www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-18T10:51:09+00:00 www.secnews.physaphae.fr
HexaCorn - Research Blog The art of artifact collection and hoarding for the sake of forensic exclusivity… – Part 2
In the first part I had promised that I would demonstrate that the piracy is good! (sometimes) I kinda lied back there, but I am not going to lie today: I will tell you all about it in the part …
2024-05-03T23:29:59+00:00 https://www.hexacorn.com/blog/2024/05/03/the-art-of-artifact-collection-and-hoarding-for-the-sake-of-forensic-exclusivity-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8493260 False Technical None 4.0000000000000000
HexaCorn - Research Blog The art of artifact collection and hoarding for the sake of forensic exclusivity…
This post is going to blow your mind – I am going to demonstrate that the piracy is good! (sometimes) I like to challenge the forensic processes du jour. At least in my head. Today we often use this forensic …
2024-05-02T00:18:27+00:00 https://www.hexacorn.com/blog/2024/05/02/the-art-of-artifact-collection-and-hoarding-for-the-sake-of-forensic-exclusivity/ www.secnews.physaphae.fr/article.php?IdArticle=8492100 False Technical None 3.0000000000000000
HexaCorn - Research Blog A license (metadata) to kill (for)…
Many forensic artifacts can be looked at from many different angles. A few years ago I proposed a concept of filighting that tried to solve a problem of finding unusual, orphaned and potentially malicious files dropped inside directories that contain …
2024-04-26T23:40:21+00:00 https://www.hexacorn.com/blog/2024/04/26/a-license-metadata-to-kill-for/ www.secnews.physaphae.fr/article.php?IdArticle=8489312 False Technical None 4.0000000000000000
HexaCorn - Research Blog Excelling at Excel, Part 4
Excel is the emperor of automation. Not the SOAR type, but the local one – yours. Why? Its formulas and VBA capabilities can turn many awfully mundane tasks into plenty of automation opportunities… For instance… certain programming tasks. The case/switch …
2024-04-25T23:33:44+00:00 https://www.hexacorn.com/blog/2024/04/25/excelling-at-excel-part-4/ www.secnews.physaphae.fr/article.php?IdArticle=8488776 False None None 2.0000000000000000
HexaCorn - Research Blog Shall we say… Good bye, phishing queue? Part 2
[this post is work in progress; it will be updated when the script finishes its processing] In my older piece I argued that we should stop caring about phishing alerts. Of course, it was a bit of a parabole… Still, …
2024-04-19T00:32:55+00:00 https://www.hexacorn.com/blog/2024/04/19/shall-we-say-good-bye-phishing-queue-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8485015 False None None 2.0000000000000000
HexaCorn - Research Blog The art of cutting corners
I love ROI-driven solutions and this post is about one of them. My personal cybersecurity consulting practice exposed me to many different types of ‘IT security’ jobs over the last 13 years and today I will describe one of them… Nearly …
2024-04-05T23:46:43+00:00 https://www.hexacorn.com/blog/2024/04/05/the-art-of-cutting-corners/ www.secnews.physaphae.fr/article.php?IdArticle=8476771 False None None 4.0000000000000000
HexaCorn - Research Blog Subfrida v0.1
As many of you know, I am a big fan of Frida framework and I love its intuitiveness and flexibility, especially when it comes to auto-generating handlers for hooked functions, even if they are randomly chosen. In my older Frida …
2024-03-31T00:57:22+00:00 https://www.hexacorn.com/blog/2024/03/31/subfrida-v0-1/ www.secnews.physaphae.fr/article.php?IdArticle=8473311 False None None 3.0000000000000000
HexaCorn - Research Blog From Underground to Overground
There are many debates and infosec dramas related to vulnerability research, publishing Offensive Security Tools (OST), Proof Of Concept (POC) Code, and in recent days – some Original Gangsters (OG) are reflecting on their own doings by posting teary memoirs …
2024-03-30T00:05:31+00:00 https://www.hexacorn.com/blog/2024/03/30/from-underground-to-overground/ www.secnews.physaphae.fr/article.php?IdArticle=8472820 False Tool,Vulnerability None 4.0000000000000000
HexaCorn - Research Blog Stuffing up the WINDIR env. var. with THE SPACE
I love revisiting the ‘there is nothing else to be found there anymore’ cases and I described this process here. Recently, I’ve been thinking of the WINDIR environment variable. I have already covered a few cases where WoW executables could …
2024-03-16T23:40:35+00:00 https://www.hexacorn.com/blog/2024/03/16/stuffing-up-the-windir-env-var-with-the-space/ www.secnews.physaphae.fr/article.php?IdArticle=8465124 False None None 3.0000000000000000
HexaCorn - Research Blog Lolbin wow ltd x 2
I have already covered cases where I abused WINDIR environment variable to LOLBINize some WoW executables. I thought I covered w32tm.exe before, but looking at my blog history I can’t find any reference to it. So, here it is:
2024-03-16T22:18:38+00:00 https://www.hexacorn.com/blog/2024/03/16/lolbin-wow-ltd-x-2/ www.secnews.physaphae.fr/article.php?IdArticle=8465099 False Technical None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of explorer.exe
Windows Explorer is a beast. It does so many things when it starts that it hurts… Sometimes, literally. One of the things it checks during its startup routine is the comparison of the Registry value HKEY_CURRENT_USER\Control Panel\Appearance\SchemeLangID and the result …
2024-03-03T00:33:23+00:00 https://www.hexacorn.com/blog/2024/03/03/1-little-known-secret-of-explorer-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8458164 False None None 2.0000000000000000
HexaCorn - Research Blog 1 little known secret of nslookup.exe
I was recently surprised by the fact that Windows’ nslookup.exe accepts the local config file .nslookuprc. When the program starts it resolves the environment variable HOME and then looks for a %HOME%\.nslookuprc file. It then reads this config file (if …
2024-03-01T23:59:08+00:00 https://www.hexacorn.com/blog/2024/03/01/1-little-known-secret-of-nslookup-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8457737 False Technical None 3.0000000000000000
HexaCorn - Research Blog How to become/continue to be a security researcher?
In my post from 2018 I listed a number of strategies one can use to ‘find interesting stuff’ – that post was heavily focused on Windows’ persistence mechanisms… Today Dominik posted this twit: eliminate your self defeatist attitudes to which …
2024-01-21T00:59:29+00:00 https://www.hexacorn.com/blog/2024/01/21/how-to-become-continue-to-be-a-security-researcher/ www.secnews.physaphae.fr/article.php?IdArticle=8441124 False None None 3.0000000000000000
HexaCorn - Research Blog 2 little secrets of ScriptRunner.exe
2024-01-13T23:09:46+00:00 https://www.hexacorn.com/blog/2024/01/13/2-little-secrets-of-scriptrunner-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8438750 False Technical None 3.0000000000000000
HexaCorn - Research Blog Adding character(s) to Command Line processing
In my old post about certutil I mentioned that it accepts a number of less-known Unicode characters passed to its command line. Powershell accepting a number of Unicode characters representing “-” and its variations is a very well-known fact too. …
2024-01-12T23:39:35+00:00 https://www.hexacorn.com/blog/2024/01/12/adding-characters-to-command-line-processing/ www.secnews.physaphae.fr/article.php?IdArticle=8438431 False Technical None 4.0000000000000000
HexaCorn - Research Blog Bitmap hunting in SPL, Part 2
In my previous post I introduced the concept of bitmap hunting. Today I will show another example that helps to find a sequence of more than 2 events. Consider this artificially generated sequence of events: | makeresults | eval _time=_time …
2024-01-06T23:46:54+00:00 https://www.hexacorn.com/blog/2024/01/06/bitmap-hunting-in-spl-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8435837 False None None 4.0000000000000000
HexaCorn - Research Blog 1 little known secret of fondue.exe
Same as in the previous case, we can copy the main executable fondue.exe to a different folder f.ex. c:\test and start it from there, loading the c:\test\appwiz.cpl we control in the process.
2024-01-06T01:29:25+00:00 https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8435400 False None None 2.0000000000000000
HexaCorn - Research Blog (Not) Mapping Firefox extension IDs to their names
I have mapped an extensive list of Chrome Plug-in IDs to their names before. Of course, I knew for a long time that I will need to take a look at Firefox Add-ons too…. And in fairness, I did… I …
2024-01-05T23:36:45+00:00 https://www.hexacorn.com/blog/2024/01/05/not-mapping-firefox-extension-ids-to-their-names/ www.secnews.physaphae.fr/article.php?IdArticle=8435369 False None None 2.0000000000000000
HexaCorn - Research Blog Bitmap Hunting in SPL
One of the most annoying hunting exercises is detecting a sequence of failures followed by a success. Brute-force attacks, dictionary attacks, and finally password spray attacks have all this in common: lots of failures, sometimes followed by a success. The …
2024-01-01T17:23:21+00:00 https://www.hexacorn.com/blog/2024/01/01/bitmap-hunting-in-spl/ www.secnews.physaphae.fr/article.php?IdArticle=8432470 False Technical None 4.0000000000000000
HexaCorn - Research Blog 1 little known secret of hdwwiz.exe
There is a number of .cpl files that can be loaded using their OS-native executable equivalents f.ex hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder f.ex. c:\test and load malicious hdwwiz.cpl from the very same …
2024-01-01T13:21:53+00:00 https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8432372 False Technical None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of forfiles.exe
2023-12-31T10:21:41+00:00 https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8431765 False Technical None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of ieUnatt.exe on win11
The program has been changed since win10 and it now loads wdscore.dll almost immediately after it starts. Unfortunately, while it does so via LoadLibraryEx, the API is called in a way that is identical with calling LoadLibrary (both LoadLibraryEx arguments …
2023-12-30T16:01:46+00:00 https://www.hexacorn.com/blog/2023/12/30/1-little-known-secret-of-ieunatt-exe-on-win11/ www.secnews.physaphae.fr/article.php?IdArticle=8431341 False None None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of fsquirt.exe
The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really …
2023-12-29T21:57:39+00:00 https://www.hexacorn.com/blog/2023/12/29/1-little-known-secret-of-fsquirt-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8430966 False None None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of regsvr32.exe, take three
In the past I wrote a few times about the side-effect of having 2 binaries named the same way and residing in respective System32 and SysWOW64 directories. Regsvr32.exe is not different. If you run a 32-bit Regsvr32.exe with a command …
2023-12-28T23:14:48+00:00 https://www.hexacorn.com/blog/2023/12/28/1-little-known-secret-of-regsvr32-exe-take-three/ www.secnews.physaphae.fr/article.php?IdArticle=8430508 False Technical None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of regsvr32.exe, take two
There is an archaic feature that regsvr32.exe leverages to autoregister libraries associated with file extensions. For this to work, it expects an AutoRegister key to be present under the file extension handler with a default value pointing to the library …
2023-12-27T00:09:35+00:00 https://www.hexacorn.com/blog/2023/12/27/1-little-known-secret-of-regsvr32-exe-take-two/ www.secnews.physaphae.fr/article.php?IdArticle=8429539 False None None 2.0000000000000000
HexaCorn - Research Blog 1 little known secret of runonce.exe (32-bit)
When you execute 32-bit version of runonce.exe on a 64-bit version of Windows and pass to it the /RunOnceEx6432 argument you will make the program load iernonce.dll library and execute its RunOnceExProcess API… Since the iernonce.dll library is loaded using …
2023-12-26T15:22:47+00:00 https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ www.secnews.physaphae.fr/article.php?IdArticle=8429361 False Technical None 3.0000000000000000
HexaCorn - Research Blog 1 little known secret of regsvr32.exe
The little known secret of regsvr32.exe is… You ready? You can load multiple DLLs at the same time. Yup. And not just one extra, but many. Let’s have a look at an example: regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx foo will first load c:\WINDOWS\system32\hhctrl.ocx …
2023-12-25T22:23:50+00:00 https://www.hexacorn.com/blog/2023/12/25/1-little-known-secret-of-regsvr32-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8429006 False None None 3.0000000000000000
HexaCorn - Research Blog 2 less known secrets of Windows command command-driven line tools…
Many Windows tools support commands f.ex.: We are very used to their invocations in a form of tool command but there is an alternative way to invoke them by using quotes around these commands f.ex.: This breaks many hard-coded detections. …
2023-12-25T11:15:35+00:00 https://www.hexacorn.com/blog/2023/12/25/2-less-known-secrets-of-windows-command-command-driven-line-tools/ www.secnews.physaphae.fr/article.php?IdArticle=8428778 False Tool,Technical None 4.0000000000000000
HexaCorn - Research Blog Copyright banners – re-visited
Over a decade ago I posted some random copyright banner stats from my (relatively small by today’s standards) malware repo. I really liked these stats back then and I still like them today. Why? These banners are great ‘low hanging …
2023-12-19T00:52:09+00:00 https://www.hexacorn.com/blog/2023/12/19/copyright-banners-re-visited/ www.secnews.physaphae.fr/article.php?IdArticle=8425106 False Malware None 3.0000000000000000
HexaCorn - Research Blog Custom Install Path & portability issues
If you’ve been reading my blog for a while now you will know that I love to challenge my threat hunting game with a lot of err…. banalities. And not the banalities I can ignore, but a lot of these …
2023-12-14T00:08:10+00:00 https://www.hexacorn.com/blog/2023/12/14/custom-install-path-portability-issues/ www.secnews.physaphae.fr/article.php?IdArticle=8422348 False Threat,Technical None 4.0000000000000000
HexaCorn - Research Blog Proof of life…
‘Blade Runner’ – the cult classic movie – teaches us that the (non-)human traits/behaviors can be detected with a so-called Voight-Kampff test. This post is about discussing (not designing yet) a similar test for our threat hunting purposes… The key …
2023-12-02T00:06:39+00:00 https://www.hexacorn.com/blog/2023/12/02/proof-of-life/ www.secnews.physaphae.fr/article.php?IdArticle=8418462 False Threat,Technical None 3.0000000000000000
HexaCorn - Research Blog File System artifacts for known security software
Inspired by Phill Moore’s new project called Ruler, I combed my collection of all old HijackThis logs (that I web scraped a long time ago) looking for paths that may be associated with security software. Unlike Phill’s, the resulting data …
2023-11-26T10:59:37+00:00 https://www.hexacorn.com/blog/2023/11/26/file-system-artifacts-for-known-security-software/ www.secnews.physaphae.fr/article.php?IdArticle=8416952 False None None 2.0000000000000000
HexaCorn - Research Blog Looking for the randomness in the most non-AI/ML way…
Here’s an old-school file name-based research… it is not game changing, it won’t bring any immediate solution, but it’s still worth doing today… The software we install (focus here is on Windows, as usual) creates a loooot of files, and …
2023-11-25T00:27:57+00:00 https://www.hexacorn.com/blog/2023/11/25/looking-for-the-randomness-in-the-most-non-ai-ml-way/ www.secnews.physaphae.fr/article.php?IdArticle=8416685 False None None 2.0000000000000000
HexaCorn - Research Blog The world of partially downloaded files…
Anytime you download a file via a browser, instant messenger, or other apps… it is first saved to a temporary file… These temporary files are saved with some particular extensions: For Browsers: For email clients: For Instant Messengers: Are there …
2023-11-22T23:23:03+00:00 https://www.hexacorn.com/blog/2023/11/22/the-world-of-partially-downloaded-files/ www.secnews.physaphae.fr/article.php?IdArticle=8416191 False None None 3.0000000000000000
HexaCorn - Research Blog Lolbins for connoisseurs… Part 3
2023-11-15T22:52:24+00:00 https://www.hexacorn.com/blog/2023/11/15/lolbins-for-connoisseurs-part-3/ www.secnews.physaphae.fr/article.php?IdArticle=8412579 False Technical None 3.0000000000000000
HexaCorn - Research Blog Who am I? Asking for my file friend: whoami.exe…
There is a lot of talk about whoami.exe recently, so here’s one more post about it… When we talk about whoami.exe we often think of it in ‘atomic’ terms. You run it, and you get the results. But by doing so …
2023-11-11T23:28:40+00:00 https://www.hexacorn.com/blog/2023/11/11/who-am-i-asking-for-my-file-friend-whoami-exe/ www.secnews.physaphae.fr/article.php?IdArticle=8409929 False None None 3.0000000000000000
HexaCorn - Research Blog Email domains AD 2023
Back in a day (90s/2000s), if you wanted an email, there were lots of (free) email providers available. With a minimum of effort one could sign up to as many free email services available at that time as possible. No …
2023-11-03T23:21:29+00:00 https://www.hexacorn.com/blog/2023/11/03/email-domains-ad-2023/ www.secnews.physaphae.fr/article.php?IdArticle=8405584 False None None 2.0000000000000000
HexaCorn - Research Blog Beyond the good ol' .bashrc entry… Part 3
Update After I posted it, @netspooky pinged me with some additional info. Apparently, this technique is known since at least 2019 and was demoed by @zer0pwn first. This blog post from MCG describes it. Old Post This entry is a …
2023-10-28T21:15:23+00:00 https://www.hexacorn.com/blog/2023/10/28/beyond-the-good-ol-bashrc-entry-part-3/ www.secnews.physaphae.fr/article.php?IdArticle=8402109 False Technical None 3.0000000000000000
HexaCorn - Research Blog Beyond the good ol' .bashrc entry… Part 2
Okay, okay, yup, it is a series now. Part two is here! Browsing available Ubuntu apps one can find a lot of interesting software. One of them is kchmviewer. Its purpose is to view CHM files – outdated, but still …
2023-10-27T22:21:47+00:00 https://www.hexacorn.com/blog/2023/10/27/beyond-the-good-ol-bashrc-entry-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8401642 False None None 2.0000000000000000
HexaCorn - Research Blog Hunting for Windows API prototypes and descriptions…
Over the years I have made a lot of attempts to systematically extract Windows API information from various sources, but primarily, of course, from Microsoft help documentation available at different times, in different forms and file formats. If you need …
2023-10-25T23:49:37+00:00 https://www.hexacorn.com/blog/2023/10/25/hunting-for-windows-api-prototypes-and-descriptions/ www.secnews.physaphae.fr/article.php?IdArticle=8400610 False None None 2.0000000000000000
HexaCorn - Research Blog Mapping Chrome extension IDs to their names, Part 2
Nearly 2 years ago I published the first part, so it’s time for a quick update. And this time I am publishing the file as well – note that it cannot be used for commercial purposes, but hope you will …
2023-10-20T22:19:51+00:00 https://www.hexacorn.com/blog/2023/10/20/mapping-chrome-extension-ids-to-their-names-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8398419 False None None 2.0000000000000000
HexaCorn - Research Blog What Champagne to drink?
2023-10-17T22:49:54+00:00 https://www.hexacorn.com/blog/2023/10/17/what-champagne-to-drink/ www.secnews.physaphae.fr/article.php?IdArticle=8396902 False None None 1.00000000000000000000
HexaCorn - Research Blog Dexray v2.33
Even in 2023 Dexray seems to be delivering value to DFIR practitioners. I am always very humbled by unsolicited additions to Dexray code, because it means the tool is still alive, despite the fact it was written in archaic (by …
2023-10-13T22:43:54+00:00 https://www.hexacorn.com/blog/2023/10/13/dexray-v2-33/ www.secnews.physaphae.fr/article.php?IdArticle=8395306 False Tool None 3.0000000000000000
HexaCorn - Research Blog Beyond the good ol' .bashrc entry… Part 1
I really don’t know if this is the first post in the series, or just a one-off that is also, the last. There are many fantastic blog posts out there that deal with the most popular Linux persistence tricks, f.ex. …
2023-09-29T23:18:54+00:00 https://www.hexacorn.com/blog/2023/09/29/beyond-the-good-ol-bashrc-entry-part-1/ www.secnews.physaphae.fr/article.php?IdArticle=8389690 False Technical None 3.0000000000000000
HexaCorn - Research Blog ZydisInfo – the disassembler that breaks the code, twice
The moment I heard of machine code and its opcodes… I fell in love. Being able to understand machine code from just looking at the binary (okay, mostly its hexadecimal representation) felt like magic. And since many simple x86 assembly …
2023-09-27T22:38:17+00:00 https://www.hexacorn.com/blog/2023/09/27/zydisinfo-the-disassembler-that-breaks-the-code-twice/ www.secnews.physaphae.fr/article.php?IdArticle=8388820 False Technical None 3.0000000000000000
HexaCorn - Research Blog The hidden side of 24/7/365 – The dreadful APAC shift
It’s easy to say ‘we follow the Sun’ or ‘we deliver that 24/7/365 service’. The story doesn’t end there though – the delivery part of this promise has a different story to tell. The one that is rarely talked about, …
2023-09-23T22:58:16+00:00 https://www.hexacorn.com/blog/2023/09/23/the-hidden-side-of-24-7-365-the-dreadful-apac-shift/ www.secnews.physaphae.fr/article.php?IdArticle=8387164 False None None 2.0000000000000000
HexaCorn - Research Blog Using OSINT skills for your own protection…
This is probably the most unusual blog post I have ever written here… Oh, well… — TL;DR; My wife and I recently stayed at a pretty expensive hotel. I won’t name and shame, but it’s fair to say they didn’t …
2023-09-22T22:48:48+00:00 https://www.hexacorn.com/blog/2023/09/22/using-osint-skills-for-your-own-protection/ www.secnews.physaphae.fr/article.php?IdArticle=8386901 False Technical None 3.0000000000000000
HexaCorn - Research Blog Documenting the undocumented – Excel's SaveAs method…
A few days ago kernelv0id asked about an undocumented Excel format that he observed being used by one of the payloads he was analysing. He saw a malicious .xlsb file dropping a file that was being saved with a file …
2023-09-21T22:37:46+00:00 https://www.hexacorn.com/blog/2023/09/21/documenting-the-undocumented-excels-saveas-method/ www.secnews.physaphae.fr/article.php?IdArticle=8386487 False Technical None 4.0000000000000000
HexaCorn - Research Blog Analysing NSRL data set for fun and because… curious, Part 3
Nearly two years ago I published a quick summary of my analysis of NSRL data. I believe I was the first one to publicly evaluate this data set, and I still stand by the harsh conclusions I reached back then, …
2023-09-16T22:11:55+00:00 https://www.hexacorn.com/blog/2023/09/16/analysing-nsrl-data-set-for-fun-and-because-curious-part-3/ www.secnews.physaphae.fr/article.php?IdArticle=8384252 False None None 3.0000000000000000
HexaCorn - Research Blog Lolbins for connoisseurs… Part 2
2023-09-09T00:09:28+00:00 https://www.hexacorn.com/blog/2023/09/09/lolbins-for-connoisseurs-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8380591 False Technical None 3.0000000000000000
HexaCorn - Research Blog The secret of 961c151d2e87f2686a955a9be24d316f1362bf21
I recently came across a sample that included the following, mysterious string: I googled around and not only found a few more occurrences of this string, but also found a yara rule (PDF warning) that referenced it. I had to …
2023-09-03T18:00:04+00:00 https://www.hexacorn.com/blog/2023/09/03/the-secret-of-961c151d2e87f2686a955a9be24d316f1362bf21/ www.secnews.physaphae.fr/article.php?IdArticle=8378414 False Technical None 3.0000000000000000
HexaCorn - Research Blog Writing better Yara rules in 2023…
In my previous post I mused about an impossible task – how to consolidate a large, unorganized yara ruleset (that lots of us, admittedly, collect and hoard – just downloading it all, randomly, from all the corners of the internet …
2023-08-26T00:15:33+00:00 https://www.hexacorn.com/blog/2023/08/26/writing-better-yara-rules-in-2023/ www.secnews.physaphae.fr/article.php?IdArticle=8374715 False None None 4.0000000000000000
HexaCorn - Research Blog Lolbins for connoisseurs…
We are all quite fixated on a purity of lolbins. Best if it is a hidden/undocumented/unexpected behavior of a native OS binary that can be abused for some nefarious purposes. I, obviously, love these the most, too. However… Living Off …
2023-08-25T23:05:18+00:00 https://www.hexacorn.com/blog/2023/08/25/lolbins-for-connoisseurs/ www.secnews.physaphae.fr/article.php?IdArticle=8374664 False Technical None 3.0000000000000000
HexaCorn - Research Blog How to start your own threat intel company?
Have you ever wondered where all the threat intel feeds come from? How do these companies know that this, or that email account has been compromised? How do they identify […]
2023-07-14T23:34:32+00:00 https://www.hexacorn.com/blog/2023/07/14/how-to-start-your-own-threat-intel-company/ www.secnews.physaphae.fr/article.php?IdArticle=8356761 False Threat None 3.0000000000000000
HexaCorn - Research Blog Enter Sandbox 27: Account creation
It’s been nearly 4 years since I published my last article in this series providing the community with a large corpora of sandbox reports (apilog_2019-07-14). One of the less known […]
2023-07-13T23:36:15+00:00 https://www.hexacorn.com/blog/2023/07/13/enter-sandbox-27-account-creation/ www.secnews.physaphae.fr/article.php?IdArticle=8356270 False None None 3.0000000000000000
HexaCorn - Research Blog The myth of “knowing your org” -> know_your_org.docx
The cyber consulting world delivers a lot of useful security work. They do workshops, trainings, table top exercises, they write playbooks, red team, provide assessments, and help companies with gap […]
2023-06-22T23:54:19+00:00 https://www.hexacorn.com/blog/2023/06/22/the-myth-of-knowing-your-org-know_your_org-docx/ www.secnews.physaphae.fr/article.php?IdArticle=8348306 False None None 2.0000000000000000
HexaCorn - Research Blog Mitre Att&ck – from JSON to CSV
I love JSON-formatted data so much that… anytime I see something valuable stored in this format I really can’t resist the temptation of converting it to CSV so that I […]
2023-06-14T23:21:58+00:00 https://www.hexacorn.com/blog/2023/06/14/mitre-attck-from-json-to-csv/ www.secnews.physaphae.fr/article.php?IdArticle=8345534 False None None 2.0000000000000000
HexaCorn - Research Blog Perl and Python Scripting Templates…
One of the most important (basic) technical skills in cybersecurity are: Knowing Excel (or Google sheets) Knowing basic programming/scripting (bash, cmd, powershell, vbs, vba, autoit, python, perl, etc.) Knowing and […]
2023-06-09T23:33:10+00:00 https://www.hexacorn.com/blog/2023/06/09/perl-and-python-scripting-templates/ www.secnews.physaphae.fr/article.php?IdArticle=8343811 False None None 2.0000000000000000
HexaCorn - Research Blog This LOLBIN doesn't exist…
I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even […]
2023-06-07T21:54:04+00:00 https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ www.secnews.physaphae.fr/article.php?IdArticle=8343149 False None None 2.0000000000000000
HexaCorn - Research Blog Analyzing nested, obfuscated PHP files…
Many PHP webshells are encrypted, encoded, obfuscated in many different ways, but most use a rudimentary approach relying on engaging the same sequence of code ‘hiding’ routines repetitively, sequences that […]
2023-06-03T22:07:18+00:00 https://www.hexacorn.com/blog/2023/06/03/analyzing-nested-obfuscated-php-files/ www.secnews.physaphae.fr/article.php?IdArticle=8341834 False None None 3.0000000000000000
HexaCorn - Research Blog Analysing PS2EXE executables…
In my older posts I have shown how to deal with ‘encrypted’ or otherwise ‘protected’ script-to-exe executable files that aim to hide, obfuscate, or otherwise make scripts used to generate […]
2023-06-01T22:52:56+00:00 https://www.hexacorn.com/blog/2023/06/01/analysing-ps2exe-executables/ www.secnews.physaphae.fr/article.php?IdArticle=8341346 False None None 3.0000000000000000
HexaCorn - Research Blog DeXRAY, DFIR, and the art of ambulance chasing…
Pretty much all of my DeXRAY posts ever published have been focusing on new versions of this tool being released. Today I will talk about the ‘making of the sausages’ part […]
2023-05-23T22:56:08+00:00 https://www.hexacorn.com/blog/2023/05/23/dexray-dfir-and-the-art-of-ambulance-chasing/ www.secnews.physaphae.fr/article.php?IdArticle=8338854 False Tool None 4.0000000000000000
HexaCorn - Research Blog Blue teaming – it's DATa complicated…
A decade ago blue teaming was … easy (this is a really bad joke, I know!).
In fairness, we had less targets, less programming languages to deal with, less platforms, […]]]> 2023-05-17T22:57:44+00:00 https://www.hexacorn.com/blog/2023/05/17/blue-teaming-its-data-complicated/ www.secnews.physaphae.fr/article.php?IdArticle=8337471 False None None 2.0000000000000000 HexaCorn - Blog de recherche Da li \\ 'l World of DLL Exportts and Points d'entrée, partie 6<br>Da Li\\'L World of DLL Exports and Entry Points, Part 6 I love looking at clusters of files, because it’s the easiest way to find patterns. In the last part of this series I focused on Nullsoft installers (DLLs!) only, and […]]]> 2023-05-12T22:50:39+00:00 https://www.hexacorn.com/blog/2023/05/12/da-lil-world-of-dll-exports-and-entry-points-part-6/ www.secnews.physaphae.fr/article.php?IdArticle=8336213 False None None 2.0000000000000000 HexaCorn - Blog de recherche Matlab persistant lolbin & # 8211;2 ans trop tard, mais toujours…<br>Matlab persistent lolbin – 2 years too late, but always… I just realized I have never published a post about lolbinish/persistencish Matlab feature that I referred to in this twit. The Tl;dr; is that Matlab can load a DLL of […]]]> 2023-05-12T21:35:49+00:00 https://www.hexacorn.com/blog/2023/05/12/matlab-persistent-lolbin-2-years-too-late-but-always/ www.secnews.physaphae.fr/article.php?IdArticle=8336192 False None None 2.0000000000000000 HexaCorn - Blog de recherche Noms de la section PE & # 8211;revisité, encore une fois, en 2023<br>PE Section names – re-visited, again, in 2023 In my previous posts I have listed many PE sections present in different types of binaries. 
Today I am looking at win11 PE sections and am happy to report that […]]]> 2023-05-11T23:16:10+00:00 https://www.hexacorn.com/blog/2023/05/11/pe-section-names-re-visited-again-in-2023/ www.secnews.physaphae.fr/article.php?IdArticle=8335783 False None None 3.0000000000000000 HexaCorn - Blog de recherche Un elfe entre dans le bar…<br>An Elf walks into the bar… Windows 11’s advapi32.dll includes interesting export functions: ElfBackupEventLogFileA ElfBackupEventLogFileW ElfChangeNotify ElfClearEventLogFileA ElfClearEventLogFileW ElfCloseEventLog ElfDeregisterEventSource ElfFlushEventLog ElfNumberOfRecords ElfOldestRecord ElfOpenBackupEventLogA ElfOpenBackupEventLogW ElfOpenEventLogA ElfOpenEventLogW ElfReadEventLogA ElfReadEventLogW ElfRegisterEventSourceA ElfRegisterEventSourceW ElfReportEventA ElfReportEventAndSourceW ElfReportEventW And I […]]]> 2023-05-11T22:29:20+00:00 https://www.hexacorn.com/blog/2023/05/11/an-elf-walks-into-the-bar/ www.secnews.physaphae.fr/article.php?IdArticle=8335764 False None None 2.0000000000000000 HexaCorn - Blog de recherche Malware & # 8211;Quelques réflexions sur le sens du mot…<br>Malware – some musings about the meaning of the word… I have read Ali‘s question with a great interest, because it’s the questions like this that make you pause and think. In my reply I suggested that the context is […]]]> 2023-05-05T23:23:12+00:00 https://www.hexacorn.com/blog/2023/05/05/malware-some-musings-about-the-meaning-of-the-word/ www.secnews.physaphae.fr/article.php?IdArticle=8333897 False Malware None 2.0000000000000000 HexaCorn - Blog de recherche Menage Hunting & # 8211;Problèmes d'architecture…<br>Threat Hunting – architecture issues… In my recent post I focused on localization issues, but there is (always!) 
more… Take a look at the Windows 11 ARM version – when you install it you will […]]]> 2023-05-04T23:23:19+00:00 https://www.hexacorn.com/blog/2023/05/04/threat-hunting-architecture-issues/ www.secnews.physaphae.fr/article.php?IdArticle=8333645 False Threat None 3.0000000000000000 HexaCorn - Blog de recherche Utilisation de détecter facile à… détecter facilement<br>Using Detect It Easy to… detect it easy I love Detect It Easy. It’s my go-to tool when it comes to triaging malicious samples and it continuously exceeds my expectations… Except the times when I forgot to use […]]]> 2023-04-21T23:49:48+00:00 https://www.hexacorn.com/blog/2023/04/21/using-detect-it-easy-to-detect-it-easy/ www.secnews.physaphae.fr/article.php?IdArticle=8330094 False Tool None 2.0000000000000000 HexaCorn - Blog de recherche Les mots qui vont adapataadadapata<br>The words that go adapataadadapata Long time ago (when I used to make my own cross-words), one of my favorite targets was building them in a way that made them either have some special properties, […]]]> 2023-04-20T22:46:15+00:00 https://www.hexacorn.com/blog/2023/04/20/the-words-that-go-adapataadadapata/ www.secnews.physaphae.fr/article.php?IdArticle=8329804 False None None 3.0000000000000000 HexaCorn - Blog de recherche Au-delà de la bonne clé de run ol \\ ', partie 142<br>Beyond good ol\\' Run key, Part 142 I never heard of OBS (Open Broadcaster Software), until I saw this Twitter thread. After downloading it, trying it, tinkering with it… I actually found it far more confusing than […]]]> 2023-04-14T21:47:41+00:00 https://www.hexacorn.com/blog/2023/04/14/beyond-good-ol-run-key-part-142/ www.secnews.physaphae.fr/article.php?IdArticle=8327947 False None None 2.0000000000000000 HexaCorn - Blog de recherche Les mots qui vont (.) [A-z] \ 1 [a-z] \ 1 [a-z] \ 1 [a-z] \ 1 [a-z] \ 1<br>The words that go (.)[a-z]\1[a-z]\1[a-z]\1[a-z]\1[a-z]\1 One of my old hobbies is playing with words. 
I love all sort of dad jokes, “the longest” words, “the weirdest” words, “foreign words”, homonyms, homophones, palindromes, synonyms, antonyms, metonyms, […]]]> 2023-04-01T22:56:02+00:00 https://www.hexacorn.com/blog/2023/04/01/the-words-that-go-a-z1a-z1a-z1a-z1a-z1/ www.secnews.physaphae.fr/article.php?IdArticle=8324066 False None None 3.0000000000000000 HexaCorn - Blog de recherche Convertir des questions douteuses en opportunités incontestables… [Converting questionable questions into unquestionable opportunities…] Social media are full of questions that are formulated in a passive, passive-aggressive, or upfront aggressive way, often using common fallacies in a manipulative way to discourage dialogue. It is […]]]> 2023-03-28T22:14:05+00:00 https://www.hexacorn.com/blog/2023/03/28/converting-questionable-questions-into-unquestionable-opportunities/ www.secnews.physaphae.fr/article.php?IdArticle=8322673 False None None 2.0000000000000000 HexaCorn - Blog de recherche List of clean mutexes and mutants 2023-03-12T00:03:36+00:00 https://www.hexacorn.com/blog/2023/03/12/list-of-clean-mutexes-and-mutants/ www.secnews.physaphae.fr/article.php?IdArticle=8317690 False Malware None 4.0000000000000000 HexaCorn - Blog de recherche Threat Hunting – localization issues 2023-03-10T23:47:21+00:00 https://www.hexacorn.com/blog/2023/03/10/threat-hunting-localization-issues/ www.secnews.physaphae.fr/article.php?IdArticle=8317391 False Threat None 4.0000000000000000 HexaCorn - Blog de recherche Beyond good ol\' Run key, Part 141 2023-02-25T23:55:35+00:00 https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/ www.secnews.physaphae.fr/article.php?IdArticle=8313420 False None None 3.0000000000000000 HexaCorn - Blog de recherche Excelling at Excel, Part 3 2023-01-22T00:56:23+00:00 https://www.hexacorn.com/blog/2023/01/22/excelling-at-excel-part-3/ www.secnews.physaphae.fr/article.php?IdArticle=8303159 False Malware None 5.0000000000000000 HexaCorn - Blog de recherche 
Yara rules pageant 2023-01-21T00:12:05+00:00 https://www.hexacorn.com/blog/2023/01/21/yara-rules-pageant/ www.secnews.physaphae.fr/article.php?IdArticle=8303015 False None None 3.0000000000000000 HexaCorn - Blog de recherche Decrypting SHell Compiled (SHC) ELF files 2023-01-13T23:37:28+00:00 https://www.hexacorn.com/blog/2023/01/13/decrypting-shell-compiled-shc-elf-files/ www.secnews.physaphae.fr/article.php?IdArticle=8301008 False None None 3.0000000000000000 HexaCorn - Blog de recherche Excelling at Excel, Part 2 2023-01-08T00:01:01+00:00 https://www.hexacorn.com/blog/2023/01/08/excelling-at-excel-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8298877 False Threat None 3.0000000000000000 HexaCorn - Blog de recherche Excelling at Excel, Part 1 2023-01-07T00:18:24+00:00 https://www.hexacorn.com/blog/2023/01/07/excelling-at-excel-part-1/ www.secnews.physaphae.fr/article.php?IdArticle=8298684 False None None 2.0000000000000000 HexaCorn - Blog de recherche Putting ELF on the shelf… 2023-01-03T00:20:48+00:00 https://www.hexacorn.com/blog/2023/01/03/putting-elf-on-the-shelf/ www.secnews.physaphae.fr/article.php?IdArticle=8297298 False None None 4.0000000000000000 HexaCorn - Blog de recherche A bunch of OLD-School RCE tricks… 2023-01-01T00:44:53+00:00 https://www.hexacorn.com/blog/2023/01/01/a-bunch-of-old-school-rce-tricks/ www.secnews.physaphae.fr/article.php?IdArticle=8296809 False None None 4.0000000000000000 HexaCorn - Blog de recherche Beyond good ol\' Run key, Part 140 2022-12-30T23:29:04+00:00 https://www.hexacorn.com/blog/2022/12/30/beyond-good-ol-run-key-part-140/ www.secnews.physaphae.fr/article.php?IdArticle=8296334 False None None 2.0000000000000000 HexaCorn - Blog de recherche How to be a good quitter? 
2022-12-15T00:12:54+00:00 https://www.hexacorn.com/blog/2022/12/15/how-to-be-a-good-quitter/ www.secnews.physaphae.fr/article.php?IdArticle=8291396 False None None 2.0000000000000000 HexaCorn - Blog de recherche Marrying client-side Windows-based CryptEncrypt and server-side,Linux-based Crypt::OpenSSL::RSA 2022-12-09T22:51:12+00:00 https://www.hexacorn.com/blog/2022/12/09/marrying-client-side-windows-based-cryptencrypt-and-server-sidelinux-based-cryptopensslrsa/ www.secnews.physaphae.fr/article.php?IdArticle=8289681 False None None 2.0000000000000000 HexaCorn - Blog de recherche The Future of SOC 2022-12-08T23:32:52+00:00 https://www.hexacorn.com/blog/2022/12/08/the-future-of-soc/ www.secnews.physaphae.fr/article.php?IdArticle=8289378 False None None 2.0000000000000000 HexaCorn - Blog de recherche Using make_sc_hash_db.py to create API hashing DBs 2022-12-03T22:43:03+00:00 https://www.hexacorn.com/blog/2022/12/03/using-make_sc_hash_db-py-to-create-api-hashing-dbs/ www.secnews.physaphae.fr/article.php?IdArticle=8287376 False None None 3.0000000000000000 HexaCorn - Blog de recherche Environment… is variable 2022-12-02T23:15:00+00:00 https://www.hexacorn.com/blog/2022/12/02/environment-is-variable/ www.secnews.physaphae.fr/article.php?IdArticle=8286887 False None None 3.0000000000000000 HexaCorn - Blog de recherche Cracking Zeppelin 2022-11-19T23:29:55+00:00 https://www.hexacorn.com/blog/2022/11/19/cracking-zeppelin/ www.secnews.physaphae.fr/article.php?IdArticle=8221900 False Ransomware None None HexaCorn - Blog de recherche Beyond good ol\' Run key, Part 139 2022-11-19T22:53:09+00:00 https://www.hexacorn.com/blog/2022/11/19/beyond-good-ol-run-key-part-139/ www.secnews.physaphae.fr/article.php?IdArticle=8221901 False None None None HexaCorn - Blog de recherche Dealing with alert fatigue, Part 2 2022-10-08T21:49:42+00:00 https://www.hexacorn.com/blog/2022/10/08/dealing-with-alert-fatigue-part-2/ www.secnews.physaphae.fr/article.php?IdArticle=8221902 False None None 
None HexaCorn - Blog de recherche Dealing with alert fatigue, Part 1 2022-10-01T23:43:03+00:00 https://www.hexacorn.com/blog/2022/10/01/dealing-with-alert-fatigue-part-1/ www.secnews.physaphae.fr/article.php?IdArticle=8221903 False None None None HexaCorn - Blog de recherche Inserting data into other processes\' address space, part 1a 2022-09-21T22:05:59+00:00 https://www.hexacorn.com/blog/2022/09/21/inserting-data-into-other-processes-address-space-part-1a/ www.secnews.physaphae.fr/article.php?IdArticle=8221904 False None None None