“The Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a production environment. Second, the Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data. Third, it integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.” — Splunk Attack Range GitHub.

So the Attack Range in a nutshell is a way to spin up an environment…

Hopefully a write up that will help you weigh up your choice with the INE Cyber Security pass.

Purchasing Decisions

Cheap isn’t always bad

So I needed a platform or feed of training that was quite T shaped i.e. it covered a lot of areas, I recently started up https://vanguardcybersecurity.co.uk and could no longer afford the likes of SANS training despite how amazing the training is.

I was lucky enough to get the INE Cyber Security pass on an offer they ran, so roughly $1000. That might seem a lot but it gives you access to the whole eLearnSecurity curriculum and more!

Before Starting

If you want to automate the deployment of the tooling here…

Please see my Github for a .ps1 script to automate the install of the above, all you’ll need to do is retrieve your unique configuration for winlogbeat from Logzio.


  • Set your execution policy to unrestricted
  • Use a test VM
  • Run powershell as Admin before running the script

Benefits of SIGMA

Sigma is an open standard for writing rules that can be used in SIEM and log management solutions. Imagine Snort rules for NIDS, YARA for malware… Sigma for SIEM.

The first set of resources you need to get started are:

  • The…



When consulting our open sources for potentially vulnerable devices worldwide, we’re still seeing a high volume of public facing devices that are not patched.

Speaking with industry partners, we recognise that patching isn’t just as simple as applying a patch. We need visibility, a risk and the right tooling & people.

Netlogon is a high risk vulnerability that impacts Microsoft domain controllers… what does this mean for you? Your organisation, if unpatched, could be compromised already.

Vanguard Cyber Security offer a cutting edge, cloud based compromise assessment platform. …

Ransomware is now seasonal

Credit: https://dribbble.com/shots/6720826-Hacking-scene-Mr-Robot-Back

“And how your educational year starts?”

Recently, we’ve seen two high profile attacks on two UK based universities. Both attacks bearing hallmarks of ransomware, with one being claimed by DoppelPaymer.

I recently read an article about general crime being seasonal, the same appears to be apparent with the cyber space. We can see in the below screenshot, the DoppelPaymer gang highlighting the crucial time of the year for the university to be facing such issues.



  • Restore the host if anything suspicious occurs.
  • Keep up with patches on the virtualisation software, zero days are a thing.

Static analysis lab build

FlareVM — Windows Based lab by FireEye — Tutorial on how to install here

REMnux — Linux Based lab maintained by Lenny Zeltser

Dynamic analysis lab

Hardened version of Ubuntu required as Host OS. (Use Linux if the malware sample targets Windows to avoid any outbreak otherwise us Windows if it targets Linux!)

Dynamic analysis toolbelt:

  • Fakenet — Simulates network requests for malware
  • INetSim — Simulates services on your machine
  • Wireshark — Record your network activity
  • Process Hacker — Observes running processes
  • Process Dump —…


WindowsAPI Primer for Malware Analysis

The Windows API is a common method Windows based malware will interface with the operating system to accomodate its functionality. Functions are required to ‘do something’, such as decrypting strings, making connections to IP addresses or enumerating processes on the victim machine.

These functions exist within DLL’s (Dynamic Link Libraries), let’s take URLDownloadToFile() as an example, referring to MSDN (Microsoft Developer Network), we can see that URLDownloadToFile purpose is to “Downloads bits from the Internet and saves them to a file.”.

We can also see the arguments (parameters) it takes to perform correctly, along with…


Malware written in GoLang

GoLang based malware has been known to spike since the beginning of 2019 and poses a big threat to even experienced Malware Analysts. There are over 53 known malware families known using this language and it is very flexible. Read about it here: https://unit42.paloaltonetworks.com/the-gopher-in-the-room-analysis-of-golang-malware-in-the-wild/

Static Analysis in REMnux

Malwology wrote this article (He’s a SANS610 instructor). He covers some very good Python based tools for statically analysing PE’s, some of those that seem unconventional compared to your current arsenal of tools. …

To get you started, read https://digital-forensics.sans.org/media/malware-analysis-cheat-sheet.pdf


You’ll see multiple articles numbered “MA-X”, for example “MA-01 — Emerging Malware Analysis News/Intel”, I recommend you read them sequentially if you’re new. You can refer to the series as a handbook.

Malware analysis methodology

These are going to be questions that you want to answer when analysing malware, what you want to achieve essentially by performing malware analysis.

Does the file pose a threat to the org, specifically? I.e. does it check for specific infrastructure, services or files that only the org’s users would hold.

What ways to defend against this threat, can we carve out…

Source: https://dribbble.com/shots/11988083-Server-Icons


In a landscape where we see odd traffic all the time in networks, pulling PCAP’s and remembering your Wireshark expressions can sometimes be a bit of a nightmare… That never ending list in your notes of expressions.

I’ve experimented with Security Onions tools such as ELK, Bro, Squill, Snort, Squert etc. and now integrated these with some nice lightweight bash scripting and CLI aliases to make for a very quick analysis platform to get an early verdict on your traffic.

Twitter: @mikecybersec

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store