Hexacorn Ltd

aMus(ing)Notification

3 January 2021 at 23:31
By: adam
Update Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the […]

Recoll – a perfect tool for Threat Intelligence Analysts and other Report Readers

1 February 2021 at 19:10
By: adam
@SwiftOnSecurity is a driving force for many cool ideas and one of them brought this looong thread about great tools people use to life. I bookmarked it and I recommend […]

Mitre Domin&trix

3 February 2021 at 22:56
By: adam
Mitre Att&ck coverage is a utopian vision of compliance promoted all over the place in recent years. I have spent many hours working towards this unicorn target and here I […]

Desperate downloader lolbin

5 February 2021 at 23:41
By: adam
I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download file to internet cache folder as shown […]

Beyond good ol’ Run key, Part 131

6 February 2021 at 21:44
By: adam
This is a bunch of legacy and not so popular anymore Registry locations that could have at some stage in the past support persistence by pointing to various editors associated […]

Misre-presentation host

8 February 2021 at 23:34
By: adam
PresentationHost.exe is a known LOLBIN so I approached it with a caution. To my surprise, I discovered that it accepts a number of command line arguments: Embedding – running as […]

Yet another secret of hosts file

18 February 2021 at 23:41
By: adam
In my old post I mentioned not a very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals. Turns […]

DownLOLoloaders

19 February 2021 at 00:00
By: adam
The previous posts about hosts files build a foundation for the trick I wanted to cover in this post. Most of native LOLBINish downloaders are already known (certutil, BITS, etc.). […]

Beyond good ol’ Run key, Part 132

24 February 2021 at 23:19
By: adam
This is a very unpromising persistence mechanism relying on environment variables (again). Combing through OpenSSL source code I came across two variables that it relies on and they are described […]

Event ID 7039 – out…pid a pid

26 February 2021 at 19:18
By: adam
This event is not very well explained on the internet, so I took a liberty of describing it below: The event message is as follows: A service process other than […]
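An added example, not part of the original post: a PowerShell one-off that pulls Event ID 7039 from the System log and splits it into the service name and the two PIDs the message describes (the one the Service Control Manager launched and the one that actually connected). The provider name and the ordering of the event's `Properties` array are assumptions to check against your own box.

```powershell
# Added example (not from the Hexacorn post). Assumptions: event 7039 is logged by the
# "Service Control Manager" provider in the System log, and its Properties array holds
# [0] service name, [1] PID launched by SCM, [2] PID that connected instead.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7039
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $launchedPid  = [int]$e.Properties[1].Value
    $connectedPid = [int]$e.Properties[2].Value

    # Triage hint: if the connecting process is still alive, record its image path;
    # a PID mismatch here is worth a look whenever the image is not the expected service binary.
    $img = (Get-Process -Id $connectedPid -ErrorAction SilentlyContinue).Path

    [pscustomobject]@{
        Time           = $e.TimeCreated
        Service        = $e.Properties[0].Value
        LaunchedPid    = $launchedPid
        ConnectedPid   = $connectedPid
        ConnectedImage = $img
    }
}
```

Run it in an elevated shell on a host where the event has fired; on a clean box the loop simply produces nothing.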

Beyond good ol’ Run key, Part 133

5 March 2021 at 23:18
By: adam
Java programs compiled into executable form using launch4j have a few interesting features that make them a good target for both persistence and LOLBIN-ish activities. When the executable starts it […]

ELF sections stats

13 March 2021 at 23:02
By: adam
If you follow my blog you may know that I have dedicated a lot of time building a very comprehensive list of PE Sections, Today I realized that I never […]

Yara & maldoc pics

7 April 2021 at 22:06
By: adam
Update It took only a few minutes for @0xkyle to point me to Halogen project. Nice one! Old post This is a little trick that you may find handy for […]

Playing CAPAeira with Yara rules

20 April 2021 at 21:46
By: adam
Writing Yara rules is easy. Writing good Yara rules is … testing – both as an adjective and a verb. There is a class of Yara rules – the one […]

FTP.EXE Lolbin v2

2 May 2021 at 11:38
By: adam
@0gtweet’s tweet inspired me to look at lolbin stuff again (as it is often the case). So… everyone knows we can use ftp.exe as a lolbin and using COMSPEC trick […]

Gup \o/ bin

2 May 2021 at 13:39
By: adam
Notepad ++ comes with a built-in Updater called GUP typically located here: c:\Program Files (x86)\Notepad++\updater\GUP.exe It is a generic downloader that accepts a range of command line arguments, and while […]

Throwing LOLBIN a tar ball

2 May 2021 at 13:42
By: adam
This post summarizes some of the findings I posted on Twitter the other day. While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command […]

Cur\o/bin

2 May 2021 at 13:53
By: adam
This post wraps up another Twitter thread I started a few days ago: If you ever get bored using “copy” to copy files you can always use … curl: curl […]

SleepStudy logs

3 May 2021 at 11:09
By: adam
Update After I posted it, Bryan linked to this article which explains how to generate SleepStudy report. Thx! Old Post A few days ago I came across ETL logs I […]