Nasreddine Bencherchali

1.6K Followers


Aug 16

LOLBINed — Abusing Sysinternals BgInfo

In 2017 Oddvar Moe published a blog post on how he was able to use BgInfo to bypass application whitelisting. This finding is documented on LOLBAS and it still works today. While looking at this LOLBin this past week, I found that you can achieve the same effect by using…

Lolbin

3 min read


Published in

Sigma_HQ

·May 17

Sigma Rule Repository Enhancements — New Folder Structure & Rule Types

In the past few months we’ve been busy doing a major overhaul of the Sigma project, which includes rule re-writes, metadata enhancements (titles, descriptions, false-positive notes) and much more. Last month we introduced the logsource-guides, a new addition that aims to ease the process…

Sigma

4 min read


May 16

LOLBINed — Finding “LOLBINs” In AV Uninstallers

This blog was originally written in February 2022 and updated throughout the year as vendors responded. Introduction: Usually when people think of LOLBINs, they tend to think only of built-in OS binaries. …

Lolbin

8 min read


Published in

Sigma_HQ

·Apr 26

Community Contribution Highlights — SentinelOne Joins PySIGMA

We’re happy to announce a new backend addition to the growing list of PySIGMA supported backends thanks to a community contribution by Cori Smith (7RedViolin). Using the latest and greatest version of sigma-cli you can immediately make use of this backend and start converting SIGMA rules into SentinelOne Deep Visibility…

3 min read


Nov 1, 2022

LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands

Introduction: At the start of the year, I was doing some research into AV uninstaller tools, understanding how they work, and trying to find misconfigurations and other ways they can be abused. I’ve compiled my findings in a repository that I’ll make public soon. One AV uninstaller in particular we’ll be…

Lolbin

8 min read


Aug 1, 2022

Behind The Detection — Schtasks

Part I: Getting Started — Hello and welcome to this brand new blog series that I'm starting where I’ll be looking at some different techniques/tools used in the wild by different actors from the lens of Sysmon and the Windows Event Log and build/showcase available SIGMA rules to detect them. This post will serve as…

Windows

7 min read


Jul 29, 2022

Persistence Using Windows Terminal “Profiles”

While doing some research on persistence, I stumbled upon an interesting technique to persist on a Windows machine using Windows Terminal profiles. I’ve tweeted about this technique, as the method fits in a single tweet 😅, but I decided to formalize everything in a blog, so here it goes. Windows Terminal …

Windows

4 min read


Jun 16, 2022

Persistence With “Fiddler Classic” Extensions

Inspired by Rasta Mouse’s blog on Notepad++ plugins for persistence, this blog talks about how to use Fiddler Classic extensions/plugins as a persistence mechanism. First, a quick definition from the website: Fiddler Classic and Fiddler Everywhere are special-purpose proxy server tools for debugging web traffic from applications like browsers. …

Persistence

2 min read


Mar 20, 2022

LOLBINed — 360TotalSecurity (360AdvToolExecutor.exe)

Introduction: Continuing with the same idea as my last two articles about “F-Secure FSDIAG” and “CyberGhost VPN”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at 360 Total Security. Note: This issue has been reported to the 360 Total Security team but no response…

Lolbin

3 min read


Mar 19, 2022

LOLBINed — CyberGhost VPN (PeLauncher.exe/Dashboard.exe)

Introduction: In the same spirit as my last article about “F-Secure FSDIAG”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at CyberGhost VPN. Note: Since the CyberGhost team doesn’t have a vulnerability program, I’ve reported this issue to the support team, which they forwarded…

Lolbin

3 min read


I write about #Detection #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
