC

Visiting the National Museum of Cryptology at the NSA

Full photo gallery available here :) Even though my visit to the USA was purely a holiday, I couldn't miss the opportunity to visit the NSA. Unfortunately, it is not possible to visit the agency itself, but it is the only one of the organizations that make up the United States Intelligence Community that has its part open […]

Squeezing out IoC juice - methodical analysis of network infrastructure.

One of the most common problems faced by CTI analysts is using the collected data to discover further elements of hostile activity, i.e. so-called "pivoting". Simply put, pivoting consists of discovering other artifacts, such as IP addresses or malware samples, through the points of contact the two elements share. In the case of malware, this can […]

RonanVM update

Shortly after setting up counterintelligence.pl, I also started the RonanVM project, i.e. a virtual machine image adapted for conducting OSINT investigations. Unfortunately, I don't have that much time to develop the project at the pace of Kali Linux, but I recently had the opportunity to make some changes and improvements. Moving on to the specifics: I also encourage you to use, in my opinion, the project […]

Attackers in the bottleneck - lateral movements and threat hunting

Threat hunting is not an easy task. The multitude of ways in which attackers can carry out the next stages of an attack makes the detection scenarios seem endless. That is why it is so important to prioritize properly and focus on the stages of an intrusion during which attackers have less room to manoeuvre. And the perfect attack phase for this […]

Register(ing) activity related to documents

The last two posts concerned hiding traces of malicious activity in the environment and attempts to confuse analysts. This time we will focus on traces that allow us to determine what the user or the attacker was doing. Forensic analysis can have two main purposes. In the cases most often associated with threat intelligence, we will try to detect the activities of attackers leading […]

Anti-forensics techniques - registry timestomping

In the previous post, we dealt with one of the most popular anti-forensic techniques – timestomping. We changed the timestamps of files to confuse analysts and make the files appear unrelated to malicious activity. This time we will try to transfer timestomping to another source of evidence - the Windows registry. The registry is definitely one of the […]

Anti-forensic - introduction and timestomping

As I mentioned on the blog, threat intelligence is essentially threat counterintelligence - the process of stopping hostile infiltration of the environment. This time we will deal with a strictly technical issue: how attackers can try to hide traces of their activities (anti-forensics) and how to detect such activities. The starting point for our considerations [...]

Contract cyber - Iran and its way of conducting cyber operations

When we think of cyber operations conducted on behalf of or under the direction of a government, we usually think of intelligence agencies and military units. The NSA, GRU, MSS or PLA are examples of this type of professional government organization employing officers to implement state policy by cyber means. However, there is a state that is equally active in this space, [...]

The safest conference in Poland on December 3! Oh My H@ck 2022 - live in Warsaw

Counterintelligence.pl is pleased to invite you to a unique event, the Oh My H@ck conference, which will take place on December 3 in Warsaw! Cybercrime, reverse engineering, cyber threat intelligence and forensics are just some of the tracks in the program of the in-person Oh My H@ck conference, whose leading theme is cybersecurity. This is a great opportunity [...]

China's intelligence operations under the scrutiny of the Justice Department

The name of the blog obliges us, so this time we deal with the latest events in the field of catching intelligence officers and fighting the operations they conduct. The occasion was provided by the US Department of Justice, which published indictments against a total of thirteen people accused of espionage, as well as by Mandiant, which published a report describing the detected Chinese outflow operations. IN […]
