Incident Response on ESXi

Posted on in security
   Leave a reply

Virtualisation platforms and hypervisors have increasingly become prime targets for attackers. When an ESXi system is compromised, rapid triage and investigation are vital to understand the extent of the incident. The qelp-ir-triage-esxi.py script, used in conjunction with QELP—provides a straightforward way to turn ESXi logs into timelines and summaries.

QELP, the Quick ESXi Log Parser, is a Python utility that processes ESXi log archives and outputs a timeline in CSV format. Before using QELP, ensureRead more.

RansomLook Ticker

Posted on in internet, security
   Leave a reply

RansomLook Ticker is a lightweight Python utility that monitors the latest posts from RansomLook (a ransomware gang tracker) and forwards enriched notifications to Mattermost. It leverages:

The RansomLook API for recent incident data Google Custom Search to gather contextual snippets OpenAI’s ChatGPT to extract structured intelligence (country, sector, etc.) Mattermost webhook for real-time alerts

This project is ideal if you want:

Push notifications without hosting a RansomLook instance A minimal Retrieval-Augmented Generation (RAG) pipeline ARead more.

Extract hostnames and domains from DDoSia MISP object

Posted on in internet, security
   1 Reply

DDoSia is a distributed denial-of-service (DDoS) attack tool reportedly employed by pro-Russian hacktivist groups. The tool coordinates large networks of compromised devices to flood targeted websites or services with excessive traffic, overwhelming their capacity and rendering them inaccessible to legitimate users. It has been used to disrupt government, financial, and media platforms, aiming to create instability and hinder critical infrastructure.

The DDoSia configuration, basically the instructions for the attack tool, have been shared via theRead more.

ENISA Threat Landscape 2024

Posted on in security
   Leave a reply

I contributed to the ENISA Threat Landscape 2024.

The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.

Throughout the latter part of 2023 and the initial half of 2024, there was a notable escalation in cybersecurity attacks, setting new benchmarksRead more.

Using Threatview.io as example to add MISP feeds

Posted on in open source, security
   Leave a reply

This article demonstrates how to quickly add new MISP feeds, either to your own MISP server or as a contributor to the MISP project. I use the feeds from Threatview.io as an example. Threatview.io provides daily feeds on IPs, domains, URLs, and file hashes, as well as a C2 hunt feed.

MISP feeds are remote or local resources containing indicators that can be either imported into MISP or used for correlations without importing them intoRead more.

Presentation of MISP playbooks at the Jupyterthon

Posted on in open source, security
   Leave a reply

I did a presentation on the MISP playbooks at Jupyterthon. Have a look at the recording at https://www.youtube.com/watch?v=2lqbH1m9yKo&t=7193s

Don’t hesitate to provide your feedback on the playbooks, or suggest extra additions with the GitHub issue tracker.

MISP playbook: Malware triage

Posted on in internet, open source, security
   Leave a reply

I shared the MISP playbook for malware triage that I regularly use for a first assessment on new samples. It uses MISP, VirusTotal, MalwareBazaar, Hashlookupand pefile. It then uploads the samples to MWDB and alerts to Mattermost.

The MISP playbook on malware triage is one of many playbooks that address common use-cases encountered by SOCs, CSIRTs or CTI teams to detect, react and analyse specific intelligence received by MISP.

ENISA Threat Landscape 2023

Posted on in security
   Leave a reply

I contributed to the ENISA Threat Landscape 2023.

The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.

In the latter part of 2022 and the first half of 2023, the cybersecurity landscape witnessed a significant increase in both the varietyRead more.

MISP to Microsoft Sentinel integration with Upload Indicators API

Posted on in open source, security
   Leave a reply

The MISP2Sentinel integration allows you to sync indicators from MISP to Microsoft Sentinel. The old integration relied on the Microsoft Graph API. Microsoft prefers new integrations to rely on the Upload Indicators API. The new MISP to Microsoft (previously Azure) Sentinel or misp2sentinel does just that, it

Supports integration with the old Graph API, but also It supports the new, and preferred, Upload Indicators API.

Read the installation and configuration documentation at https://github.com/cudeso/misp2sentinel forRead more.

Include threat information from MISP in Zeek network visibility

Posted on in internet, linux, open source, security
   Leave a reply

Zeek (formerly Bro) is a free and open-source software network analysis framework. It gives insights on DNS queries, HTTP and TLS information and details on transmitted files. I find Zeek one of the best network monitoring tools available to provide detailed visibility on network traffic.

Zeek has a built-in intelligence framework. This framework allows you to add information received via MISP directly into the network visibility capabilities of Zeek. This includes

Visits to URLs orRead more.