Introduction In the same spirit as my last article about “F-Secure FSDIAG”, let’s continue our search for LOLBINs in known products. This time I’m taking a look at CyberGhost VPN Note: Since the CyberGhost team doesn’t have a vulnerability program, I’ve reported this issue to the support team which they forwarded…

Introduction I’ve been doing some “stupid research” recently on a lot of tools in my quest to find LOLBins everywhere. This short blog is about one of those tools called “fsdiag.exe”. Note: This issue has been reported at the start of the year in January 2022 and has been fixed in…

Introduction While working on “Malicious Command-Line”(MAL-CL), documenting and researching the many use cases different tools can be (ab)used via the command line. I noticed a trend that in hindsight seems “obviously obvious” but is I believe worth saying nonetheless. You don’t drop things just because they’re old and dusty, you drop…

Introduction Often time sysadmins are managing multiple servers and machines at once or doing some other shenanigans. So they tend to download and use tools that ease their process. …

Today Microsoft started rolling out the newest version of Windows to computers around the world. I wanted to check what new and interesting ETW providers were included in this official release. Note: to get these results I did a diff between providers from windows version 21H1 (Win 10) and 21h2…

Introduction Hello and welcome to this follow-up blog on ETW. If you haven't read the first part I highly suggest you do because this will be a direct build-up on the concepts introduced there. (Link below) A Primer On Event Tracing For Windows (ETW) nasbench.medium.com Last time we talked about ETW and its different components. This time I thought I’ll…

Introduction The holy grail for defenders is being able to detect /stop every attack before / when it happens and to know exactly the how’s no matter the techniques or tools. Unfortunately, we’re still far from this holy grail, but as defenders, we’ve come a long way in being able to…

Hello and welcome to part 5 of “Understanding & Detecting C2 Frameworks”. You can read the previous blog posts below Understanding & Detecting C2 Frameworks — TrevorC2 Understanding & Detecting C2 Frameworks — Ares Understanding & Detecting C2 Frameworks — HARS (HTTP/S Asynchronous Reverse Shell) Understanding & Detecting C2 Frameworks…

In the first post of this series about Symantec EDR Internals, I've talked about “Criterion” a machine learning engine used by SEDR to detect files in the gray area. If you haven't read it please do (Link below) Symantec EDR Internals — Criterion Deep Dive Into The Technologies Behind Symantec EDRnasbench.medium.com For this post we’ll talk about a feature of SEDR called enrichment…