The password is: infected
This repository was created to store the artifacts of any intrusions I share publicly. The main goal is to provide resources for newcomers in the field to help them develop their investigative skills with data from real intrusions. Each set of data is supported by a blog post that provides additional context.
The blog post details the steps the threat actors took during the intrusion. Using this repository, individuals should be able to retrace these steps using the available telemetry for each case. During this process, they can gain knowledge about the different sets of tools and querying techniques.
While providing these artifacts for exploration, I offer no guarantees regarding their safety. I encourage you to conduct any investigation in a secure, isolated environment. Please understand that all interactions with these artifacts are at your own risk, and I accept no liability for any potential damages or consequences that may occur. All artifacts are sanitized but if you come across any that are not, please let me know.
| Case | Artifacts | Blog |
|---|---|---|
| Opinion Survey | 1. SRUM (parsed NetworkUsage) 2. Endpoint 3. PCAP 4. Scheduled Task 5. Malware used | Public Opinion Survey Results: You're Pwned |
| Ursnif VS Italy: Il PDF del Destino | 1. PowerShell 2. Endpoint 3. PCAP 4. Malware used | Ursnif VS Italy: Il PDF del Destino |