Sign in

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.


Hello and welcome to this follow up blog on ETW. If you haven't read the first part I highly suggest you do because this will be a direct build up on the concepts introduced there. (Link below)

Last time we talked about ETW and its different component. This time i thought i’ll take a look at some of the providers out there. With more than 1000+ providers available by default I started researching interesting events that can help us during detection and forensic investigations.

So let’s get started.

Note: Some of the telemetry mentioned here can be obtained via different…


The holy grail for defenders is being able to detect /stop every attack before / when it happens and to know exactly the how’s no matter the techniques or tools. Unfortunately we’re still far from this holy grail, but as defenders we’ve come a long way on being able to detect and understand some attacks. One of the ways this is achieved is by leveraging the different logs sources available on a system. One such log source is ETW.

What is ETW ?

It’s a general-purpose, high-speed tracing facility provided by the operating system. Using a buffering and logging mechanism implemented in the kernel…

Hello and welcome to part 5 of “Understanding & Detecting C2 Frameworks”. You can read the previous blog posts below

Today we’re going to analyze the C2 PoC “DarkFinger”


The “DarkFinger C2” was created by hyp3rlinx as a proof of concept to showcase how can someone use the “finger.exe” utility as a channel for command and control. The server portion is written in python and the agent is…

In the first post of this series about Symantec EDR Internals, I've talked about “Criterion” a machine learning engine used by SEDR to detect files in the gray area. If you haven't read it please do (Link below)

For this post we’ll talk about a feature of SEDR called enrichment and how it works.

Enrichment Overview

From the oxford dictionary enrichment is:

The action of improving or enhancing the quality or value of something

In the context of detection and EDR. Enrichment is the idea of adding / giving context to an event or any piece of collected data.

So let’s say…

Hello and welcome to the fourth blog post in this series about understanding and detecting C2 frameworks.

As always if you haven’t checked the previous blogs. Please do via the following links

without further ado let’s get started.


This is a basic C2 generic server written in Python and Flask.

This code has based ideia to GTRS, which uses Google Translator as a proxy for sending commands to the infected host. The BabyShark project aims…


Hello and welcome to the third blog post in this series about understanding and detecting C2 frameworks.

If you haven't checked the previous blogs please do as we’ve already analyzed both “Ares” and “TrevorC2”

Today we’re gonna take a look at framework created by “onSec-fr” called “HTTP/S Asynchronous Reverse Shell” (HARS). Still in a POC phase but interesting nonetheless. Without further ado let’s get started.

HTTP/S Asynchronous Reverse Shell

Before we dive into the code. …


Hello and welcome to the second blog post of this series about understanding and detecting C2 frameworks. If you haven't read the first blog i highly suggest you do to get a feel of what i’ll be talking about today.

The next C2 framework i decided to look at today is “Trevor C2” by TrustedSec. Let’s get started.


Here is a definition from their GitHub repository

TrevorC2 is a client/server model for masking command and control through a normally browsable website. Detection becomes much harder as time intervals are different and does not use POST requests for data exfil.



Hello and welcome to this new blog series titled “Understanding & Detecting C2 Frameworks”. In the coming weeks and months, i’ll be doing some analysis and deep dives into old and new open source C2 frameworks. Analyzing the source code and try to understand the inner workings in the hope to get more insights into the techniques being used in these different tools. So without further a do let’s start this one with a relatively simple and old framework (RAT) named “Ares” by “sweetsoftware”.


Here is a definition from their GitHub repository

Ares is a Python Remote Access Tool. …

In the recent weeks I’ve been doing some research into Symantec EDR and looking into the technologies that are used to generate the incidents and events inside of the platform. In the hope to get a better understanding of the detection process and mechanisms within.

Seeing a file classified as malicious or an incident being declared is all good and well. …

A couple of weeks ago I was tuning a log configuration in my lab and i encountered an event being generated quite often. (See below)

Seeing the “cscript” utility being used is always a point of interest for me especially in this case, since the process launching it was the the Symantec AV service host process (ccSvcHst.exe).

I decided to investigate and dig a little deeper behind the origin of this behavior. So i fired up process monitor on the host machine and waited a little bit. …

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store