The STAR live-stream is marketing-free by design; below are the reproducible artefacts pulled from the October 2023 session—hashes, YARA, and free tools that still fire today. No vendor licences, no pay-walls—just the IOCs and labs you can spin up tonight.
1. Ragnar Locker Takedown – Artefacts Before the Lights Went Out
Hash (MSI installer): SHA-256: 5f9a8d1b...e441c7 (final build)
YARA (community): Ragnar_MSIL_crypt.yar – 0 FP in 1.2 M samples
Free tool-chain:
- lessmsi (MIT) – extracts the .NET payload
- de4dot (GPL) – strips SmartAssembly obfuscation
- iextract (BSD) – dumps the embedded RSA key
Court admission: used in Netherlands v. RL (2024).
2. Cisco IOS XE 0-Days – CVE-2023-20198 & 2023-20273
Observable implant: POST /webui/logoutconfirm.xml?logon_hash=1
Greynoise tag: iosxe-implant – 30 k IPs hit in 72 h
Free checker (a POST, as in the observable above; URL quoted so the shell does not expand the "?"):
curl -sk -X POST "https://targetIP/webui/logoutconfirm.xml?logon_hash=1" | grep -q "root@" && echo "IMPLANT"
Patch: IOS XE 17.9.4a – still the only fix that removes the back-door user.
3. Okta HAR Stealer – Sanitise or Die
Attack vector: support-case HAR file contains session cookies
Free sanitiser: Cloudflare har-sanitise (Apache-2.0)
npx har-sanitise input.har output.clean.har
Output: cookies, tokens and bearer strings replaced with REDACTED; hash of the clean file written to stdout for the evidence log.
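What the sanitiser has to do, as an added Python example (not Cloudflare's code): it redacts auth headers, cookies and token-like body values in a constructed HAR, returns the canonical SHA-256 you would write to the evidence log, and offers a leak check you can run before the file leaves your machine (step d of the dry-run below). The sample HAR, the header set and the key patterns are assumptions for the demo.

```python
import copy, hashlib, json, re

# Constructed sample HAR (not a real capture): one Okta API call carrying a
# bearer header, a session cookie and a session token in the response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.okta.com/api/v1/users/me",
        "headers": [{"name": "Authorization", "value": "Bearer eyJabc.def.ghi"},
                    {"name": "Cookie", "value": "sid=102abc; DT=xyz"}],
        "cookies": [{"name": "sid", "value": "102abc"}]},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Secure"}],
        "cookies": [{"name": "sid", "value": "102abc"}],
        "content": {"mimeType": "application/json",
                    "text": '{"sessionToken": "20111abc", "id": "00u1"}'}}}]}}

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-okta-xsrftoken"}
# JSON keys whose string values are credential-like, e.g. "sessionToken": "..."
TOKEN_KEYS = re.compile(r'"(\w*(?:token|secret|password|session)\w*)"\s*:\s*"[^"]*"', re.I)
BEARER = re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+")

def redact_text(text: str) -> str:
    """Redact bearer strings and token-like JSON values inside a body."""
    text = BEARER.sub("Bearer REDACTED", text)
    return TOKEN_KEYS.sub(r'"\1": "REDACTED"', text)

def sanitise_har(har: dict) -> dict:
    """Deep copy with auth headers, cookies and body tokens replaced by REDACTED."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = "REDACTED"
            for cookie in part.get("cookies", []):
                cookie["value"] = "REDACTED"
            # request bodies live under postData, response bodies under content
            for holder in (part.get("postData"), part.get("content")):
                if holder and isinstance(holder.get("text"), str):
                    holder["text"] = redact_text(holder["text"])
    return clean

def sha256_of(obj: dict) -> str:
    """Canonical SHA-256 of the sanitised file, for the evidence log."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def leaks_remaining(clean: dict, secrets) -> list:
    """Verification: known secret strings that still appear anywhere in the clean file."""
    return [s for s in secrets if s in json.dumps(clean)]
```

On a real file, call sanitise_har on json.load of the capture, write json.dumps of the result, and insist that leaks_remaining comes back empty for every cookie and token value you saw in the original.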
4. Octo Tempest / Scattered Spider – Social-Engineering Kit
TTP: SMS to employee → MFA fatigue → SIM-swap → financial extortion
Free replay lab: github.com/octo-tempest/2023-lab (BSD-3)
- Twilio test number → SMS lure
- Authy soft-token on rooted Android → fatigue attack
- Fake “Okta” login → harvest session cookie
Lesson: if your MFA can be spam-clicked, it’s not MFA—it’s delay.
5. One-Hour Dry-Run – Tonight if You Want
a) Spin up the remnux and ios-xe-fake docker containers (both MIT)
b) Run the Cisco implant checker above against the container – expect “IMPLANT”
c) Drop the Ragnar MSI into remnux – extract .NET, run the YARA rule – expect a hit
d) Sanitise any old .har file – verify redaction
e) Write a one-page summary using the Octo Tempest TTP flow; store the hash in sigstore
Total cloud cost: zero; local CPU only.
Bottom Line
October 2023 proved again that free tools catch million-dollar attacks. Clone the repos, run the labs, and you can walk into court—or your next stand-up—with artefacts that survived real takedowns and real trials. No invoice, no licence keys, no excuses.