In continuation of my prior work on web shells (Medium/Blog), I wanted to take my work a step further and introduce a new tool that goes beyond my legacy webshell-scan tool. The “webshell-scan” tool was written in GoLang and provided threat hunters and analysts alike with the ability to quickly scan a target system for web shells in a cross-platform fashion. That said, I found it was lacking in many other areas. Allow me to elaborate below…

Requirements of web shell analysis

In order to perform proper web shell analysis, we need to define some of the key requirements that a web shell analyzer…


In my last post here: (Medium, Stillztech:Finance), I briefly covered two types of income streams to help boost your monthly income. These two types of streams were dividend investing and P2P Lending. In this post, we cover how to develop a second income stream using dividend based stocks. While this strategy is not new, it’s a great topic to explore and I thought it might be useful to share what works for me.

So, why dividend based stocks? I’ve listed a few key points below:

  • Dividends: Price per share payout for each share you own (or fraction of a share)

Forming a budget is the first step when building a solid financial foundation. The goals of a personal budget are as follows:

  • Quickly show your “before expenses” and “after expenses” estimated balance
  • Track paid vs pending expenses
  • Track upcoming expenses (forecasting)
  • Track the amount of money going to each expense
  • Identify and develop trends to optimize your budget

Keeping the budget simple and building upon it is a great way to get started. As you’ll see in the image below, one way we can keep the budget simple is by tracking only the “core” expenses. …


Over the years, I’ve been asked what books and/or websites I’d recommend to those getting into the field of cyber security, focusing on malware analysis and incident response. While it’s hard to beat “on the job experience”, other materials such as hands-on labs, capture the flag events, books and other free online resources are a great start. Of course, reading a book is only good if you enjoy the topic ;).

I’ve broken down the topics below based on category. I highly recommend working through the labs and rereading any chapters that need additional clarification.

Incident Response:

  • Incident Response &…

As mentioned in my prior post (https://medium.com/@tstillz17/introduction-to-malware-analysis-b98d895fb50), malware analysis can be grouped into four categories:

  • Basic Static
  • Basic Dynamic — PE File (what this post will cover)
  • Advanced Static
  • Advanced Dynamic

As stated in my prior post, we perform basic static analysis first to understand the executable’s “potential” capabilities and structure. Some questions we aim to answer during basic static analysis:

What libraries does the PE file import, including functions / ordinals?

  • Why? This may indicate the file has the “capability” to log to a text file and read credit card track data from memory, indicating you’re dealing with some…

In this post, we will learn how using a Graph Database like Neo4j can help visualize malware relationships and extend these relationships to identify patterns between samples. Before we dig into Neo4j, let’s start with some fundamental graph terminologies:

Nodes represent entities such as a human, car, laptop or phone.

Properties are attributes nodes can contain. A steering wheel or tires would be a property of the “car” node.

Labels are a way to group together nodes of a similar type. For example, a label of “FastFood” may include nodes such as “Taco Bell, McDonald’s, and Chipotle”.

Edges (or vertices)…


Analyzing log files is generally a tedious task, especially when you are hunting for anomalies without an initial lead or indication of evil. Trying to remove all the legitimate entries while leaving the malicious ones requires not only knowledge of common attacker techniques but a flexible tool. In this post, we’re going to cover analysis of Apache Tomcat access logs and Catalina logs using a text editor called “Sublime Text 3” (https://www.sublimetext.com/).

The Scenario

To make things semi-realistic, I’ve deployed Apache Tomcat on top of Windows Server 2012 with ports 80, 443 and 8080 exposed. For now, we’re not going to deploy any…


In my previous post (https://medium.com/@tstillz17/leveraging-aws-for-incident-response-part-1-2963bb31bc05) we covered how AWS resources such as S3 can be used to quickly spin up storage, lock down access to this storage and provision users in the AWS console. In this post, we’re going to cover how we can automate this process. Before we begin, let’s review some common issues with the previous manual process of using the AWS console to provision and manage AWS resources:

  • Time to provision: If you’re new to AWS, using the AWS console to provision the S3 bucket, bucket policy and IAM user account with programmatic access may take ~30 minutes, while…

When an incident occurs, time is everything. One significant challenge I’ve experienced performing incident response is working with the large amounts of data needed by responders; storage mechanisms need to be accessible, fast, secure, and allow integrations with post-processing tools. There are many options for storage media, but by storing data in the Amazon AWS ecosystem your team can leverage many of the AWS services to store, process, and collaborate on incident response activities, enabling your team to scale response efforts. I’ve outlined some of the main reasons I use AWS below:

  • Adopted by many organizations
  • Ease of use
  • Granular…

Github: https://github.com/tstillz/cbr-stack

In this blog post, we will cover how we perform stacking using Carbon Black Response and how we can use this methodology to find anomalies in your environment. In reality, an awesome threat hunter would like to have the following data at their disposal:

For this blog post, we will focus on Real Time (RT) process executions within Carbon Black Response. The concept of stacking is simple: we start by collecting data of the same type and choose the specific fields on which we want to perform frequency analysis. Basically, we’re cherry-picking specific processes we know attackers…

Tstillz

Posting on various topics including incident response, malware analysis, development and finance/investing automation.
