Wael Ghnimi aka 0xW43L

👋 About Me

Senior Cyber Threat Intelligence Analyst | Former Red Teamer & Blue Teamer | Offensive & Defensive Security Expert

With a strong foundation in both offensive security (Red Team) and defensive operations (Blue Team/SOC), I bring a dual perspective to the Cyber Threat Intelligence (CTI). My career is driven by a passion for uncovering and mitigating threats, blending deep technical expertise with strategic intelligence analysis to safeguard organizations against advanced cyber adversaries.

I thrive on complex challenges, whether it’s tracking sophisticated threat actors, developing custom security tools, or conducting deep-dive investigations into evolving attack vectors. I believe in continuous learning, research, and collaboration to stay ahead in the rapidly changing cyber threat landscape.

Certifications & Professional Achievements

• OSEP (PEN-300) - Experienced Penetration Tester (Advanced Evasion Techniques and Breaching Defenses)
• eWAPTx - Web application Penetration Tester eXtreme
• CRTO - Certified Red Team Operator
• eJPT - eLearnsecurity Junior Penetration Testing
• arcX - Cyber Threat intelligence Analyst Foundation (101)
• ICTTF - Ransomware Uncovered - Specialist Certificate
• HackTheBox Prolabs: Dante

---

Research, Projects & Tool Development

Purple Teaming

• TACTFlow: Purple Teaming Framework. A public framework bridging Cyber Threat Intelligence, Red Teaming, and SOC Engineering by mapping adversary TTPs from MITRE ATT&CK to operational purple-team playbooks. Ongoing blog series walks through each tactic and sub-technique from three angles: how CTI tracks it, how Red Teams simulate it, and how SOCs detect and mitigate it. Currently releasing across the Initial Access tactic, with continuing coverage across the remaining ATT&CK lifecycle.

Penetration Testing & Red Teaming

• LDAPHunter - LDAP Enumeration Tool. A Python tool that automates LDAP enumeration for penetration testers. Extracts users, groups, organizational units (OUs), password policies, privileged memberships, and unconstrained delegation from Active Directory. Supports anonymous and authenticated access over LDAP (389) and LDAPS/TLS (636), with multiple authentication formats.

Cyber Threat Intelligence (CTI)

• IOCs Finder: Cyber Threat Intelligence Hub. Automated pipelines for the collection, normalization, and correlation of Indicators of Compromise across open and closed sources. Integrated with IBM QRadar for real-time threat intelligence enrichment inside the SIEM, and connected to the CrowdStrike API to push curated indicators directly into the endpoint detection stack.

Reverse Engineering (RE) & Malware Analysis (MA)

• Qakbot Auto-Decryptor Plugin (IDA Pro). A Python plugin for IDA Pro that automates Qakbot configuration decryption and IOC / malware-config extraction. Removed the manual unpacking and string-decryption overhead from reverse engineering Qakbot samples. Integrated into the QRadar and CrowdStrike incident response workflow for automated enrichment during active campaigns.
• CryptBot Malware Analysis Series. Three-part technical deep-dive into the CryptBot infostealer family: v1 architecture and static analysis, v2 RC4 exfiltration and NetSupport RAT delivery, v3 compiler-switch analysis and obfuscation shifts. Published on the blog.

AI & Machine Learning

• DPTML: Dynamic Penetration Testing using Machine Learning. Academic research combining reinforcement learning with the penetration testing lifecycle to automate offensive decision-making. Automated input discovery, vulnerability indicator detection, and public-exploit matching driven by live engagement findings. Included a self-directed troubleshooting loop that let the agent adapt scripts and retry on execution failures.

---

Technical Expertise & Training (Learning, Research & Knowledge Base)

This section catalogs the books, courses, tools, and platforms I use to sharpen my skills and stay at the forefront of the field.

Programming

“The only way to learn a new programming language is by writing programs in it” - Brian W. Kernighan

1. C Programming

• Books
  • The C Programming Language” by Brian W. Kernighan and Dennis M. Ritchie
• Courses
  • C Programming for Everybody Specialization - Coursera
  • Learn Memory Management in C - boot.dev

---

Cybersec-Beginner (Starting Point …)

Books

• How Cybersecurity Really Works: A Hands-On Guide for Total Beginners by Sam Grubb

---

Reverse Engineering (RE) & Malware Analysis (MA)

Courses

• Debugger 1001: Visual Studio - OST2
• Architecture 1001: x86-64 Assembly - OST2

Tools

• IDA Pro
• Ghidra
• Radare2
• gdb
• Binary Ninja
• OllyDbg
• Immunity Debugger
• x64dbg
• HxD
• Detect it Easy (DiE)
• PE Studio
• DNSpyEx
• System Informer
• Process Hacker
• PE Explorer
• PE Bear
• Resource Hacker
• Process Explorer

Services

• CAPEv2
• UnpacMe
• AnyRun
• Triage
• Hybrid Analysis
• Malpedia
• MalwareBazaar
• Malware Traffic Analysis
• Malware Information Sharing Platform (MISP)
• VirusTotal
• ReversingLabs
• AnyRun
• Cuckoo Sandbox
• Joe Sandbox
• ThreatFox
• ThreatMiner
• ThreatCrowd
• ThreatFox
• MalwareBazaar
• Malshare
• VX Underground

---

Malware & Exploit Development

Courses

• Windows Internals Courses - Pavel Yosifovich
• RED TEAM Operator: Malware Development Essentials Course - sektor7

Tools

• Visual Studio

---

Cyber Threat Intelligence (CTI)

Courses

• GCIA - GIAC Cyber Threat Intelligence
• Cyber Threat Intelligence 101 - ArcX
• Cyber Threat Intelligence Practitioner - ArcX
• Advanced Cyber Threat Intelligence Analyst - ArcX

Books

• Uncertain Shield: The U.S. Intelligence System in the Throes of Reform - by Richard A. Posner (Hoover Studies in Politics, Economics, and Society)
• Deception: The Untold Story of East-West Espionage Today - by Edward Lucas
• Enemies of Intelligence: Knowledge and Power in American National Security - by Richard K. Betts
• The Art of Intelligence - by Henry A. Crumpton
• Spurious Correlations - by Tyler Vigen
• Red Team Development and Operations: A Practical Guide - by Joe Vest
• The US Intelligence Community - by Jeffrey T. Richelson
• Active Measures: The Secret History of Disinformation and Political Warfare - by Thomas Rid
• Intelligence-Driven Incident Response: Outwitting the Adversary - by Scott J. Roberts
• Structured Analytic Techniques for Intelligence Analysis - by Richards J. Heuer Jr.
• Psychology of Intelligence Analysis - by Richards J. Heuer Jr.
• Threat Modeling: Designing for Security - by Adam Shostack
• Intelligence: From Secrets to Policy 8th Edition - by Mark Lowenthal
• Incident Response & Computer Forensics, Third Edition - by Jason T. Luttgens
• Effective Threat Intelligence: Building and Running an Intel Team for Your Organization - by James Dietle
• Visual Threat Intelligence: An Illustrated Guide For Threat Researcher - by Thomas Roccia
• Permanent Record - by Edward Snowden
• The Art of Cyberwarfare: An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime - by Jon DiMaggio

Tools

• MISP
• OpenCTI
• TheHive
• Cortex
• Sigma
• YARA
• CAPE
• OSINT Framework
• SpiderFoot
• Maltego
• Recon-ng
• Censys
• Shodan
• ThreatConnect
• Fofa

Platforms

• AlienVault OSSIM
• Elastic Security
• Splunk
• IBM QRadar
• LogRhythm
• Sekoia.io
• ThreatConnect
• ThreatQ

Frameworks

• MITRE ATT&CK
• Diamond Model of Intrusion Analysis
• Cyber Kill Chain
• Cyber Threat Intelligence (CTI) Lifecycle

Data Feeds

• AlienVault Open Threat Exchange (OTX)
• AbuseIPDB
• URLhaus
• PhishTank
• Spamhaus
• Emerging Threats
• CIRCL - MISP Threat Sharing
• Open Threat Exchange (OTX)
• AbuseIPDB
• URLhaus

Services

• Google Threat Intelligence (GTI)
• SOCRadar
• CrowdStrike Intelligence
• FalconFeeds.io
• Quointelligence
• CIRCL - MISP Threat Sharing
• OpenCTI
• MITRE ATT&CK

---

Vulnerability Assessment & Management

• Qualys
• Tenable.io (Nessus)

---

Penetration Testing

Books

• Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman

Tools

• Cobalt Strike
• Burp Suite Pro
• CrackmapExec
• netexec
• Impacket
• BloodHound
• Responder
• PowerShellMafia
• Metasploit
• Nmap
• Wireshark
• Burp Suite Community Edition
• OWASP ZAP
• SQLMap

---

EDRs (Detection and Response)

• CrowdStrike
• SentinelOne

Operating Systems

• Linux
• Windows
• macOS

Cloud Platforms

• Amazon Web Services (AWS)
• Microsoft Azure
• Google Cloud Platform (GCP)

Version Control

• Git
• GitHub
• GitLab
• Bitbucket
• SourceForge

Virtualization & Containerization

• Docker
• Kubernetes
• VirtualBox
• VMware
• Hyper-V
• Proxmox VE

---

Earned Certifications InRelation W/ University

• Fortinet - NSE 2 Network Security Associate
• Fortinet - NSE 1 Network Security Associate
• Microsoft - Microsoft Technology Associate: Security Fundamentals (MTA)
• Microsoft - Microsoft Technology Associate: Networking Fundamentals (MTA)
• Microsoft - Microsoft Technology Associate: Programming Using HTML and CSS
• Microsoft - Microsoft Office Specialist: Microsoft Powerpoint® 2016
• Microsoft - Microsoft Office Specialist: Microsoft Word 2016