It’s easy to say ‘we follow the Sun’ or ‘we deliver that 24/7/365 service’. The story doesn’t end there though – the delivery part of this promise has a different story to tell. The one that is rarely talked about, … Continue reading →

This is probably the most unusual blog post I have ever written here… Oh, well… — TL;DR; My wife and I recently stayed at a pretty expensive hotel. I won’t name and shame, but it’s fair to say they didn’t … Continue reading →

A few days ago kernelv0id asked about an undocumented Excel format that he observed being used by one of the payloads he was analysing. He saw a malicious .xlsb file dropping a file that was being saved with a file … Continue reading →

Nearly two years ago I published a quick summary of my analysis of NSRL data. I believe I was the first one to publicly evaluate this data set, and I still stand by the harsh conclusions I reached back then, … Continue reading →

It may sound a bit counterintuitive, but some very known lolbins often make it to places that no one ever thought would be possible… Continuing the topic I started a few days earlier, today I will explore a few more … Continue reading →

I recently came across a malware sample that included the following, mysterious string: There are a few versions of this strings out there (extracted from a few malware samples downloaded in 2023): 961c151d2e87f2686a955a9be24d316f1362bf21 2.1.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.5.0 961c151d2e87f2686a955a9be24d316f1362bf21 3.6.1 961c151d2e87f2686a955a9be24d316f1362bf21 3.9.1 … Continue reading →

Update This post has been featured in Josh Hammond’s video! Yay, thanks Josh! Also, you should know that there are many other great resources online focusing on Yara performance improvements, efficiency, etc. f.ex: Old Post In my previous post I … Continue reading →

We are all quite fixated on a purity of lolbins. Best if it is a hidden/undocumented/unexpected behavior of a native OS binary that can be abused for some nefarious purposes. I, obviously, love these the most, too. However… Living Off … Continue reading →

Have you ever wondered where all the threat intel feeds come from? How do these companies know that this, or that email account has been compromised? How do they identify breaches, early? How do they collect data in a way … Continue reading →

It’s been nearly 4 years since I published my last article in this series providing the community with a large corpora of sandbox reports (apilog_2019-07-14). One of the less known (but still pretty interesting, artifact-wise) findings inside this 200MB+ file … Continue reading →

The cyber consulting world delivers a lot of useful security work. They do workshops, trainings, table top exercises, they write playbooks, red team, provide assessments, and help companies with gap analysis, system configuration and hardening. Many of these engagements often … Continue reading →

I love JSON-formatted data so much that… anytime I see something valuable stored in this format I really can’t resist the temptation of converting it to CSV so that I can actually browse it and/or visually understand/analyze some of it … Continue reading →

One of the most important (basic) technical skills in cybersecurity are: Knowing Excel (or Google sheets) Knowing basic programming/scripting (bash, cmd, powershell, vbs, vba, autoit, python, perl, etc.) Knowing and staying up to date with tools I covered item #1 … Continue reading →

I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even […]

Many PHP webshells are encrypted, encoded, obfuscated in many different ways, but most use a rudimentary approach relying on engaging the same sequence of code ‘hiding’ routines repetitively, sequences that […]

In my older posts I have shown how to deal with ‘encrypted’ or otherwise ‘protected’ script-to-exe executable files that aim to hide, obfuscate, or otherwise make scripts used to generate […]

Pretty much all of my DeXRAY posts ever published been focusing on new versions of this tool being released. Today I will talk about the ‘making of the sausages’ part […]

A decade ago blue teaming was … easy (this is a really bad joke, I know!). In fairness, we had less targets, less programming languages to deal with, less platforms, […]

I love looking at clusters of files, because it’s the easiest way to find patterns. In the last part of this series I focused on Nullsoft installers (DLLs!) only, and […]

I just realized I have never published a post about lolbinish/persistencish Matlab feature that I referred to in this twit. The Tl;dr; is that Matlab can load a DLL of […]

In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at win11 PE sections and am happy to report that […]

Windows 11’s advapi32.dll includes interesting export functions: ElfBackupEventLogFileA ElfBackupEventLogFileW ElfChangeNotify ElfClearEventLogFileA ElfClearEventLogFileW ElfCloseEventLog ElfDeregisterEventSource ElfFlushEventLog ElfNumberOfRecords ElfOldestRecord ElfOpenBackupEventLogA ElfOpenBackupEventLogW ElfOpenEventLogA ElfOpenEventLogW ElfReadEventLogA ElfReadEventLogW ElfRegisterEventSourceA ElfRegisterEventSourceW ElfReportEventA ElfReportEventAndSourceW ElfReportEventW And I […]

I have read Ali‘s question with a great interest, because it’s the questions like this that make you pause and think. In my reply I suggested that the context is […]

In my recent post I focused on localization issues, but there is (always!) more… Take a look at the Windows 11 ARM version – when you install it you will […]

I love Detect It Easy. It’s my go-to tool when it comes to triaging malicious samples and it continuously exceeds my expectations… Except the times when I forget to use […]

Long time ago (when I used to make my own cross-words), one of my favorite targets was building them in a way that made them either have some special properties, […]

I never heard of OBS (Open Broadcaster Software), until I saw this Twitter thread. After downloading it, trying it, tinkering with it… I actually found it far more confusing than […]

One of my old hobbies is playing with words. I love all sort of dad jokes, “the longest” words, “the weirdest” words, “foreign words”, homonyms, homophones, palindromes, synonyms, antonyms, metonyms, […]

Social media are full of questions that are formulated in a passive, passive-aggressive, or upfront aggressive way, often using common fallacies in a manipulative way to discourage dialogue. It is […]