unSafe.sh - Unsafe
High Fidelity detections are Low Fidelity detections, until proven otherwise, Part 2
In my last post I looked at ‘good’ file names. Today I will look at them again. Sort of…...
2024-8-2 06:29:34 | Reads: 7 | Hexacorn - www.hexacorn.com
High Fidelity detections are Low Fidelity detections, until proven otherwise
A few days ago Nas kicked off an interesting discussion on Xitter about detections’ quality. I l...
2024-7-14 08:8:16 | Reads: 12 | Hexacorn - www.hexacorn.com
Writing a Frida-based VBS API monitor, Take two
In my previous post I introduced a simple VBS API Monitor developed using Frida framework....
2024-7-8 02:34:33 | Reads: 14 | Hexacorn - www.hexacorn.com
Writing a Frida-based VBS API monitor
I love experimenting with Frida and I have presented a few different API Monitoring prototypes b...
2024-7-7 08:4:13 | Reads: 12 | Hexacorn - www.hexacorn.com
Enter Sandbox 28: Automated access primitives extraction
In my previous post about TI I hinted that malware sample sandboxing (f.ex. extracting configs,...
2024-6-23 07:25:53 | Reads: 16 | Hexacorn - www.hexacorn.com
Couple of Splunk/SPL Gotchas, Part 2
It’s been nearly 5 years since I dropped this old post about Splunk Gotchas. Okay, in fairness,...
2024-6-16 07:47:59 | Reads: 17 | Hexacorn - www.hexacorn.com
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 5
If you follow this series you should know by now that I am obsessing here not about the benefits...
2024-6-15 06:53:57 | Reads: 16 | Hexacorn - www.hexacorn.com
PE Section names – re-visited, again
I recently caught up with torrents shared by VirusShare and after merging the new VS sample...
2024-6-9 06:59:53 | Reads: 17 | Hexacorn - www.hexacorn.com
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 4
In my last post I mentioned the outdated PAD files. Let’s have a closer look at them. Before...
2024-6-8 06:51:37 | Reads: 12 | Hexacorn - www.hexacorn.com
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 3
(this is a very long post, sorry; took weeks to distill it into something that I hope is readabl...
2024-6-6 07:48:54 | Reads: 10 | Hexacorn - www.hexacorn.com
The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 2
In the first part I had promised that I would demonstrate that the piracy is good! (sometimes)...
2024-5-4 07:29:59 | Reads: 12 | Hexacorn - www.hexacorn.com
The art of artifact collection and hoarding for the sake of forensic exclusivity…
This post is going to blow your mind – I am going to demonstrate that the piracy is good! (somet...
2024-5-2 08:18:27 | Reads: 19 | Hexacorn - www.hexacorn.com
A license (metadata) to kill (for)…
Many forensic artifacts can be looked at from many different angles. A few years ago I proposed...
2024-4-27 07:40:21 | Reads: 11 | Hexacorn - www.hexacorn.com
Excelling at Excel, Part 4
Excel is the emperor of automation. Not the SOAR type, but the local one – yours. Why? Its...
2024-4-26 07:33:44 | Reads: 10 | Hexacorn - www.hexacorn.com
Shall we say… Good bye, phishing queue? Part 2
[this post is work in progress; it will be updated when the script finishes its processing] I...
2024-4-19 08:32:55 | Reads: 32 | Hexacorn - www.hexacorn.com
The art of cutting corners
I love ROI-driven solutions and this post is about one of them. My personal cybersecurity consul...
2024-4-6 07:46:43 | Reads: 15 | Hexacorn - www.hexacorn.com
Subfrida v0.1
As many of you know, I am a big fan of Frida framework and I love its intuitiveness and flexibil...
2024-3-31 08:57:22 | Reads: 11 | Hexacorn - www.hexacorn.com
From Underground to Overground
There are many debates and infosec dramas related to vulnerability research, publishing Off...
2024-3-30 08:5:31 | Reads: 18 | Hexacorn - www.hexacorn.com
Stuffing up the WINDIR env. var. with THE SPACE
I love revisiting the ‘there is nothing else to be found there anymore’ cases and I described th...
2024-3-17 07:40:35 | Reads: 23 | Hexacorn - www.hexacorn.com
Lolbin Wow Ltd x 2
I have already covered cases where I abused WINDIR environment variable to LOLBINize some W...
2024-3-17 06:18:38 | Reads: 22 | Hexacorn - www.hexacorn.com