Hexacorn Ltd

Week of Data Dumps, Part 7 – registry

6 August 2022 at 20:57
By: adam
This one is not a surprise, I hope. Most forensic artifacts come from either file- or Registry-oriented artifacts. Of course, there is a macOS & OS/X world out there, there […]

Week of Data Dumps, Part 6 – file names

5 August 2022 at 20:45
By: adam
This week is longer than I thought, so time to catch up… 🙂 This one is a mess, but sometimes a bit of a mess is not a bad thing. […]

Week of Data Dumps, Part 5 – commands

31 July 2022 at 18:40
By: adam
Writing your own sandbox has many advantages – the most important is an ability to collect data only large companies have. Analysing many samples gives us a unique insight into […]

Week of Data Dumps, Part 4 – games-related strings

30 July 2022 at 20:51
By: adam
This series got a bit delayed, because I got sick last week. — This is a bit counter-intuitive – why would you want to collect strings related to games? First, […]

Week of Data Dumps, Part 3 – service names

23 July 2022 at 17:16
By: adam
Knowing what service name is what is quite useful. The attached list lists many, primarily native OS, and security product-related services that I have aggregated by looking at native services […]

The curse of being ‘technical’

22 July 2022 at 22:12
By: adam
You are either technical, or you are not. What does it mean? Many tried to answer that borderline philosophical question, but as far as I know no one is really […]

Week of Data Dumps, Part 2 – GUIDs

22 July 2022 at 20:40
By: adam
There was a time when knowing GUIDs of adware/spyware you could instantly attribute a sample to a known rogue company or group. Of course, these days are long gone, but […]

Week of Data Dumps, Part 1 – device names

21 July 2022 at 21:05
By: adam
Reversing is not only hours spent analyzing code. It’s also about collecting interesting data so that it can be used to quickly determine other programs’ functionality in the future. Recognizing […]

Shall we say… Good bye, phishing queue?

7 July 2022 at 22:19
By: adam
Imagine you stop processing your phishing reports today. Just stop. What could be the worst thing that could happen? Hmm? Of course, some people will still get phished, some […]

DriverPack – Clean PDB paths

2 July 2022 at 21:43
By: adam
Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths […]

Da Li’L World of DLL Exports and Entry Points, Part 5

1 July 2022 at 22:03
By: adam
The previous parts of this series were done ‘manually’. I would come across some new type of DLL and would jot down its properties so I would have a point […]

This post mentions many file extensions

30 June 2022 at 23:03
By: adam
What are Windows file extensions of interest? Is there a single superset of all possible file extensions that are of interest from a security perspective? I tried to answer […]

A few more protocol handlers :)

7 June 2022 at 21:40
By: adam
Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]

Not installing the installers, part 3

5 June 2022 at 16:38
By: adam
With file handlers being yet again a topic du jour it was only natural to try answering a question — how many file protocols are really out there? I tried […]

Not installing the installers, part 2

22 May 2022 at 21:05
By: adam
In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich […]

Not installing the installers

21 May 2022 at 22:22
By: adam
Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you […]

Hijacking HijackThis

20 May 2022 at 21:46
By: adam
Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies, had tons […]

Infosec Salaries – the myth and the reality

21 April 2022 at 23:00
By: adam
Update 3 If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi h1bdata.info https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit https://twitter.com/LadyCyberRosie/status/1490695657249816583 Update 2 tl;dr […]

The Anti-VM trick that is kinda… personal

16 April 2022 at 21:19
By: adam
I have written a lot about anti-vm tricks, and while this topic is so worn out that it almost feels like kicking a dead horse I felt there is still a […]