Yesterday — 23 January 2022 (Uncategorized)

Dexray v2.32

23 January 2022 at 00:07
By: adam
I was recently contacted by Oskar who had a problem decrypting Defender for Mac Quarantine files. After quick investigations we discovered that the encrypted file doesn’t really conform to any […]

Beyond good ol’ Run key, Part 138

23 January 2022 at 00:03
By: adam
This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]
Before yesterday (Uncategorized)

Beyond good ol’ Run key, Part 137

22 January 2022 at 01:08
By: adam
This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out […]

Yara Carpet Bomber, Part 2

18 January 2022 at 23:15
By: adam
Steve asked about the use cases for the Yara Carpet Bomber approach and in this Twitter convo I provided 2 examples of quick & dirty Yara rules that help to find […]

Beyond good ol’ Run key, Part 136

18 January 2022 at 19:23
By: adam
I love Office-based Persistence mechanisms, because there is always… one more to discover 🙂 Take your Winword.exe from Office 2021 or Office 365. When it loads, it checks if the […]

Yara Carpet Bomber

16 January 2022 at 15:50
By: adam
A lot of people are sharing their Yara creations (look for the #100DaysofYARA tag on Twitter), so I thought I would share a bit too. This is a very unusual way […]

ms-cxh and ms-cxh-full handlers

16 January 2022 at 10:46
By: adam
Another 2 bits I posted to Twitter — noticed that there is a built-in “ms-cxh” handler that was unknown to me (CXH stands for Cloud Experience Host) and there is […]

Windows Installation animation

16 January 2022 at 10:04
By: adam
While looking at \Windows\system32\oobe\ files I had a quick check what FirstLogonAnim.exe does and discovered that on top of accepting the following command line arguments: /zdp (for Zero Day Package) […]

Beyond good ol’ Run key, Part 135

16 January 2022 at 09:50
By: adam
These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂 Still, good to document some of it in a more permanent […]

IBM Talk, the first one ;-)

11 January 2022 at 07:53
Our managing director Florian Hansemann was able to take part in a Christmas special at the IBM headquarters on 07.12.2021. All talks revolved around the topic of SOC & SIEM, or rather QRadar. Only our talk stood out somewhat, since we were the only red teamers allowed to look at the other side and tell a few stories from past assessments. How we […]

First radio piece: Forged vaccination certificates

28 December 2021 at 09:31
On 02.11.2021 I was able to contribute a short piece at Deutsche Welle on the subject of forged vaccination certificates. Because the topic played out very extensively in the Eastern European region, only the Russian-language section of the broadcaster had dealt with it. So don't be surprised that both the piece and the video […]

Putting .inf files and NSRL database to a better use

25 December 2021 at 23:08
By: adam
When you look at a large repository of clean files there is always an opportunity to find something interesting. For instance, list of precursors to forensic artifacts that one can […]

Mapping Chrome extension IDs to their names

24 December 2021 at 23:35
By: adam
It’s been a long time since I did any forensic research, so today is the day. There is no old phrase coined yet β€” your forensic investigations’ results are as […]

Vulnerability Wordline

21 December 2021 at 22:10
CVE: pending
Vulnerable software: HIDCCEMonitorSVC, version <= 5.2.4.3
Vulnerability: An unquoted service path in the HIDCCEMonitorSVC software allows a local attacker to potentially escalate privileges to system level.
Timeline:
29.10.2021 Vendor informed
10.11.2021 Vendor confirms the vulnerability and informs HanseSecure that the vulnerability will be patched in the next version.
21.12.2020 Disclosure
References: Hall of Fame […]

Top Security QuickFails: #5 Attack of the Clone Admins aka Missing LAPS

29 November 2021 at 07:49
#5 Attack of the Clone Admins aka Missing LAPS. The attack: At FaulerHund AG in Munich, the employees are starting a new financial year and looking forward to new challenges. So is the administrator Karl KannNixDafür, who on Thursday at around 12:30 noticed that Ute Unbeschwert's account is still logged in, even though she at around 11 […]

Dexray v2.31

11 November 2021 at 22:17
By: adam
With help of @simpo13 Dexray now supports Defender for Mac quarantine files. Thanks @simpo13! Download it here.

Top Security QuickFails: #4 No SPF

1 November 2021 at 21:48
Half past nine in the morning in Germany. Bianca at MedienBude GmbH starts her working day and checks the inbox of her e-mail account. There she finds an urgent e-mail from her boss asking her to review the latest statement.

Trololololobin and other lolololocoasters

9 October 2021 at 06:44
By: adam
In my older tweet I gave an example of a surgical way to inject process into a chain of executed programs and launch them at a predetermined position in a […]