The Garuda Threat Hunting Framework, released at DEF CON 2025, is a PowerShell-based framework designed to simplify manual threat hunting. It allows you to correlate, filter, and investigate Sysmon events efficiently. In this video, I demonstrate how to install Garuda, explore its key features, and perform a step-by-step hunt of a Living-off-the-Land (LoLbin) attack using […]
In this video, we explore how AI enhances threat hunting by integrating Large Language Models (LLMs) with the Garuda Threat Hunting Framework. Garuda is a manual, PowerShell-based threat hunting and investigation framework designed to transform raw Sysmon telemetry into structured, actionable intelligence for Windows environments. It allows you to correlate, filter, and analyze sysmon events […]
In my previous blog posts I posted details of cyber attacks targeting Indian Ministry of External Affairs and Indian Navy’s Warship and Submarine Manufacturer. This blog post describes another attack campaign where attackers impersonated identity of Indian think tank IDSA (Institute for Defence Studies and Analyses) and sent out spear-phishing emails to target officials of […]
In my previous blog posts I described attack campaigns targeting Indian government organizations, and Indian Embassies and Ministry of External affairs. In this blog post I describe a new attack campaign where cyber espionage group targeted the users of Mazagon Dock Shipbuilders Limited (also called as ship builder to the nation). Mazagon Dock Shipbuilders Limited […]
In my previous blog I posted details of a cyber attack targeting Indian government organizations. This blog post describes another attack campaign where attackers used the Uri terror attack and Kashmir protest themed spear phishing emails to target officials in the Indian Embassies and Indian Ministry of External Affairs (MEA). In order to infect the […]
This blog post describes an attack campaign where NIC (National Informatics Centre) Cyber Security themed spear phishing email was used to possibly target Indian government organizations. In order to infect the victims, the attackers distributed spear-phishing email, which purports to have been sent from NIC’s Incident response team, the attackers spoofed an email id that […]
In the previous post we looked at HollowFind Volatility plugin and saw how it can detect different process hollowing techniques and display those malicious processes which are victims of process hollowing . In this post lets look at another Volatility plugin called Psinfo. This plugin is similar to hollowfind plugin but instead of identifying the […]
In this blog post we will look at different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis. I also present a Volatility plugin hollowfind to detect these different types of process hollowing. Before looking at the different types of process hollowing, lets try to understand […]
In late December a cyber attack caused power outage for few hours in the Ivano-Frankivsk region in Ukraine as mentioned here. Threat researchers from ESET linked this attack to a malware called “BlackEnergy” which attacked electricity distribution companies in Ukraine. This blog post contains the memory analysis details of BlackEnergy big dropper (SHA-1:896FCACFF6310BBE5335677E99E4C3D370F73D96) mentioned in […]
A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform the target for malware attacks, so it becomes important to analyze the Linux malwares. Today, there is a need to analyze Linux malwares in an automated way to understand its capabilities. Limon is a sandbox […]