Hexacorn Ltd

Dealing with alert fatigue, Part 1

1 October 2022 at 23:43
By: adam
Gazillion tickets, gazillion emails a day. The business as usual for most SOCs… It actually doesn’t matter how we got here (although I will cover some bits later on) – […]

Inserting data into other processes’ address space, part 1a

21 September 2022 at 22:05
By: adam
I never thought I would write part 1a of my old post, but here it is. As usual, I have not explored the below topic in-depth, but have certainly […]

Adobe: JSX and JSXBIN files

2 September 2022 at 22:21
By: adam
I wrote about older Adobe scripting before. I recently discovered that Adobe products support scripting using so-called ExtendScript language with code being stored either in a source-level JSX file, or […]

What to know, what to learn? What are useful skills for cyber in 2022?

19 August 2022 at 23:41
By: adam
~12 years ago I felt I was on top of the (blue side of cyber) world. I knew Windows forensics pretty well, Linux forensics far less, but with some […]

Password as a (Yara) Service

19 August 2022 at 21:43
By: adam
In a recent Twitter exchange with Tim I mentioned my earlier post in which I described a practice of crypto code copypasting being quite prevalent. Such practice is problematic of […]

Week of Data Dumps, Part 7 – registry

6 August 2022 at 20:57
By: adam
This one is not a surprise, I hope. Most forensic artifacts come from either file- or Registry-oriented artifacts. Of course, there is a macOS&OS/X world out there, there […]

Week of Data Dumps, Part 6 – file names

5 August 2022 at 20:45
By: adam
This week is longer than I thought, so time to catch up… 🙂 This one is a mess, but sometimes a bit of a mess is not a bad thing. […]

Week of Data Dumps, Part 5 – commands

31 July 2022 at 18:40
By: adam
Writing your own sandbox has many advantages – the most important is an ability to collect data only large companies have. Analysing many samples gives us a unique insight into […]

Week of Data Dumps, Part 4 – games-related strings

30 July 2022 at 20:51
By: adam
This series got a bit delayed, because I got sick last week. — This is a bit counter-intuitive – why would you want to collect strings related to games? First, […]

Week of Data Dumps, Part 3 – service names

23 July 2022 at 17:16
By: adam
Knowing what service name is what is quite useful. The attached list lists many, primarily native OS, and security product-related services that I have aggregated by looking at native services […]

The curse of being ‘technical’

22 July 2022 at 22:12
By: adam
You are either technical, or you are not. What does it mean? Many tried to answer that borderline philosophical question, but as far as I know no one is really […]

Week of Data Dumps, Part 2 – GUIDs

22 July 2022 at 20:40
By: adam
There was a time when knowing GUIDs of adware/spyware you could instantly attribute a sample to a known rogue company or group. Of course, these days are long gone, but […]

Week of Data Dumps, Part 1 – device names

21 July 2022 at 21:05
By: adam
Reversing is not only hours spent analyzing code. It’s also about collecting interesting data so that it can be used to quickly determine other programs’ functionality in the future. Recognizing […]

Shall we say… Good bye, phishing queue?

7 July 2022 at 22:19
By: adam
Imagine you stop processing your phishing reports today. Just stop. What could be the worst thing that could happen? Hmm? Of course, some people will still get phished, some […]

DriverPack – Clean PDB paths

2 July 2022 at 21:43
By: adam
Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths […]

Da Li’L World of DLL Exports and Entry Points, Part 5

1 July 2022 at 22:03
By: adam
The previous parts of this series were done ‘manually’. I would come across some new type of DLL and would jot down its properties so I would have a point […]

This post mentions many file extensions

30 June 2022 at 23:03
By: adam
What are Windows file extensions of interest? Is there a single superset of all possible file extensions that are of interest from a security perspective? I tried to answer […]

A few more protocol handlers :)

7 June 2022 at 21:40
By: adam
Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]

Not installing the installers, part 3

5 June 2022 at 16:38
By: adam
With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there? I tried […]