Hexacorn Ltd

Event ID 7039 – out…pid a pid

26 February 2021 at 19:18
By: adam
This event is not very well explained on the internet, so I took the liberty of describing it below: The event message is as follows: A service process other than […]

Beyond good ol’ Run key, Part 132

24 February 2021 at 23:19
By: adam
This is a very unpromising persistence mechanism relying on environment variables (again). Combing through the OpenSSL source code, I came across two variables that it relies on, and they are described […]

DownLOLoloaders

19 February 2021 at 00:00
By: adam
The previous posts about hosts files build a foundation for the trick I wanted to cover in this post. Most of the native LOLBIN-ish downloaders are already known (certutil, BITS, etc.). […]

Yet another secret of hosts file

18 February 2021 at 23:41
By: adam
In my old post I mentioned the not very well-known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals. Turns […]

Misre-presentation host

8 February 2021 at 23:34
By: adam
PresentationHost.exe is a known LOLBIN, so I approached it with caution. To my surprise, I discovered that it accepts a number of command line arguments: Embedding – running as […]

Beyond good ol’ Run key, Part 131

6 February 2021 at 21:44
By: adam
This is a bunch of legacy and not-so-popular-anymore Registry locations that could have, at some stage in the past, supported persistence by pointing to various editors associated […]

Desperate downloader lolbin

5 February 2021 at 23:41
By: adam
I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download a file to the internet cache folder as shown […]

Mitre Domin&trix

3 February 2021 at 22:56
By: adam
Mitre Att&ck coverage is a utopian vision of compliance promoted all over the place in recent years. I have spent many hours working towards this unicorn target and here I […]

Recoll – a perfect tool for Threat Intelligence Analysts and other Report Readers

1 February 2021 at 19:10
By: adam
@SwiftOnSecurity is a driving force for many cool ideas and one of them brought this looong thread about great tools people use to life. I bookmarked it and I recommend […]

aMus(ing)Notification

3 January 2021 at 23:31
By: adam
Update Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the […]

handle..ing SHAllocShared

25 December 2020 at 23:53
By: adam
There couldn’t be a less misleading post title than the one I chose for this entry. The function SHAllocShared is documented, may not be very well known, but we may […]

Beyond Fear

22 December 2020 at 00:50
By: adam
In his book Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier tells us that: a) 9/11 was an evilish, but brilliant plan, b) risk assessment is hard, […]

Propagate, Ribbonate

22 December 2020 at 00:09
By: adam
I thought the Propagate technique was a dead horse. Described, implemented, used in malware. But. There is perhaps one more possibility, or four. When you open Windows Explorer and Ribbons are […]

FaaS for noobs

6 December 2020 at 00:53
By: adam
This is the first version of this article. Due to nuances, and things I forgot while writing its first version I will come back to it to fix stuff I […]

csrss.exe and its manifests

5 December 2020 at 23:23
By: adam
This is yet another odd behavior I spotted using Procmon. I was curious what .manifest files may be missing on my test Windows 10 system. The idea was that if […]

TestHooks, take 2

2 December 2020 at 23:20
By: adam
In my older post I mentioned TestHooks in the context of Windows Update. Studying Windows 10 binaries brings more interesting findings. A few days ago I stumbled upon the Test_TestHookIndex string inside […]

Re-sauce, Part 3

27 November 2020 at 22:36
By: adam
I like extracting data from many samples because this way I often discover new things. Combing through a set of manifest files I have extracted from a large sample set of […]

Updated appid_calc.pl & dexray.pl

26 November 2020 at 22:56
By: adam
Stuart pinged me about an issue with appid_calc.pl, so I updated the tool to fix the bug. You can download appid_calc from here. And Brian did another run over dexray […]

Commander Minority Report

21 November 2020 at 00:55
By: adam
This is an idea I have not tested in practice, but it emerged in response to a simple question: What if sysmon, 4688, EDR command line logging couldn’t catch a […]