Category Archives: Windows Security

The story of one attack on Windows infrastructure

Intro. Some time ago, I was involved in defending against a cyber attack (or perhaps an attack simulation) at Company X. I believe this example will be particularly interesting for those who want to deepen their understanding of how attackers operate and what defense approaches can help companies protect themselves. This story is a real-world example of an…

Dism.exe and shellcode injecting technique to bypass Applocker rules

Intro. Correctly configured AppLocker rules prevent the execution of untrusted executable files, scripts, and other potentially harmful content. However, it is essential to simplify the process of creating these rules by minimizing the overhead required to maintain them. One of the popular ways to do that is to allow execution of files signed by Microsoft and/or other well-known…

The story of one attack / shell decryption

This is one of the posts related to the attack on Company X, and it discusses shellcode decryption. A popular technique to avoid AV detection is using simple XOR encryption. In our case, the attacker used encrypted shellcode, and to understand what code was executed by this shell, I needed to decrypt it first. I don’t remember all…

How to track processes running with administrative rights in Windows

To gather information about processes running with administrator privileges on endpoints, it’s important to understand Windows Integrity Levels, introduced by Microsoft in Windows Vista (see Mandatory Integrity Control). Mandatory Integrity Control (MIC) is a security feature that enforces access control by assigning integrity levels to processes and objects. It uses the integrity levels Low, Medium, High, and System to…