unSafe.sh - Unsafe

Technical debt of C:\Windows\System path
Thanks to @sixtyvividtails who corrected a mistake I made in the earlier version of the pos...
2024-9-6 05:09:13 | Reads: 12 | Hexacorn - www.hexacorn.com
Tags: windows, searched, maintains, procmon, loaded

Rundll32 and Phantom DLL lolbins, 32-bit version
As I have shown in the last post, there exists a class of DLLs on Windows OS that load othe...
2024-9-5 05:00:46 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: windows, 22h2, imports, payload, essence

Rundll32 and Phantom DLL lolbins
This may be a new, kinda ephemeral addition to the lolbin world (not sure if anyone covere...
2024-9-4 05:23:10 | Reads: 20 | Hexacorn - www.hexacorn.com
Tags: windows, rundll32, updateapi, tssrvlic, ducsps

Enter Sandbox 29: The subtle art of reversing persuasion – pushing samples to run…
Every once in a while you will run into samples that themselves do not run. Some use anti- te...
2024-8-14 07:15:15 | Reads: 15 | Hexacorn - www.hexacorn.com
Tags: library, ordinal, windows, rsrc, comctl32

Counting the API arguments…
Today Matt posted a half-joking twit about the acceptable number of arguments that can be p...
2024-8-8 05:59:28 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: candidate, descending, acceptable, microsoft, merging

The value-proposition of building and maintaining an internal Threat Hunting team…
The IT/cyber Buy vs. Build discussions often focus on, and present the issue at hand as a zerosu...
2024-8-3 07:10:38 | Reads: 4 | Hexacorn - www.hexacorn.com
Tags: roi, asset, security, processes, feeds

High Fidelity detections are Low Fidelity detections, until proven otherwise, Part 2
In my last post I looked at ‘good’ file names. Today I will look at them again. Sort of…...
2024-8-2 06:29:34 | Reads: 4 | Hexacorn - www.hexacorn.com
Tags: windows, winload, dirty, evan, crime

High Fidelity detections are Low Fidelity detections, until proven otherwise
A few days ago Nas kicked off an interesting discussion on Xitter about detections’ quality. I l...
2024-7-14 08:08:16 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: kicked, decompiled, software, illustrate, stupid

Writing a Frida-based VBS API monitor, Take two
In my previous post I introduced a simple VBS API Monitor developed using Frida framework....
2024-7-8 02:34:33 | Reads: 11 | Hexacorn - www.hexacorn.com
Tags: windows, realized, naive, memory, pointed

Writing a Frida-based VBS API monitor
I love experimenting with Frida and I have presented a few different API Monitoring prototypes b...
2024-7-7 08:04:13 | Reads: 6 | Hexacorn - www.hexacorn.com
Tags: msgbox, vbscript, cscript, windows, dispatcher

Enter Sandbox 28: Automated access primitives extraction
In my previous post about TI I hinted that malware sample sandboxing (f.ex. extracting configs,...
2024-6-23 07:25:53 | Reads: 12 | Hexacorn - www.hexacorn.com
Tags: intercepted, sandboxing, hardcoded, families, sitting

Couple of Splunk/SPL Gotchas, Part 2
It’s been nearly 5 years since I dropped this old post about Splunk Gotchas. Okay, in fairness,...
2024-6-16 07:47:59 | Reads: 11 | Hexacorn - www.hexacorn.com
Tags: gotcha, spl, indexes, invocations, octets

The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 5
If you follow this series you should know by now that I am obsessing here not about the benefits...
2024-6-15 06:53:57 | Reads: 12 | Hexacorn - www.hexacorn.com
Tags: software, wiki, actionable, adept

PE Section names – re-visited, again
I recently caught up with torrents shared by VirusShare and after merging the new VS sample...
2024-6-9 06:59:53 | Reads: 14 | Hexacorn - www.hexacorn.com
Tags: merging, attributing, 660k, download, caught

The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 4
In my last post I mentioned the outdated PAD files. Let’s have a closer look at them. Before...
2024-6-8 06:51:37 | Reads: 8 | Hexacorn - www.hexacorn.com
Tags: pad, software, download, genai, repository

The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 3
(this is a very long post, sorry; took weeks to distill it into something that I hope is readabl...
2024-6-6 07:48:54 | Reads: 7 | Hexacorn - www.hexacorn.com
Tags: software, asset, miss, processes

The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 2
In the first part I had promised that I would demonstrate that the piracy is good! (sometimes)...
2024-5-4 07:29:59 | Reads: 9 | Hexacorn - www.hexacorn.com
Tags: software, processes, scrap, landing, windows

The art of artifact collection and hoarding for the sake of forensic exclusivity…
This post is going to blow your mind – I am going to demonstrate that the piracy is good! (somet...
2024-5-2 08:18:27 | Reads: 16 | Hexacorn - www.hexacorn.com
Tags: windows, software, analysis, processes, clusters

A license (metadata) to kill (for)…
Many forensic artifacts can be looked at from many different angles. A few years ago I proposed...
2024-4-27 07:40:21 | Reads: 8 | Hexacorn - www.hexacorn.com
Tags: analysis, artifacts, software, gpl, licensing

Excelling at Excel, Part 4
Excel is the emperor of automation. Not the SOAR type, but the local one – yours. Why? Its...
2024-4-26 07:33:44 | Reads: 7 | Hexacorn - www.hexacorn.com
Tags: ternary, parenthesis, formula, formulas, soar