It’s been nearly 5 years since I dropped this old post about Splunk Gotchas. Okay, in fairness, I also covered SPL-based, path normalization in 2020 & bitmap-based hunting aka bitmap hunting here and here in 2024. Still… I thought it … Continue reading →

If you follow this series you should know by now that I am obsessing here not about the benefits of piracy, but about a new, powerful forensic capability: a truly actionable summary (extracted from the ever-growing evidence…). In my previous … Continue reading →

I recently caught up with torrents shared by VirusShare and after merging the new VS samples with my repo decided to extract PE section stats from all the files again…. This time, instead of actually attributing section names to protectors, … Continue reading →

In my last post I mentioned the outdated PAD files. Let’s have a closer look at them. Before we do so, a short comment first — in the era of omnipresent GenAI buzz sometimes it’s really hard to convince yourself … Continue reading →

(this is a very long post, sorry; took weeks to distill it into something that I hope is readable) As promised, today I am finally going to demonstrate that the piracy is good! (sometimes) In order to do so, I … Continue reading →

In the first part I had promised that I would demonstrate that the piracy is good! (sometimes) I kinda lied back there, but I am not going to lie today: I will tell you all about it in the part … Continue reading →

This post is going to blow your mind – I am going to demonstrate that the piracy is good! (sometimes) I like to challenge the forensic processes du jour. At least in my head. Today we often use this forensic … Continue reading →

Many forensic artifacts can be looked at from many different angles. A few years ago I proposed a concept of filighting that tried to solve a problem of finding unusual, orphaned and potentially malicious files dropped inside directories that contain … Continue reading →

Excel is the emperor of automation. Not the SOAR type, but the local one – yours. Why? Its formulas and VBA capabilities can turn many awfully mundane tasks into plenty of automation opportunities… For instance… certain programming tasks. The case/switch … Continue reading →

In my older piece I argued that we should stop caring about phishing alerts. Of course, it was a bit of a parable… Still, there is a lot of quick wins I described there that can be implemented/incorporated into phishing … Continue reading →

I love ROI-driven solutions and this post is about one of them. My personal cybersecurity consulting practice exposed me to many different types of ‘IT security’ jobs over last 13 years and today I will describe one of them… Nearly … Continue reading →

As many of you know, I am a big fan of Frida framework and I love its intuitiveness and flexibility, especially when it comes to auto-generating handlers for hooked functions, even if they are randomly chosen. In my older Frida … Continue reading →

There are many debates and infosec dramas related to vulnerability research, publishing Offensive Security Tools (OST), Proof Of Concept (POC) Code, and in recent days – some Original Gangsters (OG) are reflecting on their own doings by posting teary memoirs … Continue reading →

I love revisiting the ‘there is nothing else to be found there anymore’ cases and I described this process here. Recently, I’ve been thinking of the WINDIR environment variable. I have already covered a few cases where WoW executables could … Continue reading →

I have already covered cases where I abused WINDIR environment variable to LOLBINize some WoW executables. I thought I covered w32tm.exe before, but looking at my blog history I can’t find any reference to it. So, here it is:

Windows Explorer is a beast. It does so many things when it starts that it hurts… Sometimes, literally. One of the things it checks during its startup routine is the comparison of the Registry value HKEY_CURRENT_USER\Control Panel\Appearance\SchemeLangID and the result … Continue reading →

I was recently surprised by the fact that Windows’ nslookup.exe accepts the local config file .nslookuprc. When the program starts it resolves the environment variable HOME and then looks for a %HOME%\.nslookuprc file. It then reads this config file (if … Continue reading →

In my post from 2018 I listed a number of strategies one can use to ‘find interesting stuff’ – that post was heavily focused on Windows’ persistence mechanisms… Today Dominik posted this twit: eliminate your self defeatist attitudes to which … Continue reading →

ScriptRunner.exe is a known lolbin, but the Lolbas project doesn’t cover all of this program’s features. Timeout It can execute child processes and kill them after a certain timeout f.ex.: ScriptRunner.exe -appvscript cmd.exe -appvscriptrunnerparameters -timeout=5 Multiple invocations It can execute … Continue reading →

In my old post about certutil I mentioned that it accepts a number of less-known Unicode characters passed to its command line. Powershell accepting a number of Unicode characters representing “-” and its variations is a very well-known fact too. … Continue reading →

In my previous post I introduced the concept of bitmap hunting. Today I will show another example that helps to find a sequence of more than 2 events. Consider this artificially generated sequence of events: | makeresults | eval _time=_time … Continue reading →

Same as in the previous case, we can copy the main executable fondue.exe to a different folder f.ex. c:\test and start it from there, loading the c:\test\appwiz.cpl we control in the process.

I have mapped an extensive list of Chrome Plug-in IDs to their names before. Of course, I knew for a long time that I will need to take a look at Firefox Add-ons too…. And in fairness, I did… I … Continue reading →

One of the most annoying hunting exercises is detecting a sequence of failures followed by a success. Brute-force attacks, dictionary attacks, and finally password spray attacks have all this in common: lots of failures, sometimes followed by a success. The … Continue reading →

There is a number of .cpl files that can be loaded using their OS-native executable equivalents f.ex hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder f.ex. c:\test and load malicious hdwwiz.cpl from the very same … Continue reading →

The forfiles.exe program is a well-known lolbin. Its power comes from the /c command line argument that helps to specify a command that we want to execute for each item found by the program when it enumerates directories. The less … Continue reading →

The program has been changed since win10 and it now loads wdscore.dll almost immediately after it starts. Unfortunately, while it does so via LoadLibraryEx, the API is called in a way that is identical with calling LoadLibrary (both LoadLibraryEx arguments … Continue reading →

The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really … Continue reading →

In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command … Continue reading →

There is an archaic feature that regsvr32.exe leverages to autoregister libraries associated with file extensions. For this to work, it expects an AutoRegister key to be present under the file extension handler with a default value pointing to the library … Continue reading →