Pretty much all of my DeXRAY posts ever published have been focusing on new versions of this tool being released. Today I will talk about the ‘making of the sausages’ part […]
A decade ago blue teaming was … easy (this is a really bad joke, I know!). In fairness, we had fewer targets, fewer programming languages to deal with, fewer platforms, […]
I love looking at clusters of files, because it’s the easiest way to find patterns. In the last part of this series I focused on Nullsoft installers (DLLs!) only, and […]
I just realized I have never published a post about the lolbinish/persistencish Matlab feature that I referred to in this twit. The TL;DR is that Matlab can load a DLL of […]
In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at win11 PE sections and am happy to report that […]
I have read Ali’s question with great interest, because it’s questions like this that make you pause and think. In my reply I suggested that the context is […]
In my recent post I focused on localization issues, but there is (always!) more… Take a look at the Windows 11 ARM version – when you install it you will […]
I love Detect It Easy. It’s my go-to tool when it comes to triaging malicious samples and it continuously exceeds my expectations… Except the times when I forget to use […]
A long time ago (when I used to make my own crosswords), one of my favorite targets was building them in a way that made them either have some special properties, […]
I never heard of OBS (Open Broadcaster Software), until I saw this Twitter thread. After downloading it, trying it, tinkering with it… I actually found it far more confusing than […]
One of my old hobbies is playing with words. I love all sorts of dad jokes, “the longest” words, “the weirdest” words, “foreign words”, homonyms, homophones, palindromes, synonyms, antonyms, metonyms, […]
Social media are full of questions that are formulated in a passive, passive-aggressive, or upfront aggressive way, often using common fallacies in a manipulative way to discourage dialogue. It is […]
A few years ago I released a list of ‘bad’ mutexes/mutants. That list was generated from my malware sandbox reports. I thought that it may be good to revisit the […]
So you finished writing your perfect threat hunting query. Done and dusted, right? Hmm, sorry… chances are, it is… broken. How come? One reason, but it has many acronyms: L10N, […]
In my recent post on Mastodon I asked if there is any repo of Shadowpad side-loading combos. I asked because a long time ago I created one for PlugX, and […]
One of the most common use cases we come across during our malware analysis exercises is a ROI-driven comparison of features between many samples of the same malware family. Yes, […]
A few days ago I posted a very specific question on Twitter and Mastodon: You’ve got a gazillion random YARA rules stored inside many random .yar files scattered around many […]
In its recent blog post AhnLab described a campaign that relies on SHell Compiled (SHC) ELF files. I wanted to see if I could replicate their reverse engineering work and […]
Today I will talk about automated query-building using Excel. Working as a detection engineering and/or threat hunting specialist we often need to create a lot of queries including a lot […]
In my old article I demonstrated an atypical approach one may take to browse through similarly-looking security artifacts while analyzing a gazillion of similarly looking URLs in Excel. I […]
In my last post I referred to something that I call “putting elf on the shelf”. The idea is simple — Windows is a very rich environment when it comes […]
Every once in a while I come across questions from RCE analysts who are asking how to analyze samples when either existing tools don’t work, or when they (analysts) get […]
This is a real oldie, but still worth a mention… Java gives us a lot of persistence possibilities and one of them is environment variables; when set, they will be […]
It is now. It is happening. You have finally submitted your resignation letter and you are leaving the company. Your accounts will be closed, and access to all company systems […]
Over the last few years we moved away from a SOC that used to be almost solely focused on Network and Windows events and artifacts (probably a strong fintech bias here) […]
If you ever used shellcode_hashes IDA plugin from Mandiant, you probably have also used make_sc_hash_db.py before. But, if you haven’t, this post is for you. The focus of the article […]
I love environmental variables. They are often post-worthy, and sometimes they are just simply cool. Yet, many are still not known. Many are still not described. Looking for ‘easy’ research […]