BLOG
Meterpreter reverse_http(s) “It Works” fingerprint
I stumbled on an article from . In his description he realized that the "It works" page Meterpreter returns is one byte shorter than the standard message. The SHA256 of the original index.html is f2dcc96deec8bca2facba9ad0db55c89f3c4937cd6d2d28e5c4869216ffa81cf and 45...
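The check the post describes, written out as an added example (this is not the article's or Metasploit's code): fetch the root page of a listener, hash the raw body and compare it with the SHA256 the post gives for the stock index.html, and flag a body that still says "It works!" but does not hash to the stock page. The two sample bodies are constructed; the assumption that the stock Apache page is the 45-byte string ending in a newline, and that the one-byte-short variant simply lacks that newline, should be confirmed against a real install and a real handler before relying on the hash match. The target URL is a placeholder.

```powershell
# Added example, not from the original post. Fingerprint an HTTP listener by
# hashing its root page against the SHA256 the post gives for the stock
# Apache "It works!" index.html.
$KnownGoodSha256 = 'f2dcc96deec8bca2facba9ad0db55c89f3c4937cd6d2d28e5c4869216ffa81cf'

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '').ToLower()
    } finally {
        $sha.Dispose()
    }
}

function Test-ItWorksBody {
    param([byte[]]$Body)
    $hash = Get-Sha256Hex -Bytes $Body
    $text = [System.Text.Encoding]::ASCII.GetString($Body)
    $looksLikeItWorks = ($text -match '<h1>It works!</h1>')
    [pscustomobject]@{
        Length           = $Body.Length
        Sha256           = $hash
        IsStockApache    = ($hash -eq $KnownGoodSha256)
        LooksLikeItWorks = $looksLikeItWorks
        # The post's observation: the same visible page, but not the stock bytes.
        Suspicious       = ($looksLikeItWorks -and ($hash -ne $KnownGoodSha256))
    }
}

function Test-ItWorksUrl {
    param([Parameter(Mandatory)][string]$Url)
    # -UseBasicParsing avoids the IE parsing engine on Windows PowerShell 5.1;
    # RawContentStream gives the exact bytes, which is what the hash must cover.
    $resp  = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    $bytes = $resp.RawContentStream.ToArray()
    Test-ItWorksBody -Body $bytes | Add-Member -NotePropertyName Url -NotePropertyValue $Url -PassThru
}

# Constructed samples (assumptions, see lead-in): the stock page with a trailing
# newline (45 bytes) and the same page without it (44 bytes), i.e. the
# one-byte-short variant the post describes.
$stock = [System.Text.Encoding]::ASCII.GetBytes("<html><body><h1>It works!</h1></body></html>`n")
$short = [System.Text.Encoding]::ASCII.GetBytes("<html><body><h1>It works!</h1></body></html>")
Test-ItWorksBody -Body $stock
Test-ItWorksBody -Body $short

# Against a live listener (placeholder address):
# Test-ItWorksUrl -Url 'http://192.0.2.10/'
```

Only the hash comparison is authoritative; the "It works!" text match is there so that a body that looks right but hashes wrong stands out. A hash mismatch alone is not proof of Meterpreter, since any non-default page will also miss, so treat Suspicious as a lead to confirm with other means.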
Unhide Excel Sheet tab
A little trick a great colleague showed me to unhide a sheet in Excel. In PowerShell: $objExcel = New-Object -ComObject Excel.Application; $objExcel.Visible = $true; $WorkBook = $objExcel.Workbooks.Open("C:\Temp\hiddensheet.xls"); $WorkBook.Sheets.Item(2).Visible = 1...
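The same Excel COM approach, extended into an added example (not the post's own code) that lists the visibility state of every sheet and unhides all of them, including "very hidden" sheets, which the Excel UI cannot unhide at all. It also disables macro execution before opening, since the workbook being inspected may be a malware sample. The file paths are placeholders.

```powershell
# Added example, not from the original post. Excel's Worksheet.Visible values:
#   -1 = xlSheetVisible, 0 = xlSheetHidden, 2 = xlSheetVeryHidden
# A very-hidden sheet can only be unhidden via VBA or COM, which is why
# malicious workbooks like to park their macro sheets there.
$SheetStates = @{ '-1' = 'Visible'; '0' = 'Hidden'; '2' = 'VeryHidden' }

function Open-WorkbookSafely {
    param([Parameter(Mandatory)][string]$Path)
    $excel = New-Object -ComObject Excel.Application
    $excel.Visible = $false
    $excel.DisplayAlerts = $false
    # msoAutomationSecurityForceDisable = 3: never run macros on open.
    # Still do this inside an isolated analysis VM.
    $excel.AutomationSecurity = 3
    # Workbooks.Open(Filename, UpdateLinks, ReadOnly)
    $wb = $excel.Workbooks.Open($Path, 0, $true)
    return @{ Excel = $excel; Workbook = $wb }
}

function Close-WorkbookSession {
    param($Session)
    $Session.Workbook.Close($false)   # discard changes in the open copy
    $Session.Excel.Quit()
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($Session.Workbook)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($Session.Excel)
}

function Get-SheetVisibility {
    param([Parameter(Mandatory)][string]$Path)
    $s = Open-WorkbookSafely -Path $Path
    try {
        foreach ($sheet in $s.Workbook.Sheets) {
            $key = [string][int]$sheet.Visible
            [pscustomobject]@{
                Index = $sheet.Index
                Name  = $sheet.Name
                State = if ($SheetStates.ContainsKey($key)) { $SheetStates[$key] } else { "Unknown($key)" }
            }
        }
    } finally {
        Close-WorkbookSession -Session $s
    }
}

function Show-AllSheets {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath   # write a copy; leave the sample untouched
    )
    $s = Open-WorkbookSafely -Path $Path
    try {
        foreach ($sheet in $s.Workbook.Sheets) {
            if ([int]$sheet.Visible -ne -1) { $sheet.Visible = -1 }   # xlSheetVisible
        }
        # 52 = xlOpenXMLWorkbookMacroEnabled (.xlsm), so macro sheets survive the save
        $s.Workbook.SaveAs($OutPath, 52)
    } finally {
        Close-WorkbookSession -Session $s
    }
}

Get-SheetVisibility -Path 'C:\Temp\hiddensheet.xls' | Format-Table
Show-AllSheets -Path 'C:\Temp\hiddensheet.xls' -OutPath 'C:\Temp\hiddensheet.unhidden.xlsm'
```

Run Get-SheetVisibility first: a sheet reported as VeryHidden in a workbook that arrived by mail is worth a closer look before anything else, and the unhidden copy is what you open in the (still offline) analysis session.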
Zloader Malicious Excel File analysis
A friend gave me a malicious Excel file that he had analyzed. As I'm eager to learn more and I'm not familiar with MS Office forensic techniques, I found this interesting to look into during my evenings. First, when uploading it to VirusTotal, today I'm writing...
Sysmon hide and seek
Sysmon is an official Sysinternals system service and device driver that lets you log what is happening on a Windows machine. I will not drill down here into what it is capable of and how important it is to have it running on your company assets and to get them to log to a WEC (Windows Event...
Powershell usefull commands
Check the execution policy: Get-ExecutionPolicy
Check a script's signature: Get-AuthenticodeSignature c:\temp\myscript.ps1
Specify version: powershell -Version 2
cat: Get-Content C:\Windows\System32\Inetsrv\Config\administration.config
ls: Get-ChildItem -Path...
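An added example (not from the original post) that turns the cmdlets above into a small audit: execution policy per scope, the Authenticode status of every .ps1 under a folder, and whether the legacy PowerShell 2.0 engine that "powershell -Version 2" starts is still installed. The folder path is a placeholder and the optional-feature check needs an elevated prompt.

```powershell
# Added example, not from the original post.
function Get-ScriptSigningAudit {
    param([Parameter(Mandatory)][string]$ScriptRoot)
    Get-ChildItem -Path $ScriptRoot -Filter *.ps1 -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script = $_.FullName
            Status = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Get-PowerShellPolicyAudit {
    # One row per scope; the effective policy is the first scope from the top
    # whose value is not Undefined.
    Get-ExecutionPolicy -List
}

function Test-PowerShellV2Installed {
    # $true if "powershell -Version 2" can actually start the old engine.
    # The v2 engine predates script block logging and AMSI, so it is a common
    # way to run scripts with far less telemetry. Requires an elevated prompt.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    return ($null -ne $feature -and $feature.State -eq 'Enabled')
}

Get-PowerShellPolicyAudit | Format-Table
Get-ScriptSigningAudit -ScriptRoot 'C:\Temp' | Where-Object Status -ne 'Valid' | Format-Table
"PowerShell 2.0 engine installed: $(Test-PowerShellV2Installed)"
```

A HashMismatch status is the interesting one: the script was signed and has since been modified. NotSigned on internal scripts is normal under RemoteSigned but worth knowing about before tightening the policy to AllSigned.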
IOCs are dead ?
With cloud technologies, I think one can slowly come to the conclusion that IOCs should not be the only thing relied on! Bad actors can change source IP so easily, and since every threat intelligence provider makes its own lists, there is a great discrepancy between the lists. I'll...