Useful sites and tools for an Investigation


Let's say we are investigating a company as part of an assessment. During this recon process we can use anything available on the internet (Surface Web, Deep Web or Dark Web). This includes free tools and sites; whether you also use paid services is up to you. Just remember, we are the good guys, so don't cross the line.

But don't worry, we are smart enough and we know how to perform an intelligence analysis, ok?

When I investigate a company with no previous information provided by them, I usually begin with the domain and web services. You will probably know the organization's name, domain and/or at least one email account. If not, you can start with Google/DuckDuckGo 🙂

With this simple piece of information we can start scanning the domain, looking for anything useful like registered IP addresses, open ports, outdated protocols or vulnerable technologies:


We could also use tools like Nmap or Rustscan to validate the same information, but FYI: this kind of tool might raise alerts on IDS, firewalls and other perimeter security tools. Anyway, you can install them easily on Windows, Linux, etc.:


If we go one step further, we can use vulnerability scanners like Nessus from Tenable, or you can choose an open-source tool like Nikto, which is a web server scanner. Even if they're oriented to pentesting or vulnerability assessments, they can also be used during the recon phase to obtain information on the target's vulnerabilities. As a special mention, you can add to your browser (Firefox) this amazing extension called Wappalyzer, which can detect most of the technologies used on a website. Going back to the recon idea, what better tool to mention than Recon-ng:


And let's not forget those sites that could shed some light on old incidents or threats linked to an organization: VirusTotal and JoeSandbox:


Let's say we want to start digging into available email accounts for domain users, along with the names they belong to, and maybe even some aliases on different sites. Here I introduce TheHarvester and Sherlock, two open-source tools that search and gather information across all kinds of social networks and search engines:


When we analyze the email accounts we were able to gather, we find quite a good list of sites that provide very useful information. The Simple Email Reputation website can analyze the records for the account's domain, its blacklist state, and possible password breaches. Talking about leaks, here we can use another very simple and useful site called ';--have i been pwned?, which basically tells you in which known leaks the account has shown up. Along the same line, you can use a paid resource like DeHashed, which will tell you not only whether and when it was leaked, but also the extracted passwords and hashes. Another site where we can sometimes find information is the best-known paste site: Pastebin.


Let's put something stronger on your plate: Maltego is an intelligence tool used to conduct open-source investigations and centralize the information gathered through different sources (both free and paid versions are available). This tool is a little more complex than the ones we already mentioned, but the learning process is worthwhile. You need to create a free account on the Maltego website and, once you have downloaded it, you must log in to use it. You need to configure the "Transforms" that integrate different platforms. Some of them are paid and others are free, but in any case you will need to create an account to connect with your private API key (e.g. SHODAN, AlienVault, VirusTotal, etc.):


Let's continue along the same line of thought. The next tool is a blessing for those of us who like to analyze metadata. FOCA Pentest is a metadata gathering tool that lets you search for around 20 different types of file extensions (you can customize this). Once you have found them, you will be able to download them into a directory, extract the metadata and even analyze them for possible infection.


Now, let's imagine that among the information you collected, you came across some PCI/USB device information. Here's a great site that will let you 'hunt' any possible intel about the device: DeviceHunt. And if you find a different type of information, like possible SSIDs, Wi-Fi names and/or any network information, you should definitely check WiGLE:


A quick tip and trick, very useful when we need to find something, someplace or someone through a photograph, is to do a reverse image search with search engines. We can use Google Images, Yandex or another great website, TinEye:


The last ones for today, since we could continue for a while. If we collected personal information and among it we found Twitter accounts, we can use a geolocation website called BirdHunt to try to find the location of the account's owner. Continuing with Twitter, we can monitor its activity and perform tag/hashtag searches using another great website: TweetDeck. As a last mention, another geolocation tool, but this time for YouTube accounts, is the website YouTube Geofind:


That's it for today. I will probably do a second part, especially because I left out all the DarkWeb stuff. The reason is that we need to take extra precautions around it, so you should not just go visiting DarkWeb sites on your own. Next time!

Threat Intel

The Sand Clock model of cybersecurity

Sun Tzu by Fabricio Miranda

Today I want to share with you a cybersecurity model that I developed while I was conducting some trainings for different clients. I made it as a way to explain different concepts on offense and defense.

It's a direct relation between our infrastructure self-awareness and what we know about the adversaries out there. It's about preparation and strategy. It's about the cyber war we fight every day.

The paper is 14 pages long, so I posted the download button at the bottom (it's a PDF file).

MD5:    60AA1B9A30A603642464FC15A580D701
SHA256: 2C55C8BAF39AD9824E8A47DE267DA2B082BCB2DACF0F1FE01B599580CF4E7088
Threat Intel

The APT that hunts other APTs: "APT49", "BlueHornet", "AgainstTheWest"

This amazing picture is from the genius Valentin Tkach

Around October of last year, a new group that self-proclaimed as BlueHornet aka AgainstTheWest showed up on forums like the now-defunct RAID Forums (this was a well-known site for sharing information about security breaches and leaks, but also for selling drugs, personal data, etc. The owner of the site was arrested in the United Kingdom on January 21st).

More recently, at the successor of the RAID Forums, a website called Breached.co, this actor showed up again with the following account:

He got banned from the site by the admins on March 18, but he created a new account the same day, which is the one we can see in the previous picture.

What's peculiar about this group? What makes them so different from the rest?

Their motivation is quite interesting, if I may say so. They act as hacktivists, pursuing mainly other threat actors' information (but not exclusively). So far, their focus has been groups from China (including China's banks), Russia, Iran and North Korea. The evidence so far points to them being from North America, or at least from the NATO bloc. This doesn't mean they are a state-sponsored group, quite the contrary, since they posted polls on their Twitter account asking people to vote for potential targets, and they are self-proclaimed hacktivists and journalists, among other things.

Which communication platforms do they use?

So far, we have seen publications related to all their leaks on Twitter, Telegram and the previously mentioned site Breached.io. They also have a GitHub repository called AgaintsTheWest.

What information was leaked about the other APTs, and which ones?

The information published on Breached.io was related to some members of the threat actors known as APT3, APT28, APT38 and APT40.

We have to clarify that part of this information was already known to the Feds, but wasn't public.

APT3: Gothic Panda

Introduction from MITRE ATT&CK

APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

In 2017, MITRE developed an APT3 Adversary Emulation Plan.

Member Information:

APT28: Fancy Bear

Introduction from MITRE ATT&CK

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Member Information:

APT38: Lazarus Group

Introduction from MITRE ATT&CK

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Member Information:

APT40: Leviathan aka Kryptonite Panda

Introduction from MITRE ATT&CK

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.

Member Information:

Potential Allies

-Intrusion Truth
-Belarusian Cyber Partisans
-Anonymous Taiwan

Wrapping this up

Recently, the group stated on its Telegram account that it would stop its activities, pursuing a "normal life" for all its members. Nonetheless, their account remains active and is being used on the Breached forum.

I'm sure there's probably a more complete report out there. Still, I hope this information will be helpful for other cybersecurity researchers, threat intelligence analysts and SOC analysts in the wild.

If you find this information useful or you liked it, feel free to add a comment 😉

See ya’ space cowboy…


A SANS 2021 Report: Securing Cell Phones

Very interesting paper about our cell phones' security, how adversaries are evolving in this field and how little we spend on securing our devices. It tries to shed some light on a subject that is a real concern: how to secure our cell phones and why it's so important. It also predicts, quite accurately, that we are going to have to start focusing on securing mobile devices, since they are the future.

You can read this paper here.


The Who, What, Where, When, Why and How of Effective Threat Hunting

Excellent paper from Robert M. Lee and Rob Lee about what Threat Hunting is, when you should implement it, how to make it more effective, who should take on this role and where in your organization it should sit, among other things.

Highly recommended if you're interested in intelligence methodologies and in adding this practice to your company's maturity model.

You can find this paper at the SANS DFIR community here.


Intel Driven Defense – Recommended reading

Great paper about CND and the Cyber Kill Chain: a short explanation (around 14 pages) of the intelligence process from both sides of the equation, "The Adversary" and "The Defenders". It shows how to take advantage of every piece of information and correlate it with its place in the chain, developing better reactive and proactive plans.

You can find it here.


Forensics: Browser Forensics 101

(Yeah, not today…)

Hello there! (I know, Obi-Wan would it be proud!)

Today I bring you some basic procedures that might help you look for possible IOCs, evidence or resources to be analyzed in your intelligence cycle. All of this in the context of well-known internet browsers (Chrome, Firefox, Edge, etc.).

In my experience so far, trying to gather as much information as possible from a Browser, I use a free tool called Sqlite Browser (https://sqlitebrowser.org/dl/):

This very intuitive and easy-to-use software lets you browse the local databases that these browsers create to store your historical information, such as downloads, URLs, searches and logs, in a timeline.

You can do this by exploring the usual paths for these browsers:

C:\Users\USERNAME\AppData\Local\Microsoft\Edge\User Data\Default

C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default


Before touching anything at all, the golden rule in forensics is "Never use the original, always make a copy". So what we are going to do is hash the original file, make a copy of it and hash that copy too; this way we can be sure it is an exact match.

In Windows you can do that using PowerShell:

Once you have that copy with the exact match as a proof, you can start working on it.

–Open the Sqlite DB browser and click on “Open Database Read Only”:

If you ask why read only, it's because you want to extract information from the file without affecting its integrity. I know it's a copy, but still, it's a good habit! Make sure you select "All Files (*)".

Here you will see all the tables on the file:

I dare say almost every table can give you a lot of information. I will not go deep into every one of these, but as an example, you can check the downloads history, with the right time and place (URL in this case).

–Go to the second tab “Browse Data” and on ‘Table’ select Downloads:

(I had to make it in two pictures since it’s too long, with too many columns)

From these columns you can get dates, URLs, sizes, exactly how long the download took, the MIME types and much more.

Something important to say is that the times are displayed as Epoch/Unix timestamps, so you can use an online converter like https://www.epochconverter.com/ to read them in a human-readable format.
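The copy-and-verify step and the Downloads table walk-through above, as an added Python example (not the post's own PowerShell, and not part of the original post): it hashes the original, copies it, re-hashes the copy, opens the copy read-only and prints the downloads with readable times. One caveat I am adding: Chromium-based browsers store these timestamps as microseconds since 1601-01-01 UTC, so the example subtracts the offset to the Unix epoch before converting; the History file it reads is a constructed stand-in with a subset of Chrome's real downloads columns.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from hashlib import sha256
from pathlib import Path

WEBKIT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 (Chromium epoch) to 1970-01-01


def copy_and_verify(original, copy):
    """Hash the original, copy it, hash the copy; return the digest only if both match."""
    before = sha256(Path(original).read_bytes()).hexdigest()
    shutil.copy2(original, copy)  # copy2 preserves the file timestamps as well
    after = sha256(Path(copy).read_bytes()).hexdigest()
    if before != after:
        raise RuntimeError(f"copy does not match original: {after} != {before}")
    return before


def webkit_to_datetime(microseconds):
    """Chromium History times are microseconds since 1601-01-01 UTC, not Unix seconds."""
    return datetime.fromtimestamp(int(microseconds) / 1_000_000 - WEBKIT_EPOCH_OFFSET,
                                  tz=timezone.utc)


def list_downloads(db_path):
    """Open the copy read-only (?mode=ro) and return the downloads table with readable times."""
    conn = sqlite3.connect(f"{Path(db_path).resolve().as_uri()}?mode=ro", uri=True)
    rows = conn.execute("SELECT target_path, tab_url, start_time, end_time, received_bytes, "
                        "total_bytes, mime_type FROM downloads ORDER BY start_time").fetchall()
    conn.close()
    return [{"target_path": r[0], "url": r[1],
             "start_time": webkit_to_datetime(r[2]).isoformat(),
             "end_time": webkit_to_datetime(r[3]).isoformat(),
             "duration_s": (r[3] - r[2]) / 1_000_000,
             "bytes": f"{r[4]}/{r[5]}", "mime_type": r[6]} for r in rows]


def build_sample_history(path):
    """Constructed stand-in for a Chrome History file (subset of the real downloads columns)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,"
                 " start_time INTEGER, end_time INTEGER, received_bytes INTEGER,"
                 " total_bytes INTEGER, mime_type TEXT)")
    conn.execute("INSERT INTO downloads VALUES (1, 'C:\\Users\\USERNAME\\Downloads\\invoice.zip',"
                 " 'https://example.invalid/invoice.zip', 13300000000000000, 13300000012000000,"
                 " 48211, 48211, 'application/zip')")
    conn.commit()
    conn.close()


def demo():
    """Run the whole procedure in a temporary directory and return what was found."""
    work = Path(tempfile.mkdtemp())
    original, copy = work / "History", work / "History_copy"
    build_sample_history(original)
    return {"sha256": copy_and_verify(original, copy), "downloads": list_downloads(copy)}


if __name__ == "__main__":
    print(demo())
```

Point `list_downloads` at your verified copy of a real History file to get the same output for its downloads table.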

–Switch to other tables like "urls" and you will see different columns/information like:

–Another interesting table is "Keyword_Search_Terms"; as its name says, it holds all your searches on search engines:

–If we decide to explore/switch to a different file, other very useful ones are Bookmarks or Cookies. Some of the columns with information that you might find here:

Take your time to explore all the different files that you can find in these browsers' default paths, just remember to follow the first part: never play with an original file, you might corrupt the data.

Now, let's say you want to find out if someone used the built-in feature of the browser to clear/delete history, cache and/or downloads. Here's something you can use not just to confirm whether this has been done, but also to know which "period" or "range" of the history has been deleted:

->Close Chrome (As an example) and then open the following path:
C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

->Find a file called "Preferences", right click on it and "Open with" Notepad, Notepad++, Sublime, WordPad or any other text editor:

-> Open Find in your editor (usually CTRL+F, depending on your layout) and search for 'clear_data'

->If the browser history has been cleared, you should see something like:

Pay attention to the number after time_period and check the table below to know what time range was selected by whoever deleted the information.

-> You can compare here the user’s choice vs the values that you might find:
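Reading the same clear_data block programmatically, as an added Python example that is not part of the original post: it parses the Preferences JSON, lists the ticked data types and maps the time_period number using Chromium's TimePeriod values (0 last hour, 1 last 24 hours, 2 last 7 days, 3 last 4 weeks, 4 all time). The sample Preferences content is constructed; browser.last_clear_browsing_data_time is Chromium's own record of when the deletion ran, reported when present.

```python
import json
from datetime import datetime, timezone

# Values of browser.clear_data.time_period, from Chromium's browsing_data TimePeriod enum.
TIME_PERIODS = {0: "Last hour", 1: "Last 24 hours", 2: "Last 7 days",
                3: "Last 4 weeks", 4: "All time"}
WEBKIT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 (Chromium epoch) to 1970-01-01


def webkit_to_iso(microseconds):
    """Chromium writes this timestamp as a string of microseconds since 1601-01-01 UTC."""
    seconds = int(microseconds) / 1_000_000 - WEBKIT_EPOCH_OFFSET
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def inspect_clear_data(preferences_text):
    """Parse the Preferences JSON and report what the 'Clear browsing data' dialog stored."""
    browser = json.loads(preferences_text).get("browser", {})
    clear = browser.get("clear_data")
    if clear is None:  # no clear_data block: nothing to report for this profile
        return {"clear_data_present": False}
    report = {"clear_data_present": True,
              # checkboxes that were ticked (browsing_history, cache, download_history, ...)
              "data_types": sorted(k for k, v in clear.items() if v is True)}
    for key, value in clear.items():  # time_period, plus time_period_basic in newer builds
        if key.startswith("time_period"):
            report[key] = TIME_PERIODS.get(value, f"unknown ({value})")
    if "last_clear_browsing_data_time" in browser:
        report["last_cleared_utc"] = webkit_to_iso(browser["last_clear_browsing_data_time"])
    return report


# Constructed sample mimicking the relevant part of a real Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "browser": {
        "clear_data": {"browsing_history": True, "cache": True, "cookies": False,
                       "download_history": True, "time_period": 2},
        "last_clear_browsing_data_time": "13300000000000000",
    },
    "profile": {"name": "Person 1"},
})

if __name__ == "__main__":
    print(json.dumps(inspect_clear_data(SAMPLE_PREFERENCES), indent=2))
```

Pass the text of a real Preferences file (read from your copy, not the original) to `inspect_clear_data` to get the same report.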

Hopefully this will be useful for you; these are just some tips that might help you with your investigation, hobby or CTF.

Regards my friends!



OSINT: TryHackMe Sakura Room


The room begins with a quick plot to get us into this investigation world.

->1 Let’s Go!


We open the image left by the attacker and, using our browser's Inspect Element, we can see a username in the image path, here:

That gives us our Answer: SakuraSnowAngelAiko


Here I decided to start googling the username to see what we can find:

The first two things we see here are a GitHub account and, in second place, a possible LinkedIn account related to this name.

Here I began checking the repository that contains the public key and tried to find a site that could recover anything from it. After some failed attempts, I found this site:

Answer: SakuraSnowAngel83@protonmail.com

Digging a little more, I found other interesting stuff on GitHub, but it didn't lead me to her name, so I decided to check the name from the LinkedIn account:

Tested, and it worked! Our Answer for the second question is: Aiko Abe


Remember that interesting thing I said before about GitHub? Well, this is it. If you go to:

Check the "History" and select the oldest entry; you should see the following:

Here's what seems to be a crypto wallet. I checked this with a couple of sites that gave me some info, but the most useful in the end was:


The first answer as soon as you check this address anywhere is: Ethereum

The second answer is the one we already found at GitHub: 0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef

Now on the Etherchain site, after you search for the wallet and see the transactions, you should see the answers to questions 3 and 4 almost at the same place:

Answer 3, for the mining pool of this transaction: Ethermine

And then Answer 4, the other cryptocurrency that the attacker exchanged: Tether


Here, not much of an effort:

Answer: SakuraLoverAiko

Now, this one kept me thinking for a while:

Googling the keywords DEEP, PASTE and Pasted a bit, I got a DarkWeb site called "Deep Paste" or "depasted". You will need to access it using the Tor Browser at:

http://depastedihrn3jtw.onion/show.php?md5=0a5c6e136a98a60b8a21643ce8c15a74 (Which is our Answer 2)

Here you need to search for the MD5 from the previous picture and you will get several Wi-Fi entries; the one we need is Home.

Using the Wi-Fi name obtained on the well-known site WiGLE, in Advanced Search (requires you to sign in), we get:

Our Answer 3 is listed right there: 84:af:ec:34:fc:f8


The last task…here we go!

Let's check the photos shared on Twitter:

Looking for the closest airport on Google gave me:

And it’s also our first Answer: DCA

Looking at the other tweets, we see this one:

Once again, googling this:

Actually here I tested both, and it was Haneda. Our Answer is the short version: HND

For the last two, I decided to jump to the last question first: using the BSSID obtained in the previous section, we can see on the same WiGLE site that the location is Hirosaki.

So, checking a map of Japan, going from Haneda to Hirosaki you can easily find the lake from the picture:

The Answer 3 is: Lake Inawashiro

And as we already found out a minute ago, the Answer 4 (and last one) is: Hirosaki

I hope you have enjoyed this room as much as I did. Thank you for reading my walkthrough!