Hexacorn Ltd

Dexray v2.32

23 January 2022 at 00:07
By: adam
I was recently contacted by Oskar who had a problem decrypting Defender for Mac Quarantine files. After quick investigations we discovered that the encrypted file doesn’t really conform to any […]

Beyond good ol’ Run key, Part 138

23 January 2022 at 00:03
By: adam
This is a post that should have appeared here at least 10 years ago. There is an enigmatic Registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll that I came across many times before. The […]
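The excerpt above names the Registry value without saying how to check it. The following PowerShell snippet is an added example, not code from the Hexacorn post, that reads the value and flags deviations from what the post states is there by default. It assumes that a bare file name resolves against System32, that the stock peerdist.dll is Microsoft-signed, and that a different name, a missing target, or a non-Microsoft signature is worth investigating; those are the author's hunting assumptions here, not facts established by the post.

```powershell
# Added example (not from the Hexacorn post): audit the PeerDist extension
# DLL entry. Assumptions: a default install holds "peerdist.dll", which
# resolves to a Microsoft-signed file under System32; anything else is
# reported as a finding for a human to review.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Extension'
$valueName = 'PeerdistDllName'

function Test-PeerDistExtension {
    $findings = @()
    $item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.PSObject.Properties[$valueName]) {
        return [pscustomobject]@{ Present = $false; Value = $null; Resolved = $null; Findings = @('value not present') }
    }
    $value = [string]$item.$valueName

    # Assumption: a bare name is looked up in System32; a rooted path is used as written.
    $resolved = if ([System.IO.Path]::IsPathRooted($value)) { $value } else { Join-Path $env:SystemRoot "System32\$value" }

    if ($value -ne 'peerdist.dll') { $findings += "non-default value: $value" }

    if (-not (Test-Path -LiteralPath $resolved)) {
        $findings += "target does not exist: $resolved"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status $($sig.Status): $resolved"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signed by non-Microsoft subject: $($sig.SignerCertificate.Subject)"
        }
    }

    [pscustomobject]@{ Present = $true; Value = $value; Resolved = $resolved; Findings = $findings }
}

Test-PeerDistExtension | Format-List
```

An empty Findings list means the value matches the default described above and the file it points to carries a valid Microsoft signature; anything listed is a lead, not a verdict, since legitimate software can in principle change this value too.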

Beyond good ol’ Run key, Part 137

22 January 2022 at 01:08
By: adam
This is a neat persistence trick you can use… if you got access to TrustedInstaller… The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out […]

Yara Carpet Bomber, Part 2

18 January 2022 at 23:15
By: adam
Steve asked about the use cases for Yara Carpet Bomber approach and in this twitter convo I provided 2 examples of quick & dirty Yara rules: that help to find […]

Beyond good ol’ Run key, Part 136

18 January 2022 at 19:23
By: adam
I love Office-based Persistence mechanisms, because there is always… one more to discover 🙂 Take your Winword.exe from Office 2021 or Office 365. When it loads, it check if the […]

Yara Carpet Bomber

16 January 2022 at 15:50
By: adam
A lot of people are sharing their Yara creation (look for #100DaysofYARA tag on Twitter), so I thought I will share a bit too. This is a very unusual way […]

ms-cxh and ms-cxh-full handlers

16 January 2022 at 10:46
By: adam
Another 2 bits I posted to Twitter — noticed that there is a built-in “ms-cxh” handler that was unknown to me (CXH stands for Cloud Experience Host) and there is […]

Windows Installation animation

16 January 2022 at 10:04
By: adam
While looking at \Windows\system32\oobe\ files I had a quick check what FirstLogonAnim.exe does and discovered that on top of accepting the following command line arguments: /zdp (for Zero Day Package) […]

Beyond good ol’ Run key, Part 135

16 January 2022 at 09:50
By: adam
These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂 Still, good to document some of it in a more permanent […]

Putting .inf files and NSRL database to a better use

25 December 2021 at 23:08
By: adam
When you look at a large repository of clean files there is always an opportunity to find something interesting. For instance, list of precursors to forensic artifacts that one can […]

Mapping Chrome extension IDs to their names

24 December 2021 at 23:35
By: adam
It’s been a long time since I did any forensic research, so today is the day. There is no old phrase coined yet — your forensic investigations’ results are as […]

Dexray v2.31

11 November 2021 at 22:17
By: adam
With help of @simpo13 Dexray now supports Defender for Mac quarantine files. Thanks @simpo13! Download it here.

Trololololobin and other lolololocoasters

9 October 2021 at 06:44
By: adam
In my older tweet I gave an example of a surgical way to inject process into a chain of executed programs and launch them at a predetermined position in a […]

Wine tasting, again

10 July 2021 at 16:51
By: adam
In my old post I have listed a number of wine functions that are exported in that environment and are not present in Windows libraries. 5 years later I decided […]

KillBit legacy – in search for ActiveX Lolbins

11 June 2021 at 22:07
By: adam
ActiveX is dead. Unless used outside of the browser, locally, lolbin-ically. Back in a day companies loved to implement extra functionality for the web via their own ActiveX controls and […]

Shopping for LOLbins

10 June 2021 at 22:13
By: adam
In this Twit that I posted a few weeks ago I demoed how to use older versions of Photoshop and Illustrator to execute calculator via their internal scripting engine that […]

A story about Procmon (no, not that one – its misbehaving client)

26 May 2021 at 22:49
By: adam
We all love Process Monitor, but what we love even more are its undocumented features. Checking program’s accepted command line arguments we can quickly discover that it can be called […]

Excellent Conversions (and downloads)

23 May 2021 at 22:19
By: adam
This one was on a back burner for a while too. C:\Program Files*\Microsoft Office\root\Office*\excelcnv.exe is a program that helps to convert various documents to XLSX format. While playing around with […]

BYOT – Bring Your Own Telemetry

20 May 2021 at 21:33
By: adam
Research is a funny business. You look at some stuff, you conclude it’s impossible, and then… you forget about it. So you think. It gets stuck in your head… somewhere… […]