Hexacorn Ltd
Week of Data Dumps, Part 7 – registry
6 August 2022 at 20:57
This one is not a surprise, I hope. Most of forensic artifacts come from either file- or Registry- oriented artifacts. Of course, there is a macOS & OS X world out there, there […]
Week of Data Dumps, Part 6 – file names
5 August 2022 at 20:45
This week is longer than I thought, so time to catch up… 🙂 This one is a mess, but sometimes a bit of a mess is not a bad thing. […]
Week of Data Dumps, Part 5 – commands
31 July 2022 at 18:40
Writing your own sandbox has many advantages – the most important is an ability to collect data only large companies have. Analysing many samples gives us a unique insight into […]
Week of Data Dumps, Part 4 – games-related strings
30 July 2022 at 20:51
This series got a bit delayed, because I got sick last week. – This is a bit counter-intuitive – why would you want to collect strings related to games? First, […]
Week of Data Dumps, Part 3 – service names
23 July 2022 at 17:16
Knowing what service name is what is quite useful. The attached list contains many, primarily native OS, and security product-related services that I have aggregated by looking at native services […]
The curse of being “technical”
22 July 2022 at 22:12
You are either technical, or you are not. What does it mean? Many tried to answer that borderline philosophical question, but as far as I know no one is really […]
Week of Data Dumps, Part 2 – GUIDs
22 July 2022 at 20:40
There was a time when knowing GUIDs of adware/spyware you could instantly attribute a sample to a known rogue company or group. Of course, these days are long gone, but [β¦]
Week of Data Dumps, Part 1 – device names
21 July 2022 at 21:05
Reversing is not only hours spent analyzing code. It’s also about collecting interesting data so that it can be used to quickly determine other programs’ functionality in the future. Recognizing […]
Shall we say… Good bye, phishing queue?
7 July 2022 at 22:19
Imagine you stop processing your phishing reports today. Just stop. What could be the worst thing that could happen? Hmm? Of course, some people will still get phished, some […]
DriverPack – Clean PDB paths
2 July 2022 at 21:43
Unique PDB debug paths embedded inside malware are useful to detect other variants of the malicious family (not applicable to more advanced malware families where authors either wipe the paths [β¦]
Da Li’L World of DLL Exports and Entry Points, Part 5
1 July 2022 at 22:03
The previous parts of this series were done “manually”. I would come across some new type of DLL and would jot down its properties so I would have a point […]
This post mentions many file extensions
30 June 2022 at 23:03
What are Windows file extensions of interest? Is there a single superset of all possible file extensions that are of interest from a security perspective? I tried to answer […]
A few more protocol handlers :)
7 June 2022 at 21:40
Ug_0Security asked, and I am answering 🙂 Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one […]
Not installing the installers, part 3
5 June 2022 at 16:38
With file handlers being yet again a topic du jour it was only natural to try answering a question – how many file protocols are really out there? I tried […]
Not installing the installers, part 2
22 May 2022 at 21:05
In the last post I described how we can pull some interesting metadata from decompiled installers. Today I want to discuss one practical example of how this data can enrich [β¦]
Not installing the installers
21 May 2022 at 22:22
Looking at installers of goodware is quite boring. They do the right thing, at least most of the time, and there is not much to see there. However, if you [β¦]
Hijacking HijackThis
20 May 2022 at 21:46
Long before endpoint event logging became a norm it was incredibly difficult to collect information about popular processes, services, paths, CLSIDs, etc. Antivirus companies, and later sandbox companies had tons […]
Infosec Salaries – the myth and the reality
21 April 2022 at 23:00
Update 3: If you want to know more about salaries at FAANG and all over the world look at the following resources: levels.fyi, h1bdata.info, https://docs.google.com/spreadsheets/d/1TWvPQalmwl1sIS3n2eOU4KST4oJwcxtSfT8lMo9IgVM/edit, https://twitter.com/LadyCyberRosie/status/1490695657249816583. Update 2: tl;dr […]
The Anti-VM trick that is kinda… personal
16 April 2022 at 21:19
I have written a lot about anti-vm tricks, and while this topic is so worn out that it almost feels like kicking a dead horse I felt there is still a […]