| 2024-11-17 |
AdobeFips – Adobe Reader Lolbin |
Living off the land ‧ adam |
|
| 2024-11-16 |
Beyond good ol’ Run key, Part 144 |
Autostart (Persistence) ‧ adam |
|
| 2024-11-09 |
The different type of relocation aka Moving between countries in practice 1/n |
Relocation ‧ adam |
|
| 2024-11-08 |
Beating the dead horse, only to inject it some more… |
Archaeology ‧ adam |
|
| 2024-11-06 |
Procmonning the Win11_24H2 build |
Archaeology ‧ adam |
|
| 2024-10-27 |
Some notes on Windows 11 Notepad |
Archaeology ‧ adam |
|
| 2024-10-26 |
Going reverse on reversing tools… |
Archaeology ‧ adam |
|
| 2024-10-26 |
Installing latest Ghidra w/o installing it |
Ghidra ‧ adam |
|
| 2024-10-20 |
Beyond good ol’ Run key, Part 143 |
Archaeology ‧ adam |
|
| 2024-10-20 |
advpack.dll and IEAdvpack.dll logging capability |
Archaeology ‧ adam |
|
| 2024-10-13 |
The Sweet16 – the oldbin lolbin called setup16.exe |
Archaeology ‧ adam |
|
| 2024-10-03 |
Using Guids to guide the ID of samples’ capabilities or unique (attributable) properties… |
Archaeology ‧ adam |
|
| 2024-09-22 |
Rundll32 goes to hell… |
Anti-Forensics ‧ adam |
|
| 2024-09-21 |
Dexray v2.34 |
DeXRAY ‧ adam |
|
| 2024-09-15 |
The delayed import-table phantomDLL opportunities |
Archaeology ‧ adam |
|
| 2024-09-12 |
Rundll32.exe bomb |
Archaeology ‧ adam |
|
| 2024-09-08 |
This post is totally Iconic |
Silly ‧ adam |
|
| 2024-09-07 |
The art of underDLLoading |
Archaeology ‧ adam |
|
| 2024-09-06 |
The art of overDLLoading |
Anti-Forensics ‧ adam |
|
| 2024-09-06 |
Technical debt of C:WindowsSystem path |
Anti-Forensics ‧ adam |
|
| 2024-09-05 |
Rundll32 and Phantom DLL lolbins, 32-bit version |
Anti-Forensics ‧ adam |
|
| 2024-09-04 |
Rundll32 and Phantom DLL lolbins |
Anti-Forensics ‧ adam |
|
| 2024-08-14 |
Enter Sandbox 29: The subtle art of reversing persuasion – pushing samples to run… |
Sandboxing ‧ adam |
|
| 2024-08-08 |
Counting the API arguments… |
Archaeology ‧ adam |
|
| 2024-08-03 |
The value-proposition of building and maintaining an internal Threat Hunting team… |
Preaching ‧ adam |
|
| 2024-08-02 |
High Fidelity detections are Low Fidelity detections, until proven otherwise, Part 2 |
Archaeology ‧ adam |
|
| 2024-07-14 |
High Fidelity detections are Low Fidelity detections, until proven otherwise |
Archaeology ‧ adam |
|
| 2024-07-08 |
Writing a Frida-based VBS API monitor, Take two |
Frida ‧ adam |
|
| 2024-07-07 |
Writing a Frida-based VBS API monitor |
Frida ‧ adam |
|
| 2024-06-23 |
Enter Sandbox 28: Automated access primitives extraction |
Sandboxing ‧ adam |
|
| 2024-06-16 |
Couple of Splunk/SPL Gotchas, Part 2 |
Splunk, SPL ‧ adam |
|
| 2024-06-15 |
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 5 |
Clustering ‧ adam |
|
| 2024-06-09 |
PE Section names – re-visited, again |
PE Sections ‧ adam |
|
| 2024-06-08 |
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 4 |
Clustering ‧ adam |
|
| 2024-06-06 |
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 3 |
Clustering ‧ adam |
|
| 2024-05-04 |
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 2 |
Clustering ‧ adam |
|
| 2024-05-02 |
The art of artifact collection and hoarding for the sake of forensic exclusivity… |
Clustering ‧ adam |
|
| 2024-04-27 |
A license (metadata) to kill (for)… |
Forensic Analysis ‧ adam |
|
| 2024-04-26 |
Excelling at Excel, Part 4 |
Excel ‧ adam |
|
| 2024-04-19 |
Shall we say… Good bye, phishing queue? Part 2 |
Incident Response ‧ adam |
|
| 2024-04-06 |
The art of cutting corners |
Hackme/crackme ‧ adam |
|
| 2024-03-31 |
Subfrida v0.1 |
Frida ‧ adam |
|
| 2024-03-30 |
From Underground to Overground |
Preaching ‧ adam |
|
| 2023-09-04 |
The secret of 961c151d2e87f2686a955a9be24d316f1362bf21 |
Archaeology ‧ adam |
|
| 2023-08-26 |
Writing better Yara rules in 2023… |
Yara sigs ‧ adam |
|
| 2023-08-26 |
Lolbins for connoisseurs… |
Compromise Detection ‧ adam |
|
| 2023-07-15 |
How to start your own threat intel company? |
Preaching ‧ adam |
|
| 2023-07-14 |
Enter Sandbox 27: Account creation |
Sandboxing ‧ adam |
|
| 2023-06-23 |
The myth of “knowing your org” -> know_your_org.docx |
Preaching ‧ adam |
|
| 2023-06-15 |
Mitre Att&ck – from JSON to CSV |
Mitre Att&ck ‧ adam |
|
| 2023-06-10 |
Perl and Python Scripting Templates… |
Batch Analysis ‧ adam |
|
| 2023-06-08 |
This LOLBIN doesn’t exist… |
LOLBins ‧ adam |
|
| 2023-06-04 |
Analyzing nested, obfuscated PHP files… |
Archaeology ‧ adam |
|
| 2023-06-02 |
Analysing PS2EXE executables… |
De-everything, Un-everything ‧ adam |
|
| 2023-05-24 |
DeXRAY, DFIR, and the art of ambulance chasing… |
DeXRAY ‧ adam |
|
| 2023-05-18 |
Blue teaming – it’s DATa complicated… |
Security Logs ‧ adam |
|
| 2023-05-13 |
Da Li’L World of DLL Exports and Entry Points, Part 6 |
Archaeology ‧ adam |
|
| 2023-05-13 |
Matlab persistent lolbin – 2 years too late, but always… |
Autostart (Persistence) ‧ adam |
|
| 2023-05-12 |
PE Section names – re-visited, again, in 2023 |
Reversing ‧ adam |
|
| 2023-05-12 |
An Elf walks into the bar… |
Windows 11 ‧ adam |
|
| 2023-05-06 |
Malware – some musings about the meaning of the word… |
Preaching ‧ adam |
|
| 2023-05-05 |
Threat Hunting – architecture issues… |
ARM ‧ adam |
|
| 2023-04-22 |
Using Detect It Easy to… detect it easy |
elf ‧ adam |
|
| 2023-04-21 |
The words that go adapataadadapata |
Silly ‧ adam |
|
| 2023-04-15 |
Beyond good ol’ Run key, Part 142 |
Autostart (Persistence) ‧ adam |
|
| 2023-04-02 |
The words that go (.)[a-z]1[a-z]1[a-z]1[a-z]1[a-z]1 |
Silly ‧ adam |
|
| 2023-03-29 |
Converting questionable questions into unquestionable opportunities… |
Preaching ‧ adam |
|
| 2023-03-12 |
List of clean mutexes and mutants |
threat hunting ‧ adam |
|
| 2023-03-11 |
Threat Hunting – localization issues |
threat hunting ‧ adam |
|
| 2023-02-26 |
Beyond good ol’ Run key, Part 141 |
Autostart (Persistence) ‧ adam |
|
| 2023-01-22 |
Excelling at Excel, Part 3 |
Excel ‧ adam |
|
| 2023-01-21 |
Yara rules pageant |
Yara sigs ‧ adam |
|
| 2023-01-14 |
Decrypting SHell Compiled (SHC) ELF files |
elf ‧ adam |
|
| 2023-01-08 |
Excelling at Excel, Part 2 |
Excel ‧ adam |
|
| 2023-01-07 |
Excelling at Excel, Part 1 |
Excel ‧ adam |
|
| 2023-01-03 |
Putting ELF on the shelf… |
Malware Analysis ‧ adam |
|
| 2023-01-01 |
A bunch of OLD-School RCE tricks… |
Productivity ‧ adam |
|
| 2022-12-31 |
Beyond good ol’ Run key, Part 140 |
Autostart (Persistence) ‧ adam |
|
| 2022-12-15 |
How to be a good quitter? |
career advice ‧ adam |
|
| 2022-12-10 |
Marrying client-side Windows-based CryptEncrypt and server-side,Linux-based Crypt::OpenSSL::RSA |
C2 ‧ adam |
|
| 2022-12-09 |
The Future of SOC |
Incident Response ‧ adam |
|
| 2022-12-04 |
Using make_sc_hash_db.py to create API hashing DBs |
Malware Analysis ‧ adam |
|
| 2022-12-03 |
Environment… is variable |
Archaeology ‧ adam |
|
| 2022-11-20 |
Cracking Zeppelin |
Factorization ‧ adam |
|
| 2022-11-20 |
Beyond good ol’ Run key, Part 139 |
Autostart (Persistence) ‧ adam |
|
| 2022-10-09 |
Dealing with alert fatigue, Part 2 |
SOC ‧ adam |
|
| 2022-10-02 |
Dealing with alert fatigue, Part 1 |
SOC ‧ adam |
|
| 2022-09-22 |
Inserting data into other processes’ address space, part 1a |
Code Injection ‧ adam |
|
| 2022-09-03 |
Adobe: JSX and JSXBIN files |
Autostart (Persistence) ‧ adam |
|
| 2022-08-20 |
What to know, what to learn? What are useful skills for cyber in 2022? |
Preaching ‧ adam |
|
| 2022-08-20 |
Password as a (Yara) Service |
Archaeology ‧ adam |
|
| 2022-08-07 |
Week of Data Dumps, Part 7 – registry |
Archaeology ‧ adam |
|
| 2022-08-06 |
Week of Data Dumps, Part 6 – file names |
Archaeology ‧ adam |
|
| 2022-08-01 |
Week of Data Dumps, Part 5 – commands |
Archaeology ‧ adam |
|
| 2022-07-31 |
Week of Data Dumps, Part 4 – games-related strings |
Archaeology ‧ adam |
|
| 2022-07-24 |
Week of Data Dumps, Part 3 – service names |
Archaeology ‧ adam |
|
| 2022-07-23 |
The curse of being ‘technical’ |
Preaching ‧ adam |
|
| 2022-07-23 |
Week of Data Dumps, Part 2 – GUIDs |
Archaeology ‧ adam |
|
| 2022-07-22 |
Week of Data Dumps, Part 1 – device names |
Archaeology ‧ adam |
|
| 2022-07-08 |
Shall we say… Good bye, phishing queue? |
Incident Response ‧ adam |
|
