AHMED KHLIEF

Incident Response Specialist
Dubai

Summary

DFIR specialist with over 8 years of practical experience in blue team and red team operations, and the author of the APT-Hunter and NinjaC2 tools, which are now used by thousands of security professionals around the world.

Overview

8 years of professional experience
11 Certifications

Work History

Incident Response Specialist

Kaspersky Lab
01.2023 - Current
  • Conducting compromise assessment service and incident response for clients around the world.
  • Participating in research and development operations that include: creating new tools to analyze/parse new artifacts, enhancing existing tools, creating hunt rules to enhance the detection coverage.
  • Full focus on automating tasks and collaborating with the DevSecOps team to reduce the time for collection and analysis.
  • Participating in conferences and security meetups.
  • Conducting threat hunting activity to reveal anomalies and hidden attacks for MDR customers.

Digital Forensic and Incident Response Specialist

HelpAG
07.2021 - 01.2023
  • Perform Threat Emulation assessments to evaluate customer defenses and detection capabilities.
  • Perform Compromise Assessments to uncover ongoing or past compromises.
  • Help customers recover from ransomware attacks.
  • Investigate ransomware attacks and trace them back to patient zero.
  • Investigate APT attacks and provide a full timeline to the customer.
  • Experience with DFIR tools: Autopsy, APT-Hunter, Zircolite, KAPE, Volatility, Timesketch, Plaso, RegRipper, Eric Zimmerman's tools, MFTDump.
  • Malware analysis on multiple platforms with tools: dnSpy, IDA Pro, OllyDbg, x64dbg, gdb, Cutter, radare2, apktool, dex2jar.
  • Develop automation scripts and tools to gather, analyze and report possible incidents based on collected logs and artifacts.
  • Develop automation scripts to perform compromise assessments using the Carbon Black API.
  • Perform incident response and threat hunting using Azure Sentinel, Splunk, Carbon Black, Azure Defender 365 and Trend Micro Vision One.

Security Specialist

Specialized Technical Services, STS
10.2018 - 07.2021
  • Perform Threat Emulation assessments to evaluate customer defenses and detection capabilities.
  • Perform Compromise Assessments to uncover ongoing or past compromises and detect hidden APTs.
  • Perform social engineering and phishing campaigns.
  • Deliver internal and external penetration tests.
  • Deliver Red Team simulations.
  • Deliver firewall review services.
  • Deliver wireless penetration tests.
  • Experience with DFIR tools: Autopsy, APT-Hunter, Zircolite, KAPE, Volatility, Timesketch, Plaso, RegRipper, Eric Zimmerman's tools, MFTDump.
  • Automate routine tasks and create tools to save the team time.
  • Create correlation rules and research the detection of new attacks (created more than 100 correlation rules).
  • Provide incident response and forensic investigations to our customers in KSA, remotely and on site.
  • DFIR experience in cloud and remote environments, as most of our customers are on the cloud.
  • Support more than 30 customers in our SOC.
  • Conduct threat hunting to detect APTs based on the MITRE ATT&CK framework.
  • Analyze new attacks and APT TTPs and deliver them as reports or articles to our customers.
  • Malware analysis and reverse engineering of discovered malware, with IOC extraction.
  • Integrate log sources, extract fields and make sure fields are normalized and ready for use in correlation rules.

Information Security Officer

Electronic Health Systems, EHS
10.2017 - 09.2018

System Administrator

Specialized Technical Services / PayOne
06.2016 - 09.2017

Education

Bachelor of Engineering - Networks and Systems Engineering

Balqa Applied University
09.2011 - 02.2016

Skills

Exploit Development

Reverse engineering

Linux administration

Python and Bash scripting

Regex

Malware Analysis

Developing Correlation Rules

Digital Forensics

Wireless Pentest

Incident Response

Web APP Pentest

APT Simulation

Threat hunting

SIEM Administration

Threat Assessment

Phishing Simulation

Windows Server Administration

Splunk

Accomplishments

  • Security tools developer - github.com/ahmedkhlief
  • Author of APT-Hunter, a threat hunting tool that detects more than 200 use cases via Windows event logs and can analyze Office 365 logs. Currently used by thousands of security professionals around the world, with 1200 stars on GitHub.
  • Author of Ninja C2, a tool for red team operations, with 723 stars on GitHub.
  • Blogger at shells.systems
  • Author of a Reverse Engineering and Malware Analysis course on my YouTube channel, with more than 133K views and 2.4K subscribers.
  • Won first place in the Jordan Top Hacker (2018) competition organized by Ahli Bank (Hack The Box style).
  • Won 4th place in the Jordan Top Hacker (2016) competition organized by Zain ISP (Hack The Box style).
  • Scored with my team 3rd across the Middle East and 19th worldwide out of 1200 competitors in the CSAW 2018 CTF worldwide information security competition.

Certification

PGI Digital Forensic and Incident Response Practitioner - License PGIDFIRP/3022

Publications

  • Security automation tool developer.
    https://github.com/ahmedkhlief
  • Introducing APT-Hunter: Threat Hunting Tool via Windows Event Log
    https://shells.systems/introducing-apt-hunter-threat-hunting-tool-via-windows-event-log/
  • Uncovering New Attack Group (APT FIREPLACE) Targeting MENA.
    https://shells.systems/uncovering-new-attack-group-apt-fireplace-targeting-ksa/
  • Introducing Ninja C2: the C2 built for stealth red team operations
    https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/
  • Bypassing Kaspersky Endpoint and Cloud Sandbox (real world pentest case).
    https://shells.systems/bypassing-kaspersky-endpoint-and-cloud-sandbox-real-world-pentest-case/
  • Reviving MuddyC3 Used by MuddyWater (IRAN) APT.
    https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/
  • YouTube channel for malware analysis and reverse engineering
    https://www.youtube.com/user/27medk

Timeline

Incident Response Specialist

Kaspersky Lab
01.2023 - Current

Security Specialist

Specialized Technical Services, STS
10.2018 - 07.2021

Information Security Officer

Electronic Health Systems, EHS
10.2017 - 09.2018

System Administrator

Specialized Technical Services / PayOne
06.2016 - 09.2017

Digital Forensic and Incident Response Specialist

HelpAG
07.2021 - 01.2023

Bachelor of Engineering - Networks and Systems Engineering

Balqa Applied University
09.2011 - 02.2016