unSafe.sh - Unsafe
The rapidly changing geopolitics and its inevitable effect on cyber
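The "follow-the-sun" information-sharing model no longer works: international organizations no longer openly share critical intelligence, and even the "Five Eyes" alliance will struggle to keep cooperating. With the political upheaval in the United States, the global cybersecurity landscape will change dramatically, and the collective of "good guys" once led by Western democracies no longer exists. Enterprises need to adapt quickly, adopting measures such as regionalized data management and distributed security operations centers, but this will bring enormous challenges and costs....
2025-2-21 22:18:22 | Views: 7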
Hexacorn - www.hexacorn.com
guys
gonna
dramatic
suggested
fedramp
DWRCSAccess.log artifact
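The article introduces DameWare's DWRCSAccess.log file, which records localized messages and English metadata for remote-control events. The messages include information such as user connections, disconnections and authentication failures; the metadata contains detailed system and security information that may be useful for attacker analysis....
2025-2-5 23:29:47 | Views: 12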
Hexacorn - www.hexacorn.com
proxy
localized
benutzer
Files of interest
I really like this MalBeacon’s project because it highlights how easy it is to detect many...
2025-1-31 00:50:10 | Views: 18
Hexacorn - www.hexacorn.com
telemetry
unlimited
families
comb
watermarked
Being a tool while using a tool
This case is kinda DFIR-fascinating. There is an unwritten rule in the DFIR world that says –...
2025-1-25 01:22:29 | Views: 16
Hexacorn - www.hexacorn.com
7z
pluginsdir
analysis
nsi
huh
Smuggling payloads and tools in, using WIM images, Part 2
In this post we explore the dism.exe and WIM images a bit more. It turns out that WIM files...
2025-1-1 00:9:30 | Views: 11
Hexacorn - www.hexacorn.com
wim
newtest
lowpart
highpart
dism
Clean hash set – 12M rows
The file contains 12M+ of rows, each containing a set of popular hashes, and a file name ex...
2024-12-31 18:31:56 | Views: 8
Hexacorn - www.hexacorn.com
software
watermarked
firmwares
unlimited
dome
Smuggling payloads and tools in, using WIM images
We often hear of attackers bringing in their payloads via virtual drive images (f.ex. vhd,vhdx)...
2024-12-31 00:20:44 | Views: 12
Hexacorn - www.hexacorn.com
wim
mounted
lowpart
totalbytes
highpart
WIMMOUNTDATA ADS
In my old post I listed a number of ‘good Alternate Data Streams (ADS)’, and one of them wa...
2024-12-28 23:32:9 | Views: 12
Hexacorn - www.hexacorn.com
dism
wim
imagefile
3908
MoNotificationUxStub.exe lolbin
When you run MoNotificationUxStub.exe on Windows Server 2025, it will try to load the follo...
2024-12-27 00:16:22 | Views: 16
Hexacorn - www.hexacorn.com
windows
library
uus
umpdc
MLEngineStub.exe lolbin
When you run MLEngineStub.exe on Windows 2025, it will try to locate the following non-exis...
2024-12-27 00:7:47 | Views: 16
Hexacorn - www.hexacorn.com
windows
uus
mlengine
caveat
la57setup.exe & OOBEFodSetup.exe lolbin
When you run la57setup.exe or OOBEFodSetup.exe on Windows Server 2025, they will try to loa...
2024-12-26 23:44:11 | Views: 9
Hexacorn - www.hexacorn.com
windows
library
dism
la57setup
3 little secrets of netsh.exe
It is typical for many of us to discover ‘the cool thing’, and then quickly move on to research...
2024-12-25 23:15:42 | Views: 10
Hexacorn - www.hexacorn.com
netsh
scriptfile
aliasfile
lolbin
careful
Windows Server 2025 and MsMpEng.exe
2024-12-22 00:37:54 | Views: 20
Hexacorn - www.hexacorn.com
windows
defender
repeat
waaaay
Beyond good ol’ Run key, Part 146
I did consider writing about: C:\Windows\System32\WptsExtensions.dll but this phantom...
2024-12-20 13:17:9 | Views: 16
Hexacorn - www.hexacorn.com
windows
phantom
loaded
Beyond good ol’ Run key, Part 145
Windows Server 2022 launches ctfmon.exe during its start and this process’ DLL dependencies...
2024-12-20 00:46:42 | Views: 13
Hexacorn - www.hexacorn.com
windows
launches
ctfmon
phantom
library
Windows Server 2022 and MsMpEng.exe
Running Procmon in a boot mode is a very powerful research tool. In this short post I want...
2024-12-20 00:28:1 | Views: 19
Hexacorn - www.hexacorn.com
defender
procmon
windows
clearly
surprised
dns.exe and its quirks
This is not a proper research yet. I just happened to stumble upon an interesting artifact...
2024-12-15 00:21:35 | Views: 15
Hexacorn - www.hexacorn.com
windows
backup
rfc5011
dnssec
artifact
Promoting a Windows 2022 server to Domain Controller and DNS Server
I asked myself what tangible artifacts present on a file system can immediately tell us tha...
2024-12-11 07:44:34 | Views: 15
Hexacorn - www.hexacorn.com
experiment
windows
slightly
edited
myself
Not installing the installers, part 4
This old series is not very exciting. Decompiling goodware installation scripts will never...
2024-12-7 08:32:10 | Views: 14
Hexacorn - www.hexacorn.com
installers
ratio
rtools44
rtools43
ifcexporter
ExecCmd64 lolbin
If you have ASRock Polychrome RGB installed on your system you may find this interesting ex...
2024-12-7 07:1:13 | Views: 15
Hexacorn - www.hexacorn.com
asrock
execcmd64
aproduct
polychrome
asrrgbled