RSS Security

Hexacorn Ltd

Beyond good ol’ Run key, Part 134

3 May 2021 at 19:19
By: adam
This one is for historical reasons, primarily. Old Adobe Photoshop/ImageReady used to have a feature called “Jump to” which is neatly described here. The feature was implemented via a simple […]

Non-debugging uses of CDB

3 May 2021 at 12:25
By: adam
Catching up with another tweet from 3 months ago. VMWare Workstation installs cdb.exe debugger for you – you can play around with its features if you happen to find it […]

Debug Environment Variable are \o/

3 May 2021 at 11:56
By: adam
Looking at the list of debug environment variables one can immediately spot a lot of room for abuse. One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY, SRCSRV_INI_FILE to point […]

SleepStudy logs

3 May 2021 at 11:09
By: adam
Update: After I posted it, Bryan linked to this article which explains how to generate a SleepStudy report. Thx! Old Post: A few days ago I came across ETL logs I […]


2 May 2021 at 13:53
By: adam
This post wraps up another Twitter thread I started a few days ago: If you ever get bored using “copy” to copy files you can always use … curl: curl […]

Throwing LOLBIN a tar ball

2 May 2021 at 13:42
By: adam
This post summarizes some of the findings I posted on Twitter the other day. While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command […]

Gup \o/ bin

2 May 2021 at 13:39
By: adam
Notepad++ comes with a built-in Updater called GUP typically located here: c:\Program Files (x86)\Notepad++\updater\GUP.exe It is a generic downloader that accepts a range of command line arguments, and while […]

FTP.EXE Lolbin v2

2 May 2021 at 11:38
By: adam
@0gtweet's tweet inspired me to look at lolbin stuff again (as is often the case). So… everyone knows we can use ftp.exe as a lolbin and using COMSPEC trick […]

Playing CAPAeira with Yara rules

20 April 2021 at 21:46
By: adam
Writing Yara rules is easy. Writing good Yara rules is … testing – both as an adjective and a verb. There is a class of Yara rules – the one […]

Yara & maldoc pics

7 April 2021 at 22:06
By: adam
Update: It took only a few minutes for @0xkyle to point me to the Halogen project. Nice one! Old post: This is a little trick that you may find handy for […]

ELF sections stats

13 March 2021 at 23:02
By: adam
If you follow my blog you may know that I have dedicated a lot of time to building a very comprehensive list of PE Sections. Today I realized that I never […]

Beyond good ol’ Run key, Part 133

5 March 2021 at 23:18
By: adam
Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. When the executable starts it […]

Event ID 7039 – out…pid a pid

26 February 2021 at 19:18
By: adam
This event is not very well explained on the internet, so I took the liberty of describing it below: The event message is as follows: A service process other than […]

Beyond good ol’ Run key, Part 132

24 February 2021 at 23:19
By: adam
This is a very unpromising persistence mechanism relying on environment variables (again). Combing through OpenSSL source code I came across two variables that it relies on and they are described […]


19 February 2021 at 00:00
By: adam
The previous posts about hosts files build a foundation for the trick I wanted to cover in this post. Most of native LOLBINish downloaders are already known (certutil, BITS, etc.). […]

Yet another secret of hosts file

18 February 2021 at 23:41
By: adam
In my old post I mentioned not a very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals. Turns […]

Misre-presentation host

8 February 2021 at 23:34
By: adam
PresentationHost.exe is a known LOLBIN so I approached it with caution. To my surprise, I discovered that it accepts a number of command line arguments: Embedding – running as […]

Beyond good ol’ Run key, Part 131

6 February 2021 at 21:44
By: adam
This is a bunch of legacy and not so popular anymore Registry locations that could have at some stage in the past supported persistence by pointing to various editors associated […]

Desperate downloader lolbin

5 February 2021 at 23:41
By: adam
I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download a file to the internet cache folder as shown […]