Channel: adam – Hexacorn

Smuggling payloads and tools in, using WIM images

We often hear of attackers bringing in their payloads via virtual drive images (f.ex. vhd, vhdx) in an attempt to bypass security solutions. The WIM files can be used to smuggle in tools and payloads to...



Clean hash set – 12M rows

The file contains 12M+ rows, each containing a set of popular hashes and a file name extracted from my ‘good files’ repo (some dups may be found if, f.ex., the file name changes but the hashes don’t). These...



Smuggling payloads and tools in, using WIM images, Part 2

In this post we explore the dism.exe and WIM images a bit more. It turns out that WIM files are containers that can include more than one image. One can create the first image using the /Capture-Image...


Being a tool while using a tool

This case is kinda DFIR-fascinating. There is an unwritten rule in the DFIR world that says – always check the results provided by one tool with another tool, or manually… Well… it all sounds nice in...


Files of interest

I really like this MalBeacon project because it highlights how easy it is to detect many malware families by just looking at the telemetry/forensic data obtained from a file system. And since I like...
