Hexacorn Ltd

When good URLs are bad for business

By: adam
Analyzing memory dumps comes with a price – 'good' information overload. One that annoys me a lot is running URL/domain extraction tools over the memdump and finding tons of legitimate […]

DeXRAY 2.24 update

By: adam
Added yet another file type to the list – K7 <md5>.qtn. The latest version of DeXRAY can be downloaded here. DeXRAY supports: AhnLab (V3B) Amiti (IFC) ASquared (EQF) Avast ([email protected]=’-chest- […]

DeXRAY 2.25 update

By: adam
I recently learned there are a lot of new (to me) AV companies that I had never heard of. As such, it became an opportunity to update DeXRAY with additional decryption […]

Re-sauce, Part 2

By: adam
In part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resource instead. Some developers like to use strings to name […]

Commander Minority Report

By: adam
This is an idea I have not tested in practice, but it emerged in response to a simple question: What if sysmon, 4688, EDR command line logging couldn’t catch a […]

Updated appid_calc.pl & dexray.pl

By: adam
Stuart pinged me about an issue with appid_calc.pl, so I updated the tool to fix the bug. You can download appid_calc from here. And Brian did another run over dexray […]

Re-sauce, Part 3

By: adam
I like extracting data from many samples because this way I often discover new things. Combing through a set of manifest files I have extracted from a large sample set of […]

TestHooks, take 2

By: adam
In my older post I mentioned TestHooks in the context of Windows Update. Studying Windows 10 binaries brings more interesting findings. A few days ago I stumbled upon the Test_TestHookIndex string inside […]

csrss.exe and its manifests

By: adam
This is yet another odd behavior I spotted using Procmon. I was curious what .manifest files may be missing on my test Windows 10 system. The idea was that if […]

FaaS for noobs

By: adam
This is the first version of this article. Due to nuances, and things I forgot while writing its first version, I will come back to it to fix stuff I […]

Propagate, Ribbonate

By: adam
I thought the Propagate technique was a dead horse. Described, implemented, used in malware. But. There is perhaps one more possibility, or four. When you open Windows Explorer and Ribbons are […]

Beyond Fear

By: adam
In his book Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier tells us that: a) 9/11 was an evilish, but brilliant plan, b) risk assessment is hard, […]

handle..ing SHAllocShared

By: adam
There couldn’t be a less misleading post title than the one I chose for this entry. The function SHAllocShared is documented, may not be very well known, but we may […]

aMus(ing)Notification

By: adam
Update Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the […]

Recoll – a perfect tool for Threat Intelligence Analysts and other Report Readers

By: adam
@SwiftOnSecurity is a driving force for many cool ideas and one of them brought this looong thread about great tools people use to life. I bookmarked it and I recommend […]

Mitre Domin&trix

By: adam
Mitre Att&ck coverage is a utopian vision of compliance promoted all over the place in recent years. I have spent many hours working towards this unicorn target and here I […]

Desperate downloader lolbin

By: adam
I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download a file to the internet cache folder as shown […]

Beyond good ol’ Run key, Part 131

By: adam
This is a bunch of legacy and not-so-popular-anymore Registry locations that could have, at some stage in the past, supported persistence by pointing to various editors associated […]

Misre-presentation host

By: adam
PresentationHost.exe is a known LOLBIN so I approached it with caution. To my surprise, I discovered that it accepts a number of command line arguments: Embedding – running as […]