Intro: Welcome back. I've been asked lately if I know any techniques to investigate fileless attacks using free tools and I shamefully replied with a "No". I wasn't aware of any free and good tools that can accomplish this task of logging PowerShell scripts, WMI commands, process creation , parent processes and command lines. Lately … Continue reading Windows event logging and Fileless attacks →

Hello and welcome back. After a few weeks I managed to find time and write a new blog post. Someone suggested an article about fileless malware and here it is. The thing with fileless malware if that it runs completely in memory (if the name wasn't obvious enough), thus it can evade security software that … Continue reading Fileless malware and WMI →

Intro: A couple of weeks ago, I spotted a suspicious binary on VT, it then had only 11 hits and still has a valid digital signature. In this blogpost I'm going to demonstrate how to statically deobfuscate strings using IDAPython. Let's play with it inside IDA. Reverse it: After opening IDA, one of the first … Continue reading Deobfuscating strings with IDAPython →

  The hunt: I do my searches on VirusTotal for this blog. After a quick search I managed to find a cute sample to play with. The file is a piece of Windows Batch script, you can view it's contents down bellow: Reverse it If you look closely you'll rapidly see at the end of … Continue reading Powershell 2 Shellcode Part I →