A few days ago Brian Krebs published a piece about Zeppelin key cracking, so … since I was also involved in recovering files for some of the ransomware gang victims […]

This one is a curious one. I actually don’t know how to trigger it! Yet, I will document some bits and bobs, so that you may take these entry points […]

In the first part of this series I found myself jumping from one topic to another. I will do so in part 2, too 🙂 Dealing with alert fatigue requires […]

Gazillion tickets, gazillion emails a day. The business as usual for most SOCs… It actually doesn’t matter how we got here (although I will cover some bits later on) – […]

I never thought I will write the part 1a of my old post, but here it is. As usual, I have not explored the below topic in-depth, but have certainly […]

I wrote about older Adobe scripting before. I recently discovered that Adobe products support scripting using so-called ExtendScript language with code being stored either in a source-level JSX file, or […]

~12 years ago I felt I am on the top of the (blue side of cyber) world. I knew Windows forensics pretty well, Linux forensics far less, but with some […]

In a recent Twitter exchange with Tim I mentioned my earlier post in which I described a practice of crypto code copypasting being quite prevalent. Such practice is problematic of […]

This one is not a surprise, I hope. Most of forensic artifacts come from either file- or Registry- oriented artifacts. Of course, there is a macOS&OS/X world out there, there […]

This week is longer than I thought, so time to catch up… 🙂 This one is a mess, but sometimes a bit of a mess is not a bad thing. […]

Writing your own sandbox has many advantages – the most important is an ability to collect data only large companies have. Analysing many samples gives us an unique insight into […]

This series got a bit delayed, because I got sick last week. — This is a bit counter-intuitive – why would you want to collect strings related to games? First, […]

Knowing what service name is what is quite useful. The attached list lists many, primarily native OS, and security product-related services that I have aggregated by looking at native services […]

You are either technical, or you are not. What does it mean? Many tried to answer that borderline philosophical question, but as far as I know no one is really […]

There was a time when knowing GUIDs of adware/spyware you could instantly attribute a sample to a known rogue company or group. Of course, these days are long gone, but […]

Reversing is not only hours spent analyzing code. It’s also about collecting interesting data so that it can be used to quickly determine other programs’ functionality in the future. Recognizing […]

Imagine you stop processing your phishing reports today. Just stop. What could be the worst thing that could happen? Hmm ? Of course, some people will still get phished, some […]

Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths […]

The previous parts of this series were done ‘manually’. I would come across some new type of DLL and would jot down its properties so I would have a point […]

What are Windows file extensions of interest ? Is there a single superset of all possible file extensions that are of interest from a security perspective? I tried to answer […]

Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]

With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there? I tried […]

In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]

Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]

Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc.. Antivirus companies, and later sandbox companies had tones […]

Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl; dr; […]

I have written a lot about anti-vm tricks, and while this topic is so worn out that almost feels like kicking a dead horse I felt there is still a […]

We have our sampleset. We have our metadata. What’s next? You can very quickly script searches that will look for specific files, or their properties. I mentioned section names, PDB […]

This series talks about ‘good’ files. That is, files (samples) produced by reputable vendors, often signed, and hopefully not compromised by stolen certificates, vulnerabilities, supply-chain attacks or bothered by other […]