Shall we say… Good bye, phishing queue? Part 2
In my older piece I argued that we should stop caring about phishing alerts. Of course, it was a bit of a parable… Still, there are a lot of quick wins I described there that can be...
Excelling at Excel, Part 4
Excel is the emperor of automation. Not the SOAR type, but the local one – yours. Why? Its formulas and VBA capabilities can turn many awfully mundane tasks into plenty of automation opportunities… For...
A license (metadata) to kill (for)…
Many forensic artifacts can be looked at from many different angles. A few years ago I proposed a concept of filighting that tried to solve a problem of finding unusual, orphaned and potentially...
The art of artifact collection and hoarding for the sake of forensic...
This post is going to blow your mind – I am going to demonstrate that piracy is good! (sometimes) I like to challenge the forensic processes du jour. At least in my head. Today we often use this...
The art of artifact collection and hoarding for the sake of forensic...
In the first part I had promised that I would demonstrate that piracy is good! (sometimes) I kinda lied back there, but I am not going to lie today: I will tell you all about it in the part …...
The art of artifact collection and hoarding for the sake of forensic...
(this is a very long post, sorry; took weeks to distill it into something that I hope is readable) As promised, today I am finally going to demonstrate that piracy is good! (sometimes) In order to...
The art of artifact collection and hoarding for the sake of forensic...
In my last post I mentioned the outdated PAD files. Let’s have a closer look at them. Before we do so, a short comment first — in the era of omnipresent GenAI buzz sometimes it’s really hard to...
PE Section names – re-visited, again
I recently caught up with torrents shared by VirusShare and after merging the new VS samples with my repo decided to extract PE section stats from all the files again… This time, instead of actually...
The art of artifact collection and hoarding for the sake of forensic...
If you follow this series you should know by now that I am obsessing here not about the benefits of piracy, but about a new, powerful forensic capability: a truly actionable summary (extracted from the...
Couple of Splunk/SPL Gotchas, Part 2
It’s been nearly 5 years since I dropped this old post about Splunk Gotchas. Okay, in fairness, I also covered SPL-based path normalization in 2020 & bitmap-based hunting aka bitmap hunting here...
Enter Sandbox 28: Automated access primitives extraction
In my previous post about TI I hinted that malware sample sandboxing (f.ex. extracting configs, credentials, domains, emails, (S)FTP accounts) – identifying TTPs is a great TI data source… I must admit...
Writing a Frida-based VBS API monitor
Update: See the updated version of the script here. Old Post: I love experimenting with Frida and I have presented a few different API Monitoring prototypes based on this framework a few times before…...
Writing a Frida-based VBS API monitor, Take two
In my previous post I introduced a simple VBS API Monitor developed using the Frida framework. Today I did some more code analysis of vbscript.dll and I realized that in my previous post I made a naive...
High Fidelity detections are Low Fidelity detections, until proven otherwise
A few days ago Nas kicked off an interesting discussion on Xitter about detections’ quality. I liked it, so I offered my personal insight. I then added a stupid example to illustrate my point to which...
High Fidelity detections are Low Fidelity detections, until proven otherwise,...
In my last post I looked at ‘good’ file names. Today I will look at them again. Sort of… Over the years I have written a number of yara rules that use a peculiar condition that hits on an internal …...
The value-proposition of building and maintaining an internal Threat Hunting...
Update: After I posted this piece, I got some really good feedback from a number of people. Many highlight the problem of the wide scope that I covered below. Some insist on making a clear distinction...
Counting the API arguments…
Today Matt posted a half-joking twit about the acceptable number of arguments that can be passed to a function… I took the challenge VERY SERIOUSLY and decided to investigate. In my old post I shared...
Enter Sandbox 29: The subtle art of reversing persuasion – pushing samples to...
Every once in a while you will run into samples that themselves do not run. Some use anti- techniques, some require command line arguments, command line input, others require configuration and/or data...
The art of overDLLoading
Some time ago I came up with a silly idea: I’d like to build an executable that statically links to most of the c:\windows\system32 libraries. It’s a nonsensical programming exercise, but it’s also an...
The art of underDLLoading
In my previous post I created a posh artisan .exe file ornamented with a large number of intricate system32 DLL imports. The process of building that file was painful – before I even managed to run the...