Posts on Suspicious Bytes

Who's Actually in Your Meeting? Why You Need to Take Teams, Webex, and Zoom Security Seriously

Sat, 27 Jun 2026 00:00:00 +0000

We’ve all gotten used to video conferencing. A few clicks and you’re on a call with colleagues, clients, or senior management. Precisely because it’s become so commonplace, we often forget something important: a meeting link is a digital door. And a door that isn’t properly locked can be opened by anyone who finds the key. In this post, I’ll explore why it’s so important to properly configure your meeting environments in Microsoft Teams, Cisco Webex, and Zoom, using a well-known blunder and a Teams setting that poses more risk than many people realize.

Writing Your First Sigma Rule

Mon, 08 Jun 2026 00:00:00 +0000

Sigma is to log detections what YARA is to files: a generic, vendor-neutral way to describe what you want to detect, which you then convert into the query language your SIEM actually speaks.

Why a portable format?

Detections written directly in one query language are stuck there forever. Sigma lets you write once and compile to many backends:

One rule, many targets (Splunk, Elastic, Sentinel, …)
Reviewable in pull requests like any other code
Shareable with the community without leaking your stack

A detection you cannot test, version, and review is a liability, not an asset.

Detecting Lateral Movement

Sat, 30 May 2026 00:00:00 +0000

Once an attacker has a foothold, the interesting part begins: moving from the first host toward whatever they actually came for. That east-west movement leaves traces if you know which events to join.

Signals worth joining

Lateral movement rarely shows up as a single smoking-gun event. It emerges from correlation:

Network logon events (4624 type 3) from unusual sources
Service or scheduled-task creation on the destination
Remote process creation shortly after

Correlate across hosts, not just within one. A single 4624 is noise; a chain of them following an account around the estate is a story.

Anatomy of a Phishing Incident

Thu, 21 May 2026 00:00:00 +0000

Most intrusions still start with someone clicking a link. This is a sanitised walk-through of a credential-phishing case and the timeline that mattered.

The timeline

Incident response lives and dies by an accurate timeline. Reconstruct it before you theorise:

08:42 — user reports a “mailbox full” email
08:55 — same template seen by twelve other recipients
09:10 — one set of credentials submitted to the fake portal
09:13 — successful logon from a foreign ASN

The goal of triage is not to find everything. It is to answer one question fast: did anything actually succeed?

Triaging Suspicious PowerShell

Tue, 12 May 2026 00:00:00 +0000

An encoded PowerShell command in your process logs is not automatically malicious, but it always deserves a closer look. Here is how to triage one calmly.

What raises the flag

Certain flag combinations are unusual for a legitimate script and common for tradecraft:

-EncodedCommand (base64 payloads)
-WindowStyle Hidden and -NonInteractive
-ExecutionPolicy Bypass

Decoding a payload is reading, not running. Decode in an isolated environment and never paste an unknown command back into a live shell.

OSINT for Beginners

Sun, 03 May 2026 00:00:00 +0000

Open-source intelligence is the practice of collecting information from publicly available sources — and a surprising amount of an organisation’s footprint is sitting in plain sight.

Where to start

Begin with the passive sources that never touch the target directly:

Public DNS and WHOIS records
Certificate transparency logs
Cached pages and archives

The goal of OSINT is not to break in. It is to understand a footprint using only what someone has already published.

Building a Threat Actor Profile

Fri, 24 Apr 2026 00:00:00 +0000

Cyber threat intelligence is only useful when it changes a decision. A good actor profile turns scattered observations into something a defender can act on this week, not just read.

Structure beats prose

A profile that reads like a story is hard to operationalise. Capture it as structured fields instead:

Aliases and overlapping clusters
Targeted sectors and regions
Observed techniques (mapped to ATT&CK)
Known infrastructure patterns

Intelligence without a confidence level is just a rumour with good formatting. State what you know, how well you know it, and how you’d be proven wrong.

Getting started with Threat Hunting with a minimal approach

Sat, 27 Sep 2025 00:00:00 +0000

Start Hunting Today!

Threat hunting doesn’t require enterprise tools. You can simply start with what you already have.

Minimum Requirements

Start with things you probably already have. Work from there, and then think about improving and growing.

Centralized logging (Sysmon, firewall, proxy logs)
Query capability (ELK, Splunk, or even grep)
Baseline knowledge of your network
2-4 hours per week of dedicated hunting time

Baselining is the hardest part for beginners, so start small. Pick one thing you can describe as “normal” (which hosts talk to the internet, which accounts run as admin, what runs at startup) and write it down. That single baseline becomes the yardstick for your first hunts.