I love ROI-driven solutions and this post is about one of them. My personal cybersecurity consulting practice exposed me to many different types of ‘IT security’ jobs over last 13 years and today I will describe one of them… Nearly … Continue reading →

As many of you know, I am a big fan of Frida framework and I love its intuitiveness and flexibility, especially when it comes to auto-generating handlers for hooked functions, even if they are randomly chosen. In my older Frida … Continue reading →

There are many debates and infosec dramas related to vulnerability research, publishing Offensive Security Tools (OST), Proof Of Concept (POC) Code, and in recent days – some Original Gangsters (OG) are reflecting on their own doings by posting teary memoirs … Continue reading →

I love revisiting the ‘there is nothing else to be found there anymore’ cases and I described this process here. Recently, I’ve been thinking of the WINDIR environment variable. I have already covered a few cases where WoW executables could … Continue reading →

I have already covered cases where I abused WINDIR environment variable to LOLBINize some WoW executables. I thought I covered w32tm.exe before, but looking at my blog history I can’t find any reference to it. So, here it is:

Windows Explorer is a beast. It does so many things when it starts that it hurts… Sometimes, literally. One of the things it checks during its startup routine is the comparison of the Registry value HKEY_CURRENT_USER\Control Panel\Appearance\SchemeLangID and the result … Continue reading →

I was recently surprised by the fact that Windows’ nslookup.exe accepts the local config file .nslookuprc. When the program starts it resolves the environment variable HOME and then looks for a %HOME%\.nslookuprc file. It then reads this config file (if … Continue reading →

In my post from 2018 I listed a number of strategies one can use to ‘find interesting stuff’ – that post was heavily focused on Windows’ persistence mechanisms… Today Dominik posted this twit: eliminate your self defeatist attitudes to which … Continue reading →

ScriptRunner.exe is a known lolbin, but the Lolbas project doesn’t cover all of this program’s features. Timeout It can execute child processes and kill them after a certain timeout f.ex.: ScriptRunner.exe -appvscript cmd.exe -appvscriptrunnerparameters -timeout=5 Multiple invocations It can execute … Continue reading →

In my old post about certutil I mentioned that it accepts a number of less-known Unicode characters passed to its command line. Powershell accepting a number of Unicode characters representing “-” and its variations is a very well-known fact too. … Continue reading →

In my previous post I introduced the concept of bitmap hunting. Today I will show another example that helps to find a sequence of more than 2 events. Consider this artificially generated sequence of events: | makeresults | eval _time=_time … Continue reading →

Same as in the previous case, we can copy the main executable fondue.exe to a different folder f.ex. c:\test and start it from there, loading the c:\test\appwiz.cpl we control in the process.

I have mapped an extensive list of Chrome Plug-in IDs to their names before. Of course, I knew for a long time that I will need to take a look at Firefox Add-ons too…. And in fairness, I did… I … Continue reading →

One of the most annoying hunting exercises is detecting a sequence of failures followed by a success. Brute-force attacks, dictionary attacks, and finally password spray attacks have all this in common: lots of failures, sometimes followed by a success. The … Continue reading →

There is a number of .cpl files that can be loaded using their OS-native executable equivalents f.ex hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder f.ex. c:\test and load malicious hdwwiz.cpl from the very same … Continue reading →

The forfiles.exe program is a well-known lolbin. Its power comes from the /c command line argument that helps to specify a command that we want to execute for each item found by the program when it enumerates directories. The less … Continue reading →

The program has been changed since win10 and it now loads wdscore.dll almost immediately after it starts. Unfortunately, while it does so via LoadLibraryEx, the API is called in a way that is identical with calling LoadLibrary (both LoadLibraryEx arguments … Continue reading →

The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really … Continue reading →

In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command … Continue reading →

There is an archaic feature that regsvr32.exe leverages to autoregister libraries associated with file extensions. For this to work, it expects an AutoRegister key to be present under the file extension handler with a default value pointing to the library … Continue reading →

When you execute 32-bit version of runonce.exe on a 64-bit version of Windows and pass to it the /RunOnceEx6432 argument you will make the program load iernonce.dll library and execute its RunOnceExProcess API… Since the iernonce.dll library is loaded using … Continue reading →

The little known secret of regsvr32.exe is… You ready? You can load multiple DLLs at the same time. Yup. And not just one extra, but many. Let’s have a look at an example: regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx foo will first load c:\WINDOWS\system32\hhctrl.ocx … Continue reading →

Many Windows tools support commands f.ex.: We are very used to their invocations in a form of tool command but there is an alternative way to invoke them by using quotes around these commands f.ex.: This breaks many hard-coded detections. … Continue reading →

Over a decade ago I posted some random copyright banner stats from my (relatively small by today’s standards) malware repo. I really liked these stats back then and I still like them today. Why? These banners are great ‘low hanging … Continue reading →

If you’ve been reading my blog for a while now you will know that I love to challenge my threat hunting game with a lot of err…. banalities. And not the banalities I can ignore, but a lot of these … Continue reading →

‘Blade Runner’ – the cult classic movie – teaches us that the (non-)human traits/behaviors can be detected with a so-called Voight-Kampff test. This post is about discussing (not designing yet) a similar test for our threat hunting purposes… The key … Continue reading →

Inspired by Phill Moore’s new project called Ruler, I combed my collection of all old HijackThis logs (that I web scraped a long time ago) looking for paths that may be associated with security software. Unlike Phill’s, the resulting data … Continue reading →

Here’s an old-school file name-based research… it is not game changing, it won’t bring any immediate solution, but it’s still worth doing today… The software we install (focus here is on Windows, as usual) creates a loooot of files, and … Continue reading →

Update Don’t read the old post. It’s a result of an experiment and the experiment failed 🙂 Thanks to _BradleyVX who pointed out the hallucinations that sneaked in to the below list. Don’t do AI at home, kids! If you … Continue reading →