<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="https://blog.nocacti.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://blog.nocacti.com/" rel="alternate" type="text/html" /><updated>2026-06-16T13:18:59+00:00</updated><id>https://blog.nocacti.com/feed.xml</id><title type="html">NOCACTI Blog</title><subtitle>NOCACTI blog, where you&apos;ll find information on NOCACTI Cyber Threat Intelligence IoC feeds and write-ups. </subtitle><author><name>TomO</name></author><entry><title type="html">NOCACTI - Overview of Feeds</title><link href="https://blog.nocacti.com/nocacti/2026/05/05/nocacti-cti-feed-overview.html" rel="alternate" type="text/html" title="NOCACTI - Overview of Feeds" /><published>2026-05-05T04:00:00+00:00</published><updated>2026-05-05T04:00:00+00:00</updated><id>https://blog.nocacti.com/nocacti/2026/05/05/nocacti-cti-feed-overview</id><content type="html" xml:base="https://blog.nocacti.com/nocacti/2026/05/05/nocacti-cti-feed-overview.html"><![CDATA[<p>An overview of the feeds/Indicators of Compromise supplied by NOCACTI</p>

<h1 id="what-is-nocacti">What is NOCACTI</h1>

<p>NOCACTI is a Cyber Threat Intelligence project that’s been running for several years.</p>

<p>The goal is to share high-confidence, context-rich indicators of compromise with the cyber community.</p>

<p>NOCACTI was originally started because I was salty. So often as an analyst you’d find Indicators of Compromise being involved in alerts with little to no context, and them being nothing burgers due to low confidence! While this of course isn’t all sources by any means, and there are plenty of other amazing providers out there, I wanted to also try and do better, which led me to starting NOCACTI.</p>

<p>Before diving into the broad types of feeds published by NOCACTI, here’s a diagram from our graphic design team with over 200 years of combined experience ;^)</p>

<p><img src="/assets/img/NOCACTI_VeryRealAndHandyImage.jpg" alt="" /></p>
<h1 id="adversary-infrastructure">Adversary Infrastructure</h1>

<p>So, Adversary Infrastructure: this was the second major feed and is the one I believe has the most detection value, and it comes with a very high confidence rating.</p>

<p>Adversary Infrastructure Indicators of Compromise are indicators that come directly from hosts hosting tools associated with ‘offensive’ cyber security tooling such as Command and Control servers or known hack-tools.</p>

<p>A big advantage of NOCACTI’s approach to Adversary Infrastructure is that it’s not reactive, but proactive. Rather than waiting for hits on a Honeypot, or even a live system, our approach is to actively go looking for Adversary Infrastructure - allowing us to identify systems even before they conduct an attack.</p>

<p>While adversaries who obfuscate or hide their infrastructure can of course avoid being picked up, so often we find adversaries using default settings or tooling that can be discovered and used for these detections!</p>

<p>This feed can provide some amazing value, but keep in mind the reported IPs especially can be noisy to alert on unless you look specifically for <strong>Outbound traffic</strong>, which is what we recommend. Any outbound traffic to an adversary infrastructure indicator points towards a compromised host reaching out to a command and control server, and we’d highly recommend digging into any involved detections to find out why the connection is occurring.</p>

<p><img src="/assets/img/Pasted%20image%2020260606213656.png" alt="" /></p>

<p>A snapshot of the Adversary Infrastructure main feed</p>

<h1 id="intrusion">Intrusion</h1>

<p>Intrusion IoCs from NOCACTI cover indicators relating to an intrusion into a system. For example, an adversary connecting to an exposed MySQL instance and running a number of queries to discover data.</p>

<p>The type of indicator provided in an ‘Intrusion’ event is often largely dependent on the service being monitored. For example:</p>
<ul>
  <li>SSH and MySQL intrusions generally include the IP the adversary is connecting from, along with any files dropped and commands executed</li>
  <li>FortiGate intrusions will have ‘Web’ related artifacts associated with the intrusion, such as URLs hit, User Agent and IPs of the attacker, and in many cases the Exploits used by the adversary</li>
</ul>

<p><img src="/assets/img/Pasted%20image%2020260606213537.png" alt="" /></p>

<p>Commands run after an adversary connects to a Linux host over SSH</p>

<p><img src="/assets/img/Pasted%20image%2020260606213401.png" alt="" /></p>

<p>CVE-2018-13379 exploitation attempt on a FortiGate device.</p>

<p>With Intrusion indicators, NOCACTI seeks to always group these into specific objects, so an indicator such as an IP can always be tied back to specific commands run, service targeted, and artifacts dropped. This provides a ‘context’-rich experience when investigating indicators, as it’s much easier to see all events associated with any given identified indicator.</p>]]></content><author><name>TomO</name></author><category term="NOCACTI" /><category term="NOCACTI" /><category term="Guide" /><summary type="html"><![CDATA[An overview of the feeds/Indicators of Compromise supplied by NOCACTI]]></summary></entry><entry><title type="html">NOCACTI - How to Use</title><link href="https://blog.nocacti.com/nocacti/2026/05/05/nocacti-cti-overview.html" rel="alternate" type="text/html" title="NOCACTI - How to Use" /><published>2026-05-05T04:00:00+00:00</published><updated>2026-05-05T04:00:00+00:00</updated><id>https://blog.nocacti.com/nocacti/2026/05/05/nocacti-cti-overview</id><content type="html" xml:base="https://blog.nocacti.com/nocacti/2026/05/05/nocacti-cti-overview.html"><![CDATA[<p>How to use the Indicators of Compromise/Cyber Threat Intelligence provided by NOCACTI! Free btw ;)</p>

<h1 id="overview">Overview</h1>

<p>Cyber Threat Intelligence</p>

<p>This article is intended to serve as a brief guide on how to access the Indicators of Compromise provided by NOCACTI.</p>

<p>Along with providing an overview, some monitoring recommendations are also given, as it’s important to note the intention behind how each CTI type should be used.</p>

<h1 id="where-to-access">Where to Access</h1>

<p>All feeds are hosted on misp-feed.nocacti.com at one of the following locations! (Note: these are all web directories containing MISP-formatted IoCs, except the Raw directory, which is a plain old list of IPs!)</p>
<ul>
  <li>misp-feed.nocacti.com/Intrusion/</li>
  <li>misp-feed.nocacti.com/AdversaryInfrastructure/</li>
  <li>misp-feed.nocacti.com/Raw/</li>
</ul>

<h2 id="raw-feeds">Raw Feeds</h2>

<p>The <code class="language-plaintext highlighter-rouge">NOCACTI: Adversary Infrastructure Feed</code> is provided in a ‘Raw IP list’ format to make it easier to integrate this feed into a variety of tools.</p>

<p>This IP list is available at https://misp-feed.nocacti.com/Raw/AdversaryInfrastructureIPs.txt</p>

<p>It’s important to note that while you can still get amazing detection value from this feed, you do lose context, as the ‘tagging’ that comes with ingesting the IoCs from MISP is lost in a flat file format!</p>

<p><strong>RECOMMENDATION:</strong> When using the ‘Adversary Infrastructure’ feed, we highly recommend focusing on <em>outbound</em> traffic to the IPs in the list. Due to the nature of the IPs, any outbound connections are highly indicative of a malware/C2 infection, but inbound connections can often be due to scanning or generic exploit spamming activity.</p>
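<p>As an added example (not NOCACTI’s own code or tooling), the following Python script applies the outbound-only recommendation made here and in the Adversary Infrastructure overview: it parses the flat Raw IP list format, then runs constructed firewall log lines against it, separating outbound hits (an internal host reaching an indicator, the high-priority case) from inbound hits (an indicator scanning inwards, usually noise). The log format, internal ranges and all IP addresses are assumptions, and the feed text is a constructed sample standing in for the file at https://misp-feed.nocacti.com/Raw/AdversaryInfrastructureIPs.txt.</p>

```python
import ipaddress
import re
from collections import namedtuple

# Constructed stand-in for the Raw feed (one IP per line) so the example runs
# offline; in practice fetch the text from
# https://misp-feed.nocacti.com/Raw/AdversaryInfrastructureIPs.txt
SAMPLE_RAW_FEED = """\
# constructed sample, TEST-NET addresses only
203.0.113.7
198.51.100.23

not-an-ip
203.0.113.7
"""

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2026-05-05T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2026-05-05T10:00:02Z src=198.51.100.23 dst=10.0.0.8 dport=22 action=deny",
    "2026-05-05T10:00:03Z src=10.0.0.9 dst=192.0.2.50 dport=80 action=allow",
    "2026-05-05T10:00:04Z src=10.0.0.5 dst=198.51.100.23 dport=8080 action=allow",
    "2026-05-05T10:00:05Z this line does not parse",
]

# Assumed internal ranges; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r"\bsrc=(?P<src>\S+)\s+dst=(?P<dst>\S+)")
# direction is "outbound" (internal host -> indicator: investigate!) or
# "inbound" (indicator -> internal host: often just scanning noise)
Hit = namedtuple("Hit", "line direction ioc")

def load_raw_feed(text):
    """Parse the flat IP list: skip blanks/comments, drop invalid and duplicate entries."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: ignore rather than crash the matcher
    return ips

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def match_flows(log_lines, ioc_ips):
    """Return every parsable flow that touches an indicator, labelled by direction."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if is_internal(src) and dst in ioc_ips:
            hits.append(Hit(line, "outbound", str(dst)))
        elif src in ioc_ips and is_internal(dst):
            hits.append(Hit(line, "inbound", str(src)))
    return hits

def outbound_hits(log_lines, ioc_ips):
    """The subset worth alerting on, per the outbound-only recommendation."""
    return [h for h in match_flows(log_lines, ioc_ips) if h.direction == "outbound"]
```

<p>On the constructed sample this yields two outbound hits worth an alert and one inbound hit that is logged but not escalated.</p>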

<h2 id="misp-feeds">MISP Feeds</h2>

<p>NOCACTI feeds are part of the default feed list on MISP!</p>

<p>If you’d like to use them, simply click ‘Load default feed metadata’ on the MISP Feeds page in your deployment and enable the <code class="language-plaintext highlighter-rouge">NOCACTI: Intrusion Feed</code> and the <code class="language-plaintext highlighter-rouge">NOCACTI: Adversary Infrastructure Feed</code>!</p>

<p><img src="/assets/img/Pasted%20image%2020260601201754.png" alt="" /></p>]]></content><author><name>TomO</name></author><category term="NOCACTI" /><category term="NOCACTI" /><category term="Guide" /><summary type="html"><![CDATA[How to use the Indicators of Compromise/Cyber Threat Intelligence provided by NOCACTI! Free btw ;)]]></summary></entry><entry><title type="html">Investigating a Suspicious Flash File!</title><link href="https://blog.nocacti.com/malware/2026/03/08/real-flash-malware.html" rel="alternate" type="text/html" title="Investigating a Suspicious Flash File!" /><published>2026-03-08T04:00:00+00:00</published><updated>2026-03-08T04:00:00+00:00</updated><id>https://blog.nocacti.com/malware/2026/03/08/real-flash-malware</id><content type="html" xml:base="https://blog.nocacti.com/malware/2026/03/08/real-flash-malware.html"><![CDATA[<p>A spicy investigation into an unusual network connection from a ‘flash’ (.swf) file to a site called not[.]shaaa[.]dy[.]fi</p>

<h1 id="decompile">Decompile</h1>

<p><strong>JPEXS Flash Decompiler</strong> seems to be good, worked here! https://github.com/jindrapetrik/jpexs-decompiler</p>

<h1 id="the-story">The Story</h1>

<p>As a flash fan from way back in the day, I’ve got a bunch of my fav’s stored locally I’ll often crack open for nostalgia.</p>

<p>With that in mind, the security issues associated with flash are well documented (RIP).</p>

<p>This was a fun situation I found myself in where a flash I had downloaded did show some sus behaviour and while it ended up being fine, it was still a cool chance to learn a little bit about analysing flash files.</p>

<h1 id="fun-case">Fun Case</h1>

<p>What the hell is this message! Popped up after launching a flash file locally (On a VM luckily as a safe flash enjoyer!).</p>

<p><img src="/assets/img/Pasted%20image%2020260305214007.png" alt="" /></p>

<p>Bruh</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>not[.]shaaa[.]dy[.]fi
</code></pre></div></div>

<p>Okay, so <code class="language-plaintext highlighter-rouge">dy.fi</code> is a Dynamic DNS service for Finnish people!</p>

<p>Description from webpage below</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dy.fi is a free dynamic DNS service offered exclusively for Finnish users. It provides you a short domain name like 'yourname.dy.fi', which can be pointed to the dynamic IP address of your home system (for running an FTP or web server at home, or SSH/VNC remote use), or forwarded to your home page which has a long and hard-to-remember URL.
</code></pre></div></div>

<p>The ‘News’ on the site for <code class="language-plaintext highlighter-rouge">dy.fi</code> starts back in 2006 and was last updated in 2018, wild.</p>

<p>Some basic site scans on the <code class="language-plaintext highlighter-rouge">not[.]shaaa[.]dy[.]fi</code> URL seem to indicate the web server is now offline and traffic is hitting an HTTP 307 (Redirect) and landing on the homepage of <code class="language-plaintext highlighter-rouge">dy.fi</code>.</p>

<p>Sandbox time!</p>

<p>Running with Procmon doesn’t show anything interesting really, a few curious registry items being read (GPU/Screen stuff), but possibly explainable simply by the nature of ‘Flash’ animations.</p>

<p>Looking up decompilers for flash, <code class="language-plaintext highlighter-rouge">JPEXS</code> came up, it seems to work really well!</p>

<p>Scripts looked interesting, and indeed under <code class="language-plaintext highlighter-rouge">&lt;default package&gt;</code> was a file named <code class="language-plaintext highlighter-rouge">ET</code>, and bang in there was the URL seen earlier along with another (seemingly a backup, and just one step up the domain)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>shaaa[.]dy[.]fi
</code></pre></div></div>

<p><img src="/assets/img/Pasted%20image%2020260305215126.png" alt="" /></p>

<p>After some scrolling and reading, the <code class="language-plaintext highlighter-rouge">urlvars</code> section proves really interesting! So it seems a number of metrics (shown below as <code class="language-plaintext highlighter-rouge">capabilities.METRIC</code>) are being collected and then POSTed to the Web Server</p>

<p><img src="/assets/img/Pasted%20image%2020260305215237.png" alt="" /></p>

<p>Found a online translation of the <code class="language-plaintext highlighter-rouge">Capabilities</code> and what each means in some documentation here https://www.cs.vu.nl/~eliens/assets/flex3/langref/flash/system/Capabilities.html</p>

<p><img src="/assets/img/Pasted%20image%2020260305215357.png" alt="" /></p>

<p>So after all that it seems to be data collection!</p>

<p>After these findings, eventually did some searching and found this swfchan thread detailing some of the drama hahahaha - so it does appear this is known and the person has done this to a number of flashes https://swfchan.net/31/BTR8OLB.shtml (A few different threads about this same topic/person though)
<img src="/assets/img/Pasted%20image%2020260305215521.png" alt="" /></p>

<p>This thread is even better, apparently it’s someone under the name of AMM https://swfchan.net/32/ACOR3IF.shtml Of course the typical 4chan 2015 over the top profanity</p>

<p><img src="/assets/img/Pasted%20image%2020260305215731.png" alt="" /></p>

<p>To be continued!</p>

<p>There is a really interesting ‘ID’ in the decompiled flash file as well; I wonder if this is unique to each flash compiled by this person. Might go digging/make a little script to see if any of my other flash files have this same thing! Could also grab another of the ‘reported’ flashes on swfchan and see if the ID is unique on that.</p>]]></content><author><name>TomO</name></author><category term="Malware" /><category term="Flash" /><category term="Malware" /><category term="Analysis" /><category term="Yarn" /><summary type="html"><![CDATA[A spicy investigation into an unusual network connection from a ‘flash’ (.swf) file to a site called not[.]shaaa[.]dy[.]fi]]></summary></entry><entry><title type="html">OSCP+ Tips from a Security Analyst</title><link href="https://blog.nocacti.com/guide/2025/10/10/oscp-tips.html" rel="alternate" type="text/html" title="OSCP+ Tips from a Security Analyst" /><published>2025-10-10T04:00:00+00:00</published><updated>2025-10-10T04:00:00+00:00</updated><id>https://blog.nocacti.com/guide/2025/10/10/oscp-tips</id><content type="html" xml:base="https://blog.nocacti.com/guide/2025/10/10/oscp-tips.html"><![CDATA[<p>Tips on preparing and passing your OSCP+ exam from a Security Analyst (x) who passed on their first attempt!</p>

<h1 id="oscp">OSCP</h1>

<p>Back in September 2025, I sat and successfully passed my OSCP+ exam on my first attempt! I got my 70 points for a passing grade in a little over 5 hours, completing the AD set in under an hour as well!</p>

<p>As someone with only ‘Defensive’ security experience, but who really enjoys CTF/HTB challenges I wanted to take the OSCP exam to undertake what was a fun and exciting challenge (Also a bit shamefully for the clout lol).</p>

<p>Enough with the bragging though, when prepping for the exam I found reading about others’ experiences really helpful, so I wanted to offer my own perspective and advice in the hope it can help someone else undertaking their exam.</p>

<h1 id="preperation-tips">Preparation Tips</h1>

<p>Tips in the lead up to the exam</p>

<h2 id="practice">Practice!</h2>

<p>This covers my recommended approach to ‘practice’ AND how to identify when you’re ready for the exam!</p>

<p>Practicing may seem obvious, but I think a key tip from me would be to not just practice, but get <strong>good practice!</strong></p>

<p>I think it’s important when preparing for the OSCP to focus on machines with content/a style that will be similar to those seen in the exam. What’s also incredibly key though is to not rely too heavily on write-ups (or even small hints) when preparing for the OSCP!</p>

<p>During the exam you won’t be able to get any external assistance at all (e.g. through a write-up or hint), so it’s incredibly important you feel comfortable doing boxes/sets without any assistance.</p>

<p>For me write-up/no write-up is a totally different game. With a write-up/hint you’ll always have some idea of where to go next, but without these you need to be comfortable being uncomfortable and working through your enumeration in order to know where to go next.</p>

<p>That being said, towards the start of your learning absolutely use write-ups, especially for harder/more challenging machines! Write-ups provide great insight into what others do and you can always learn from this to improve your own style, you just need to be sure you don’t make them too much of a crutch, especially when it comes to exam time.</p>

<p><strong>Every time you do use a hint</strong> just ask yourself why you needed to use it after finding where you went wrong/what you missed. Don’t just take the hint and run, but try and reflect on what was missing that prevented you from getting there on your own, this really helped me!</p>

<p><strong>When it comes time to book your exam, consider this exercise for identifying if you’re ready</strong>. Choose 5 (Proving Grounds) machines at random from the Tj Null/NetSecFocus Room list (https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview ). Try doing these machines with no assistance at all and see how you go! Don’t be discouraged if you can’t do them all without write-ups, but I’d aim to be able to do at least 4/5 without any help before heading into your exam. But don’t let this discourage you either! Not all machines are equal and honestly a big part of the exam is down to luck of what you’re going to get for those standalones!</p>

<h2 id="develop-strong-checklists--for-your-enumeration-but-dont-re-invent-the-wheel">Develop Strong ‘Checklists’  for your enumeration, but DON’T Re-Invent The Wheel!</h2>

<p>Having a checklist of what you should be checking during your enumeration phase will be a massive help during the exam.</p>

<p>While doing your practice boxes in the lead-up to the exam, take note of useful commands for enumeration and what you’re checking. You can use this information to make a checklist, and during the exam it can come in as a massive help!</p>

<p>The exam can be very stressful and you don’t want to be relying on memory alone of what you should be doing, so a checklist can be very useful.</p>

<p>Do note, you don’t need to re-invent the wheel here either though! So many guides to enumerating different services are available online, and you’ll likely encounter at least some service during the exam you haven’t seen before. So when/if you do, simply google ‘x service enumeration pentesting’ or something similar and chances are you’ll find someone else’s steps you can use!</p>

<h1 id="tips-for-the-exam">Tips for the Exam</h1>
<h2 id="take-high-quality-breaks">Take HIGH QUALITY Breaks</h2>

<p>A mental reset can be key during the exam.</p>

<p>If you find yourself stuck for an extended period of time, a decent break to reset your brain may be what you need.</p>

<p>For me, a decent break is one where I’m able to go do something else that takes my focus away from the core task, which then when returning to the core task gives me a bit of a reset.</p>

<p>Of course for OSCP your time is going to be limited, so you can’t take massive breaks to reset yourself, but absolutely try and get up for a walk, make a tea or coffee (and drink it away from your PC to try and reset!) or do something that works for you!</p>

<h2 id="dont-overlook-anything-as-part-of-your-enumerationinitial-access">Don’t overlook anything as part of your enumeration/initial access</h2>

<p><strong>Key tip for the exam</strong></p>

<p>During the exam you’ll of course be faced with several boxes you need to root.</p>

<p>Without giving anything away, you’ll obviously be charged with enumerating different services on each of these boxes.</p>

<p>Now a trap I fell for was seeing services and before even looking thinking (1) oh it’ll likely be this OR (2) oh they wouldn’t make it X that’d be too easy!</p>

<p>Now for me this was a massive trap! Don’t overlook anything as part of your enumeration/initial access phase and try everything you can!</p>

<p><strong>TIP:</strong> Don’t get stuck in the loop of running the exact same commands and expecting a different outcome. You’re probably in a rabbit hole if you’re at this stage!</p>

<h2 id="try-and-chill-out">Try and Chill Out!</h2>

<p>Listen to music and try not to stress too hard!</p>

<p>For me at least, being overly stressed/nervous really gets in the way of my thinking. I know for such a big investment like OSCP it can be hard to try and set aside stress, but getting in a more chill mindset can be an absolute godsend for the exam and put your best foot forward.</p>

<h1 id="great-learning-resources">Great Learning Resources!</h1>

<p>Resources I highly rate for preparing for the exam.</p>

<p><strong>TryHackMe and/or HackTheBox</strong>
https://tryhackme.com/
https://app.hackthebox.com/</p>

<p>Both of these sites are great at supplying boxes for learning/practicing new techniques.</p>

<p>The debate between the two sites will always be a thing, but while I prefer HackTheBox nowadays, if you’re earlier on in your journey I would rate TryHackMe as it’s got some awesome learning pathways that can be far less daunting for beginners. HackTheBox in my opinion though provides a lot more challenging/fresher content, so it’s great once you have more experience (but can be hard for beginners cause I swear some of those easy boxes don’t be EASY!!!)</p>

<p><strong>NetSec Trophy Room</strong>
https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview</p>

<p>The most useful resource I found for my exam was this list of boxes. This is a list of ‘OSCP like machines’ curated by Tj Null and has machines that are ‘similar’ to those you’ll likely encounter during the OSCP exam.</p>

<p>I’m a very practical learner, so having a list of machines to focus on doing was awesome for preparing for the exam.</p>

<p>I’d highly recommend focusing on these machines when preparing for your exam and really try and get used to doing them without write-ups or hints once you have experience!</p>

<p><strong>OffSec</strong>
https://www.offsec.com/</p>

<p>This may seem incredibly obvious, but while the learning content for the OSCP+ does draw mixed reviews it’s still important to acknowledge the exam is being supplied by OffSec so I think it’s very important to focus on the machines/learning content from Offensive Security!</p>

<p>In my opinion, the boxes both directly listed under the OSCP+ learning content (Supplied as part of the course) <strong>AND</strong> the boxes you can find on OffSec’s Proving Grounds content are the most useful/similar to those you’ll see in the exam, so I’d focus on these while learning! (Don’t forget to use the TJ Null/NetSec Trophy Room list of OffSec/Proving Grounds machines!)</p>]]></content><author><name>TomO</name></author><category term="Guide" /><category term="OSCP" /><category term="Guide" /><summary type="html"><![CDATA[Tips on preparing and passing your OSCP+ exam from a Security Analyst (x) who passed on their first attempt!]]></summary></entry></feed>