I was recently contacted by Oskar who had a problem decrypting Defender for Mac Quarantine files. After quick investigations we discovered that the encrypted file doesn’t really conform to any […]

This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]

This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out […]

Steve asked about the use cases for Yara Carpet Bomber approach and in this twitter convo I provided 2 examples of quick & dirty Yara rules: that help to find […]

I love Office-based Persistence mechanisms, because there is always… one more to discover 🙂 Take your Winword.exe from Office 2021 or Office 365. When it loads, it check if the […]

A lot of people are sharing their Yara creation (look for #100DaysofYARA tag on Twitter), so I thought I will share a bit too. This is a very unusual way […]

Another 2 bits I posted to Twitter — noticed that there is a built-in “ms-cxh” handler that was unknown to me (CXH stands for Cloud Experience Host) and there is […]

While looking at \Windows\system32\oobe\ files I had a quick check what FirstLogonAnim.exe does and discovered that on top of accepting the following command line arguments: /zdp (for Zero Day Package) […]

These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂 Still, good to document some of it in a more permanent […]

When you look at a large repository of clean files there is always an opportunity to find something interesting. For instance, list of precursors to forensic artifacts that one can […]

It’s been a long time since I did any forensic research, so today is the day. There is no old phrase coined yet — your forensic investigations’ results are as […]

With help of @simpo13 Dexray now supports Defender for Mac quarantine files. Thanks @simpo13! Download it here.

In my older tweet I gave an example of a surgical way to inject process into a chain of executed programs and launch them at a predetermined position in a […]

In my old post I have listed a number of wine functions that are exported in that environment and are not present in Windows libraries. 5 years later I decided […]

ActiveX is dead. Unless used outside of the browser, locally, lolbin-ically. Back in a day companies loved to implement extra functionality for the web via their own ActiveX controls and […]

In this Twit that I posted a few weeks ago I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine that […]

We all love Process Monitor, but what we love even more are its undocumented features. Checking program’s accepted command line arguments we can quickly discover that it can be called […]

This one was on a back burner for a while too. C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with […]

Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… […]