https://p0peye-blog.pages.dev/categories/write-ups/Recent content in Write-ups on Ahmad Massd — Security BlogHugo -- gohugo.ioenahmad.massad.ir@gmail.com (Ahmad Massad)ahmad.massad.ir@gmail.com (Ahmad Massad)© 2026 Ahmad MassadWed, 20 Aug 2025 00:00:00 +0000https://p0peye-blog.pages.dev/posts/aliens-ctf-dfir/Wed, 20 Aug 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/aliens-ctf-dfir/<h2 class="relative group">Challenge: 7 Oct <div id="challenge-7-oct" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#challenge-7-oct" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">Description <div id="description" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#description" aria-label="Anchor">#</a> </span> </h3> <blockquote><p>We stormed one of the enemy&rsquo;s concentration areas and after completing the operation, we took some devices to investigate and obtain intelligence. One device belongs to a leader. We believe information is being leaked through a spy. Search the device to find the spy and location details — the enemy was planning a prisoner recovery operation and location information had been leaked to them.</p>https://p0peye-blog.pages.dev/posts/cyber-warriors-ctf-nashmi-apt/Sat, 16 Aug 2025 00:00:00 +0000ahmad.massad.ir@gmail.com (Ahmad Massad)https://p0peye-blog.pages.dev/posts/cyber-warriors-ctf-nashmi-apt/<p><figure><img class="my-0 rounded-md" loading="lazy" decoding="async" fetchpriority="low" alt="" src="https://miro.medium.com/v2/resize:fit:700/1*xmjWlgRCiaWpY7CiFRfAHg.png" ></figure> </p> <h2 class="relative group">Introduction <div id="introduction" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#introduction" aria-label="Anchor">#</a> </span> </h2> <p>Our Security Operations Center (SOC) detected suspicious activity originating from an internal employee workstation. The employee — a finance team member — reported slow system performance and unexpected behavior. Shortly after, EDR logs showed signs of malware persistence and suspicious outbound traffic.</p> <p><strong>Mission:</strong> Analyze a full memory image of the compromised machine, identify the scope of the infection, and answer key investigation questions.</p>