Incident response case study featuring Ryuk and Trickbot (part 2)

This is part 2 of our recent incident response study encountering a Trickbot infection.

Initial compromise

Right after tricking a user into running the malicious Office macro on their machine, thus gaining code execution, the first stage Trickbot executable is downloaded and executed. The first stage payload is responsible for three things. First, Trickbot tries to disable Windows Defender by running these commands:

    cmd.exe /c sc stop WinDefend
    cmd.exe /c sc delete WinDefend
    cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

The next step is to unpack itself into every user's AppData/Roaming directory under a less-than-suspicious folder name (such as WinDefrag, WinSocket, GPUDriver, msnet, etc.). Last, but not least, it creates persistence. As we have already mentioned in the first part of this series, Trickbot does not need advanced persistence mechanisms; creating a scheduled task, installing a service or even a simple Run registry key is sufficien…
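The three Defender-tampering commands and the unpack location above are easy to turn into detection rules for process-creation telemetry. The following is an added example (not code from the original post or from White Hat) that runs such rules over constructed Sysmon-style events; the event field names, the sample paths and the user name "alice" are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# not real telemetry from the incident described in the write-up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc stop WinDefend",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc delete WinDefend",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\alice\AppData\Roaming\WinDefrag\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\WinDefrag\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",   # benign control: no rule should fire
     "CommandLine": "sc query Spooler",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Rules for the Defender-tampering commands quoted in the write-up.
DEFENDER_TAMPER = [
    (re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+WinDefend\b", re.I),
     "sc against WinDefend service"),
    (re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
     "Defender real-time monitoring disabled"),
]
# An executable running from a subfolder of a user's AppData\Roaming (the unpack location).
ROAMING_EXEC = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I)
# Office application spawning a shell: the macro-to-code-execution step.
OFFICE_PARENT = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
SHELL_CHILD = re.compile(r"\\(cmd|powershell)\.exe$", re.I)

def classify(event):
    """Return the list of rule labels that fire for one process-creation event."""
    alerts = []
    cmd, image, parent = (event.get(k, "") for k in ("CommandLine", "Image", "ParentImage"))
    for pattern, label in DEFENDER_TAMPER:
        if pattern.search(cmd):
            alerts.append(label)
    if ROAMING_EXEC.search(image):
        alerts.append("executable launched from AppData\\Roaming subfolder")
    if OFFICE_PARENT.search(parent) and SHELL_CHILD.search(image):
        alerts.append("Office process spawned a shell")
    return alerts

def scan(events):
    """Return {event_index: alerts} for the events that triggered at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        alerts = classify(event)
        if alerts:
            hits[i] = alerts
    return hits
```

Matching on `sc config WinDefend` as well as `stop`/`delete` is deliberate: changing the service start type is a sibling of the commands shown, so the rule generalises slightly beyond the three lines quoted.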

Our course at Óbuda University launches February 2019

Hands-on and practical, immediately usable knowledge integrated into academic education – our course at Óbuda University launches February 2019.

Are you a BSc or MSc student of Computer Engineering or the Cyber Security Expert course at the John von Neumann Faculty of Informatics of Óbuda University? Are you interested in the field of IT security and corporate defence, or are you planning on playing a role in an enterprise Blue Team or SOC? If the answer to any of the above is yes, you should check out our course, Blue Team & Security Operations I-II, and come to Óbuda University on 28th January at 4 pm, where we will tell you everything you need to know and give you the opportunity to test whether you are up for the course.

During the lectures we take a look at the IT security systems and system elements of corporate networks, and the roles and responsibilities involved. We study in detail the following Blue Team and SOC (Security Operations Center) roles: L1 analyst; Threat intelligence analyst; L2 analyst; Forensics and Network forensics experts; Malware analyst; Threat Hunter; SOC system administrator, coordinator and manager; CISO. Throughout this we illustrate and analyse the individual steps of the defence procedure through the incident management of a lifelike APT attack – how the subsequent phases are structured, how they interact, and what roles and responsibilities this necessitates on the personnel side.

We at White Hat believe that if you can give back to the community, you should – that is why we have started a cooperation with the prestigious Óbuda University to integrate our WHCD course, aimed at experts already working in the field, into the academic curriculum. This became the course that students of all of the educational paths above can choose to take.

The aim is, on the one hand, to give the 25 most talented students (selected by the entry test) the chance to learn up-to-date practical skills and knowledge that is in demand right now; and on the other hand, to help make academic education more lifelike and marketable.

Óbuda University proved to be an excellent partner in this endeavour – and thus we are proud to say that come next February we will have the chance to teach 25 of the young minds of the future, every year. Trust us, this is as exciting for us as it (we hope) is for you.

If you have any questions about the course, or would like to know more, check out our blog at or contact us directly via or through the university.