Stephan Berger (@malmoeb)

2.6K posts

Head of Investigations @InfoGuardAG https://t.co/A5lnFAu7eX

Joined October 2012
1.4K Following, 28.9K Followers
Stephan Berger @malmoeb
Come join me for my fast-paced, two-day, hands-on training that takes a deep dive into anti-forensics techniques. The course is divided not only into operating systems but also into red/blue perspectives. On the one hand, we will learn how adversaries are trying to cover their tracks, which might also be of interest to red teamers. On the other hand, we will teach various methods to circumvent or work around these anti-forensics techniques.🤘 Due to various requests, I will also have a section on Linux Rootkits ready, depending on time and the class's interest. Or just be prepared for a late-night session on the second day 🙃 Looking forward to welcoming some of you in my classroom 🤓 PS: My DMs are open if anyone wants a sneak peek at the content and slides to help them decide whether to register for the training. More information and registration here: brucon.org/training-detai…
[attached image]
1
3
16
1.5K
Stephan Berger @malmoeb
A big shout-out to the @ToulouseHacking Review Committee. I submitted two talks, and one was accepted. Both talks were reviewed by three reviewers, and I received their comments along with the decision (Accepted/Rejected). This is so valuable! Even though one of the talks was accepted, I can read the concerns (too deep for the time, too little time for the introduction, etc.) and, above all, the feedback on the talk that was not accepted. The feedback helps me refine the abstract for another CFP round and improve the talk in general. This feedback will certainly also help less experienced speakers understand the review committee's decision. Hopefully, this will help mitigate some of the negative feelings that a rejection can trigger. So once again: very cool! Keep up the good work :)
0
0
4
824
Stephan Berger @malmoeb
What I learnt today: Mandatory User Profiles. Praetorian named their blog "Persistence Through Forgotten Windows Internals", and true, at least I never heard of Mandatory User Profiles before reading this article. In enterprise environments, administrators sometimes want to enforce a specific user profile that resets on each login. To accomplish this, Windows supports a file called NTUSER[.]MAN (the .MAN standing for "mandatory"), which takes precedence over the usual NTUSER.DAT registry hive stored in %USERPROFILE% when a user logs in. Setting up persistence on a copy of NTUSER.DAT using the Offline Registry Library might evade some EDRs. The whole blog post is worth a read, but the TL;DR for defenders is: Consider monitoring for NTUSER[.]MAN file creation in user profile directories, especially when it doesn't come from an enterprise profile management system. Source: praetorian.com/blog/corruptin…
0
22
89
7.2K
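The monitoring the post recommends, written out as an added example (my code, not Praetorian's or the post author's): it runs over a few constructed file-creation records in a flat key=value layout (not real Sysmon or EDR output), flags any NTUSER.MAN created directly under a profile directory, and suppresses only hits whose creating process is a hypothetical allow-listed profile-management executable.

```python
import re

# Constructed sample file-creation records. The field names mirror what a
# FileCreate-style telemetry event carries (creating process, created file,
# user), but the layout and every value are made up for this example.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\explorer.exe;TargetFilename=C:\\Users\\jdoe\\NTUSER.DAT;User=CORP\\jdoe",
    "Image=C:\\ProgramData\\ProfileMgmt\\profmgr.exe;TargetFilename=C:\\Users\\kiosk\\NTUSER.MAN;User=NT AUTHORITY\\SYSTEM",
    "Image=C:\\Users\\jdoe\\Downloads\\update.exe;TargetFilename=C:\\Users\\jdoe\\ntuser.man;User=CORP\\jdoe",
    "Image=C:\\Windows\\System32\\svchost.exe;TargetFilename=C:\\Users\\jdoe\\AppData\\Local\\Temp\\ntuser.man;User=CORP\\jdoe",
]

# Hypothetical allow-list: the enterprise profile-management tool that is
# expected to write mandatory profiles. Compared case-insensitively.
PROFILE_MGMT_ALLOWLIST = {r"c:\programdata\profilemgmt\profmgr.exe"}

# NTUSER.MAN sitting directly in a profile root (C:\Users\<name>\NTUSER.MAN).
# Windows filenames are case-insensitive, so the match is too.
NTUSER_MAN_IN_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\ntuser\.man$", re.IGNORECASE)


def parse_event(line):
    """Split 'k=v;k=v' into a dict; ';' does not occur in the paths used here."""
    return dict(field.split("=", 1) for field in line.split(";"))


def is_mandatory_profile_write(target):
    """True when the created file is an NTUSER.MAN in a profile directory."""
    return NTUSER_MAN_IN_PROFILE.match(target) is not None


def find_unexpected_ntuser_man(lines, allowlist=PROFILE_MGMT_ALLOWLIST):
    """Return (user, image, target) for every NTUSER.MAN creation whose
    creating process is not the allow-listed profile-management tool."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        target = ev.get("TargetFilename", "")
        if not is_mandatory_profile_write(target):
            continue
        if ev.get("Image", "").lower() in allowlist:
            continue  # expected: written by the profile-management system
        hits.append((ev.get("User", ""), ev.get("Image", ""), target))
    return hits


if __name__ == "__main__":
    for user, image, target in find_unexpected_ntuser_man(SAMPLE_EVENTS):
        print(f"ALERT mandatory profile written by {image} as {user}: {target}")
```

Only the file dropped by update.exe directly into C:\Users\jdoe is reported: the copy written by the allow-listed tool and the stray ntuser.man under a Temp folder (which Windows would not load as a profile) are left alone.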
Stephan Berger reposted
BruCON @brucon
Are you an Incident Responder and want to learn about Anti-Forensics (and Anti-Anti-Forensics😀)? Check out this hands-on course, giving you a real-world deep dive into attackers' tradecraft across Windows & Linux. Learn how adversaries hide, and how to detect, recover, and counter them using modern forensic techniques and artifacts. More information and registration ➡️brucon.org/training-detai…
[attached image]
0
6
16
1.5K
Stephan Berger reposted
BruCON @brucon
Still searching for the perfect Valentine’s gift? 😉 Show your love (for cybersecurity!) with our #BruCON0x12 Spring Training program — featuring Blue💙, Purple💜, and Red 💖Team courses. To celebrate the season, we’re extending our early-bird registration until Valentine’s Day! 💘 Don’t miss out — check out the full program and sign up ➡️ brucon.org/training
[attached image]
0
3
4
1.1K
Stephan Berger @malmoeb
📢 Hands-On Training: Anti-Forensics (and Anti-Anti-Forensics) Techniques for Incident Responders @ BruCON 2026

I’m excited to announce my upcoming hands-on training at BruCON 2026 in Mechelen. This in-depth technical course is designed for Incident Responders who want to understand and defeat modern anti-forensics techniques actively used by threat actors. The training progresses from foundational anti-forensic concepts to advanced techniques observed on Windows and Linux systems, with a strong focus on real-world detection and analysis.

Key Learning Objectives:
🔹 Identify and analyze classic and modern anti-forensic techniques
🔹 Correlate specific anti-forensic techniques with telltale forensic artifacts, understanding what remains and what's altered
🔹 Learn real-world analytical methods to detect, reconstruct, and recover evidence affected by anti-forensic methods

📍 Location: Mechelen, Belgium (BruCON 2026)
📅 Training Dates: April 22–23, 2026
Register here: brucon.org/training-detai…
[attached image]
0
7
57
4K
Stephan Berger reposted
BruCON @brucon
🚀 Ready to up your #cybersecurity game? Join the #BruCON0x12 Spring Training (Apr 22–24) — a powerful mix of 5 Red, Blue or Purple team courses taught by top experts. 💡 Early bird pricing until Feb 12 — grab your seat! 🔗 brucon.org/training
1
3
7
950
Stephan Berger reposted
Asger.jpg @hackerkartellet
I recently reviewed a PingCastle report from a customer and noticed the image below. The image indicates that "EVERYONE" has indirect control over most high-privilege groups. Do yourself a favour and run a PingCastle and/or BloodHound every now and then.
[attached image]
1
8
51
11.5K
Stephan Berger @malmoeb
@ido_gat It was important to me to teach the course live at least once or twice to get feedback and hear students' questions. So I think it would be realistic to record the course by the end of the year, and then put it online.
1
0
1
83
ido gat @ido_gat
@malmoeb Is it possible to take this course online somehow? It looks fire! 🔥🔥
1
0
0
89
Stephan Berger @malmoeb
"Reverse Evidence", Log clearing, Anti-Forensics. VoidLink – A Stealthy, Cloud-Native Linux Malware Framework discovered by Check Point this week - is equipped with techniques to delete or manipulate logs and traces, making it harder for Incident Response teams or security software to find forensic evidence. I will be teaching my new course, Anti-Forensics (and Anti-Anti-Forensics) Techniques for Incident Responders, in Belgium this April at the BruCON Training (Spring Training 22-23 April), presenting a wide range of anti-forensic techniques and how to analyze your way around them. Sign up to learn more about how to defeat modern threats 🤓 Here is the link to the training: brucon.org/training-detai…
[attached image]
2
19
96
7.8K
Stephan Berger @malmoeb
In the Metasploit Wrap-Up from last week, a new Python Site-Specific Hook Persistence module was released. [1] I wrote a detailed blog about this persistence, which I think is pretty cool. [2] If you have never heard of this technique, you might want to read up on it. [1] rapid7.com/blog/post/pt-m… [2] dfir.ch/posts/publish_…
0
4
13
1.5K
Stephan Berger reposted
BruCON @brucon
Great news to kick off your Monday! 🎉 The #BruCON0x12 Spring Training program (22–24 April) is now open for registration. Whether you’re into red, blue, or purple teaming, there’s a spot for you in one of our 5 hands-on courses. 🚀 Secure your seat and grab the early-bird pricing by registering before February 13th. 👉 All details and registration here: brucon.org/post/brucon-0x…
[attached image]
0
2
3
1.1K
Stephan Berger @malmoeb
To quote my teammate Evgen Blohm (@ChaplinSec): "Shadow IT at its best." He responded to an intrusion involving (successful) brute-force attempts from an unknown IP range. Yup, not just an unknown IP address or device, from an unknown IP range (Yikes). The customer later informed us: "We've now located the network. It was an SSL VPN network that was apparently still active on the FortiGate for several users. The VPN function has now been deactivated." Oh well... The observed hostname that conducted the brute-force was "packerp-qdo4b3v" - packerp-* was also mentioned on other blogs, see reference section below. Yet another use case for monitoring hostnames roaming around in the network 🤓 - and invest some time in the new year to get rid of your shadow IT. ☝ References: arcticwolf.com/resources/blog… thedfirreport.com/2024/12/02/the…
1
4
33
2.8K
Asger.jpg @hackerkartellet
@malmoeb So people, make yourself a New Year's promise and check your AV logs
2
0
4
644
Stephan Berger @malmoeb
My teammate @hackerkartellet worked on a case where the TA tried to dump LSASS with procdump on a server, resulting in Defender blocking the attempt:

1117 HackTool:Win32/DumpLsass.A Tool Remove No additional actions required
CmdLine:_C:\Users\svc_ldap_sso\Desktop\procdump64.exe -accepteula -ma lsass.exe C:\programdata\over.png

See the username? My first impulse is that this username (svc_ldap_sso) should never run anything on a server, and definitely not execute malicious commands (procdump, per se, is not malicious, but this combination is likely not legit). I consider such AV alerts critical because a) somebody is trying to dump LSASS, and b) service accounts should not have a dual purpose, especially not used for daily operations.

When we checked the security logs for that server:

Successful logon (type: Network) for account 'svc_ldap_sso' from 'kali' (10.10.10.180)

As I've preached so many times before, analyzing the hostnames roaming your network could be a great canary! It's simple alerts that could save your day, like the one that shows "kali" on your network (and no, this was not a pentest). I loved the latest blog post from Huntress, "Why Some Malware Attacks Aren't as 'Sophisticated' as You Think", which reflects what we see in our daily Incident Response work. [1] Yes, we respond to APTs, but many attackers (especially ransomware groups) are not what I would call "sophisticated".

[1] huntress.com/blog/trial-err…
1
23
142
23.8K
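The two hostname observations above (the packerp-* brute-force source in the shadow-IT post and the 'kali' network logon for svc_ldap_sso in this one) as one added detection example of my own, not the author's tooling: it runs over constructed 4624/4625-style logon records in a flat key=value layout (not real Windows event log output), flags workstation names that are on a watch list or fall outside a hypothetical naming convention, and separately flags service accounts that log on interactively or from a host they are not expected on.

```python
import re

# Constructed sample logon records. The event IDs and field names are the
# real Windows ones (4624 success, 4625 failure; logon type 2 console,
# 3 network, 10 RDP), but this flat layout and every value are made up.
SAMPLE_LOGONS = [
    "EventID=4624;TargetUserName=jdoe;WorkstationName=CORP-WS0412;IpAddress=10.10.20.15;LogonType=2",
    "EventID=4624;TargetUserName=svc_ldap_sso;WorkstationName=CORP-SRV0007;IpAddress=10.10.10.7;LogonType=3",
    "EventID=4624;TargetUserName=svc_ldap_sso;WorkstationName=kali;IpAddress=10.10.10.180;LogonType=3",
    "EventID=4625;TargetUserName=administrator;WorkstationName=packerp-qdo4b3v;IpAddress=203.0.113.41;LogonType=3",
    "EventID=4624;TargetUserName=administrator;WorkstationName=packerp-qdo4b3v;IpAddress=203.0.113.41;LogonType=3",
    "EventID=4624;TargetUserName=svc_backup;WorkstationName=CORP-WS0412;IpAddress=10.10.20.15;LogonType=10",
]

# Hypothetical corporate naming convention; anything else is "off-convention".
NAMING_CONVENTION = re.compile(r"^CORP-(WS|SRV)\d{4}$", re.IGNORECASE)
# Names worth an alert on sight (both appear in the posts above).
WATCHLIST = [re.compile(r"^kali$", re.IGNORECASE), re.compile(r"^packerp-", re.IGNORECASE)]
SERVICE_ACCOUNT_PREFIX = "svc_"
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}  # console, RDP, cached interactive
# Hosts service accounts may log on from (network logons) in this example;
# in practice this set comes from the asset inventory.
SERVICE_ACCOUNT_HOSTS = {"CORP-SRV0007"}


def parse_logon(line):
    return dict(field.split("=", 1) for field in line.split(";"))


def classify_hostname(name):
    """'watchlist', 'off-convention' or 'ok' for a WorkstationName value."""
    if any(p.search(name) for p in WATCHLIST):
        return "watchlist"
    if not NAMING_CONVENTION.match(name):
        return "off-convention"
    return "ok"


def find_alerts(lines):
    """Return (reason, user, host, ip) tuples for every record worth a look."""
    alerts = []
    for ev in map(parse_logon, lines):
        if ev.get("EventID") not in {"4624", "4625"}:
            continue
        user, host, ip = ev["TargetUserName"], ev.get("WorkstationName", ""), ev.get("IpAddress", "")
        verdict = classify_hostname(host)
        if verdict != "ok":
            alerts.append((verdict + "-hostname", user, host, ip))
        if user.lower().startswith(SERVICE_ACCOUNT_PREFIX) and ev.get("EventID") == "4624":
            if ev.get("LogonType") in INTERACTIVE_LOGON_TYPES:
                alerts.append(("service-account-interactive-logon", user, host, ip))
            elif host.upper() not in SERVICE_ACCOUNT_HOSTS:
                alerts.append(("service-account-from-unexpected-host", user, host, ip))
    return alerts


def hostnames_seen(lines):
    """Distinct WorkstationName values: the list of hostnames roaming the
    network, to be diffed against the asset inventory."""
    return sorted({parse_logon(line).get("WorkstationName", "") for line in lines})


if __name__ == "__main__":
    for reason, user, host, ip in find_alerts(SAMPLE_LOGONS):
        print(f"{reason}: {user} from {host} ({ip})")
    print("hostnames seen:", ", ".join(hostnames_seen(SAMPLE_LOGONS)))
```

The kali record fires twice (watch-listed hostname and a service account on an unexpected host), both packerp records fire on the hostname alone, and svc_backup fires for an RDP logon even though its source host is perfectly normal; the routine logons of jdoe and of svc_ldap_sso from its expected server produce nothing.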
Stephan Berger @malmoeb
This was an interesting alert, raised by an EDR:

****
Uncommon creation or access operation of sensitive shadow copy by a high-risk process
The process HoboCopy.exe created or accessed a sensitive Shadow Copy volume path. This causality and actor pair were seen on 0 hosts and 0 unique days in the last 30 days.
The sensitive shadow copy path: \Device\HarddiskVolumeShadowCopy93\Windows\System32\config\SAM
****

Hobocopy? "Hobocopy is a free, open-source backup tool for Windows. It can copy files that are locked, so you can do things like back up your Outlook .pst files without closing Outlook." [1]

Hobocopy is over 15 years old (😲), but it is still used by attackers today, maybe because vendors do not flag it as much as other backup tools (read: rclone, for example) used by ransomware groups. I think the "causality and actor pair were seen on 0 hosts and 0 unique days in the last 30 days" is pretty cool, and one should definitely pay attention to such alerts.

[1] candera.github.io/hobocopy/
1
20
111
9.3K
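The alert logic quoted above, reconstructed as an added example of my own (not the EDR vendor's or the post author's code): a path check for a sensitive hive read through a Volume Shadow Copy device path, combined with the "seen on N hosts and N unique days in the last 30 days" prevalence count, computed here over constructed file-access records rather than real telemetry. It extends the quoted alert slightly by also treating SYSTEM and SECURITY as sensitive, since those hives are read together with SAM.

```python
import re
from datetime import date, timedelta

# Sensitive registry hives read through a Volume Shadow Copy device path,
# e.g. \Device\HarddiskVolumeShadowCopy93\Windows\System32\config\SAM.
SHADOW_HIVE_PATH = re.compile(
    r"^\\Device\\HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)$",
    re.IGNORECASE,
)

# Constructed sample file-access records (not real EDR telemetry). Days are
# ISO strings so the example needs no clock.
SAMPLE_EVENTS = [
    {"host": "SRV02", "day": "2025-11-20", "process": "backupagent.exe",
     "path": r"\Device\HarddiskVolumeShadowCopy12\Windows\System32\config\SYSTEM"},
    {"host": "SRV03", "day": "2025-11-25", "process": "backupagent.exe",
     "path": r"\Device\HarddiskVolumeShadowCopy14\Windows\System32\config\SAM"},
    {"host": "WS01", "day": "2025-12-01", "process": "explorer.exe",
     "path": r"C:\Users\jdoe\Documents\notes.txt"},
    {"host": "WS01", "day": "2025-12-01", "process": "HoboCopy.exe",
     "path": r"\Device\HarddiskVolumeShadowCopy93\Windows\System32\config\SAM"},
]


def touches_sensitive_shadow_hive(path):
    return SHADOW_HIVE_PATH.match(path) is not None


def pair_prevalence(events, process, as_of, window_days=30):
    """How many distinct hosts and days saw `process` read a sensitive shadow
    hive in the `window_days` before `as_of` (ISO date string). Events on
    `as_of` itself are excluded, so a first sighting scores (0, 0)."""
    end = date.fromisoformat(as_of)
    start = end - timedelta(days=window_days)
    hosts, days = set(), set()
    for ev in events:
        if ev["process"].lower() != process.lower() or not touches_sensitive_shadow_hive(ev["path"]):
            continue
        day = date.fromisoformat(ev["day"])
        if start <= day < end:
            hosts.add(ev["host"])
            days.add(day)
    return len(hosts), len(days)


def find_alerts(events):
    """(host, process, path, hosts_seen, days_seen) for each sensitive shadow
    hive access; hosts_seen == 0 is the 'never seen before' case."""
    alerts = []
    for ev in events:
        if not touches_sensitive_shadow_hive(ev["path"]):
            continue
        hosts_seen, days_seen = pair_prevalence(events, ev["process"], ev["day"])
        alerts.append((ev["host"], ev["process"], ev["path"], hosts_seen, days_seen))
    return alerts


if __name__ == "__main__":
    for host, proc, path, h, d in find_alerts(SAMPLE_EVENTS):
        tag = "NEVER SEEN" if h == 0 else f"seen on {h} hosts / {d} days"
        print(f"{host}: {proc} -> {path} [{tag} in last 30 days]")
```

Note that the first-ever run of the legitimate backup agent scores (0, 0) just like HoboCopy does; the prevalence count is a triage signal, not a verdict, and in practice sits next to an allow-list of known backup tooling.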
Stephan Berger @malmoeb
I recently thought about the different pop-ups I receive every day on my Mac, AND how malware does the same to trick people into entering their password... and I wondered if I could tell a legitimate prompt from a malicious one. I found a good article, depicting exactly this topic: "One of the primary aims of most malware is to trick you into giving it your password. Armed with that, there’s little to stop it gathering up your secrets and sending them off to your attacker’s servers. One of your key defences against that is to know when a password request is genuine, and when it’s bogus." [1] If you are like me, don't worry no more. Read the article, and be maybe a bit safer out there :) [1] eclecticlight.co/2025/12/18/how…
[attached image]
1
9
48
6.9K
on error resume next @FlorianHeigl1
@malmoeb I know a place that for _10_ years hasn't followed up on 'hire someone for a few days to do your AD baseline security'. Dozens of reminders, meetings etc. No effect. Today I consider that C-level failure: if there's no oversight, no demand for reporting, it's negligent.
1
0
1
71
Stephan Berger @malmoeb
Companies frequently approach us to discuss their security posture, playbooks, architecture, etc., but I wonder how many of them also regularly check basic configuration settings? An example from a recent case: We were investigating yet another compromised network, where we were at first puzzled by the missing logon records inside the Security event logs. Log clearing, anti-forensics? It turned out to be something simpler. The company, for whatever reason, turned off logging for Logons, as a quick check with auditpol revealed (see image). However, "Logon and Logoff" auditing is enabled by default. [1] You might want to consider checking your audit policy settings before writing yet another playbook 🤓 [1] learn.microsoft.com/en-us/windows-…
[attached image]
6
17
103
11.4K
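A check like the one the post describes, as an added example of my own (not the author's): it parses the CSV layout that `auditpol /get /category:* /r` prints (the column names are what I understand that format to be; the rows are constructed sample output with placeholder GUIDs and a made-up machine name) and reports every subcategory whose current setting falls short of a baseline. The baseline is this example's own: Logon and Logoff from the post, plus Process Creation as a stand-in for whatever else an organisation requires.

```python
import csv
import io

# Constructed sample of `auditpol /get /category:* /r` output. The column
# layout follows that command's CSV format as I know it; machine name,
# GUIDs (placeholders) and settings are made up for the example.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},No Auditing,
SRV01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,
SRV01,System,Special Logon,{00000000-0000-0000-0000-000000000003},Success,
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000004},Success,
SRV01,System,Account Lockout,{00000000-0000-0000-0000-000000000005},Success and Failure,
"""

# Example baseline (this example's own, not Microsoft's defaults): the
# minimum outcomes each subcategory must audit.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "Logoff": {"Success"},
    "Process Creation": {"Success", "Failure"},
}


def parse_setting(text):
    """'Success and Failure' -> {'Success', 'Failure'}; 'No Auditing' -> set()."""
    text = text.strip()
    if text == "No Auditing" or not text:
        return set()
    return {part.strip() for part in text.split(" and ")}


def parse_auditpol(csv_text):
    """Map subcategory name -> set of audited outcomes."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Subcategory"].strip(): parse_setting(row["Inclusion Setting"]) for row in reader}


def audit_gaps(csv_text, baseline=BASELINE):
    """Return (subcategory, missing_outcomes) for every baseline entry the
    current policy does not satisfy; a subcategory absent from the output
    counts as entirely missing."""
    current = parse_auditpol(csv_text)
    gaps = []
    for subcat, required in baseline.items():
        missing = required - current.get(subcat, set())
        if missing:
            gaps.append((subcat, sorted(missing)))
    return gaps


if __name__ == "__main__":
    for subcat, missing in audit_gaps(SAMPLE_AUDITPOL_CSV):
        print(f"{subcat}: not auditing {', '.join(missing)}")
```

On the sample this reports Logon (nothing audited at all, the situation from the post) and Process Creation (failures not audited), while Logoff meets its baseline. Run against real `auditpol` output, the same function turns the one-off check into something a playbook can reference before anyone assumes log clearing.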
Stephan Berger @malmoeb
Neshta. The gift that keeps on giving. I wrote about Neshta two years ago, and now this week, we found traces of this malware strain on two domain controllers in a breached network. [1] As last time, the TA brought infected files into the compromised network, helping spread the infection. The file and registry paths have not changed in our case and are still the same as in my old X post. What's funny (not funny) is that I browsed the Malware Analysis section of VX Underground yesterday, and in 2006 (when this section started), there were only two papers about Malware families uploaded in that year. One of them was Neshta! [2] 19 years later - still alive and kicking 😂 Cheers to that! [1] x.com/malmoeb/status… [2] vx-underground.org/Malware%20Anal…
[attached image]
0
1
24
3.1K