In getAppLabel of https://t.co/GZmavlOdSL, there is a possible trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In l2c_fcr_clone_buf of l2c_fcr.cc, there is a possible way to trigger controlled heap corruption within the privileged Bluetooth process due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
DeepBlueCLI is a PowerShell module that turns Windows event logs into actionable threat intelligence.
Developed by SANS instructor Eric Conrad for the SEC555 course, this single-script tool analyzes Security, System, and PowerShell logs to surface indicators of compromise that are easy to miss in raw EVTX data. It detects password spraying campaigns, suspicious user account creation, RDP brute force attempts, malicious service installations, and obfuscated PowerShell execution.
What makes DeepBlueCLI powerful is its simplicity: no dependencies, no installation — just run it against live logs via Get-WinEvent or drop in archived EVTX files from compromised systems. Perfect for rapid triage during an active incident or retrospective hunting across collected artifacts.
In a recent engagement, we used DeepBlueCLI to identify a credential stuffing attack buried in 200K Security events. The tool flagged 47 failed logon attempts from a single source IP within 90 seconds — a pattern invisible in Event Viewer but immediately obvious in DeepBlueCLI's output.
Repo: hXXps://github[.]com/sans-blue-team/DeepBlueCLI
#DFIRTools #IncidentResponse
🚨 HIGH: CVE-2026-0094 (CVSS 7.8)
Android KeyChainActivity flaw allows local privilege escalation via UI spoofing. Attackers can trick users into approving cert access. No user interaction needed.
#CVE #Vulnerability #PatchNow #ThreatIntel
Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects wpForo Forum: from n/a through 3.0.6.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in https://t.co/twUt15OeIE e2pdf allows Reflected XSS.
This issue affects e2pdf: from n/a through 1.32.14.
A vulnerability was found in SourceCodester Computer Repair Shop Management System up to 1.0. Affected is an unknown function of the file /admin/products/manage_product.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
Linux login accounting artifacts — utmp, wtmp, and btmp — are essential for reconstructing user access timelines during incident response.
utmp (/var/run/utmp) tracks currently logged-in users in real time. It's volatile and resets on reboot, so it's only useful for live triage.
wtmp (/var/log/wtmp) is the historical record of all successful logins and logouts. Parse it with the 'last' command or utmpdump for timestamped session data. This is critical for establishing user activity baselines and identifying unauthorized access patterns.
btmp (/var/log/btmp) logs failed login attempts — your first stop when investigating brute-force attacks or credential stuffing (MITRE T1078). Use 'lastb' to review failed authentication events.
All three are binary files and can be tampered with by attackers with root access. Always cross-reference findings with /var/log/auth.log or /var/log/secure for corroboration. Tools like Plaso can parse these artifacts into unified timelines for deeper analysis.
Practical IR use case: Correlate a suspicious wtmp entry showing an off-hours login with auth.log entries and network connection logs to confirm lateral movement or persistence.
#DFIR #IncidentResponse
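The three files described above share one fixed-size binary record layout, so a single parser covers live triage (utmp), timeline reconstruction (wtmp) and failed-login review (btmp) at once. The following is an added example, not code from the post or from any of the tools it names: it assumes the glibc x86_64 struct utmp layout (384-byte records, tv_sec as a 32-bit field) and runs over constructed sample records, flagging an off-hours login in a wtmp-style buffer and a burst of failures from one source host in a btmp-style buffer, the same checks the post does with last, lastb and auth.log correlation.

```python
import struct
from collections import defaultdict

# struct utmp as laid out by glibc on Linux x86_64: 384 bytes per record.
# "<" turns off implicit alignment, so every pad byte is spelled out.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7                       # ut_type of a login record

def pack_record(ut_type, pid, line, user, host, ts):
    """Build one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def cstr(b):
    return b.split(b"\0", 1)[0].decode(errors="replace")  # NUL-padded field

def parse_utmp(data):
    """Decode every complete record of a utmp/wtmp/btmp byte string."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"type": f[0], "line": cstr(f[2]), "user": cstr(f[4]),
                     "host": cstr(f[5]), "ts": f[9]})  # f[9] = ut_tv.tv_sec
    return recs

def off_hours_logins(records, start=8, end=18):
    """wtmp: login records whose UTC hour is outside the start..end window."""
    return [r for r in records if r["type"] == USER_PROCESS
            and not start <= (r["ts"] // 3600) % 24 < end]

def failed_login_bursts(records, window=90, threshold=5):
    """btmp: hosts with >= threshold records inside any window-second span."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r["ts"])
    hits = {}
    for host, times in by_host.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                hits[host] = max(hits.get(host, 0), n)
    return hits

# Constructed sample data (not real logs): a noon login, a 03:00 UTC login,
# and six failed SSH attempts from one host within 40 seconds.
SAMPLE_WTMP = (pack_record(USER_PROCESS, 101, "pts/0", "alice", "10.0.0.5", 1700049600)
               + pack_record(USER_PROCESS, 102, "pts/1", "svc", "203.0.113.9", 1700017200))
SAMPLE_BTMP = b"".join(pack_record(USER_PROCESS, 200 + i, "ssh:notty", "root",
                                   "203.0.113.9", 1700020000 + 8 * i) for i in range(6))
```

On a real system, read /var/log/wtmp or /var/log/btmp into a bytes object and pass it to parse_utmp; a trailing partial record (a file copied mid-write) is ignored rather than misparsed.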
🚨 HIGH SEVERITY: CVE-2026-42683 (CVSS 7.1)
DOM-Based XSS in VikBooking Hotel Booking Engine & PMS ≤1.8.8. Network exploitable, no privileges required.
Patch immediately.
#CVE #Vulnerability #PatchNow #ThreatIntel