[Misc Series #4] Forensics on EDRSilencer Events
by GhouLSec
3M ago
EDRSilencer by netero1010 is a tool that uses the Windows Filtering Platform (WFP) to block an EDR agent from sending its event data to its server by adding both IPv4 and IPv6 WFP outbound block rules (Administrator access required). That is bad, as most defenders depend heavily on EDR event data to perform their operational tasks. In this blog, here are some of the indicators we can look for if the EDR event data flow has been “blocked” during a security event (e.g. red teaming or a threat actor).
Event Logs
As usual, the Security event log contains events related to …
[Mal Series #26] Quick Analysis on Maldoc in PDF
by GhouLSec
8M ago
Recently I came across the JPCert blog post about MalDoc in PDF, which is quite interesting, so I took the sample and started analysing it. This blog will share my analysis and an interesting artifact that is left behind when the maldoc starts an internet connection to the next-stage URL. It is recommended to read through their blog for a better understanding of the file structure.
Analysis
Thanks to Will Dormann’s X post, which mentioned that the link tag with the rel attribute Edit-Time-Data points to a base64-encoded ActiveMime blob. This would be a great start to begin the …
[Mal Series #25] The spawn of conhost.exe
by GhouLSec
11M ago
When I was playing with some red teaming toolkits, I found the conhost.exe 0xffffffff -ForceV1 process quite interesting. Therefore, this blog will explain why this happens, based on my understanding. Based on the Mandiant blog, conhost.exe is the Windows console host, which is responsible for handling the console input thread. For a better understanding, it is encouraged to read their blog. Since most Windows-based computers are now using Windows 10 (they might soon move to Windows 11?), the findings will stick to the Windows 10 environment only, or Windows versions that follow a similar …
[Misc Series #3] Vuln ProcExp 16.32
by GhouLSec
1y ago
Blog posts from Check Point Research and Sophos mention that this vulnerable driver has been abused in various incidents to terminate protected processes, especially anti-malware related processes. Here is a short note on how the driver is able to terminate any process. To make things easier, I will just refer to the OSS project BackStab, a protected process killer by Yaxser. There is a driver function that is responsible for opening a protected process handle and determining the protected process level, which I didn’t cover in this case. The binary will load a vulnerable …
[Mal Series #24] Qakbot BB12 DLL Analysis 2023
by GhouLSec
1y ago
There is already a comprehensive analysis of Qakbot from Elastic Security Labs; kudos to them!! It seems there have not been many changes since 2022 in terms of its core functions. The obvious changes are the implementation of double RC4 encryption on the resource file and the Mersenne Twister + ISAAC random number generator. It does have a lot of adaptation for both 32- and 64-bit systems, such as checking account privileges. This is also my first time using ChatGPT to make my life easier. In general: Unpacker -> 1st stage -> 2nd stage (* 1st stage and 2nd stage are from the same file with d…
[RedDev #5] Rundll32 COM Hijack executor in C++
by GhouLSec
1y ago
Out of curiosity about how rundll32.exe triggers COM execution via the -sta/-localserver switches, I decided to dig into the rundll32.exe code further to understand why it does so.
Investigation
During the initial phase, rundll32.exe itself parses the arguments passed to it via RunDLL_ParseCommand. This function determines which part of the code will be executed based on the switch_flag output produced by RunDLL_ParseCommand. There are only 3 switch types for rundll32.exe: -sta (represented by decimal value 1), -localserver (represented by decimal value 2…
[Vuln Series #1] CLFS Vulnerability Analysis
by GhouLSec
1y ago
The sample is most probably related to CVE-2022-24521, a CLFS parsing bug. The vulnerability is due to a parsing issue in CLFS on a specially crafted log file (.BLF / Base Log File), which allows a user to alter kthread.previous_mode and enable write access to kernel memory addresses; in this case it is used for token replacement. Please correct me if there is some misinformation in the post! General exploitation flow: Create 2 buffers that contain the address to set up the gadget ClfsSetEndofLog and the previous mode address; Create a new log file with a new container; Modi…
[CTF Series #12] Mini Linux Forensics — MUS22
by GhouLSec
2y ago
Here is my write-up for the mini Linux forensics challenge. In this challenge, each participant received 2 E01 files, aka EnCase image files, which are MATE and Kubuntu disk images. At first I put the E01 images into FTK Imager, but I found it not so convenient to perform the investigation from there. So, I thought of mounting the image on my Linux machine to make my life easier. Therefore, after some google-fu and bash-fu, I managed to create a script to mount Linux partitions from an E01 image. \o/ RandomCodes/LinuxE01_mount …
[Mal Series #22] Weird Embedded PDF file
by GhouLSec
2y ago
A PDF file embedded with a “VelvetSweatshop”-encrypted Excel file, which contains a payload that uses CVE-2017-0199 to download its next payload from a 2url[.]one shortened URL. The malicious sample is available on abuse.ch.
Screenshots
[Screenshot of the PDF file opened in Acrobat.exe] Press “Ok” and Excel 2010 launches (the user will get infected if they are using a vulnerable version of Excel). [Screenshot of the Excel file]
Execution Flow: Acrobat.exe (latest version) -> Excel.exe (tested on Excel 2010, CVE-2017-0199) -> 2url[.]one shortened URL (most probably downloads the paylo…
[RedDev Series #4] Experimenting SysWhisper2 with LLVM Obfuscator
by GhouLSec
2y ago
I will be sharing some of my experiments with the LLVM obfuscator and SysWhisper2 in Visual Studio 2019. This post is inspired by the LLVM-obfuscated malware mentioned in my previous post. In addition, I want to combine this obfuscator with one of the evasion tools, SysWhisper2 :) I will be using the process injection example from @m0rv4i: https://github.com/m0rv4i/SyscallsExample
How To Setup
For both the LLVM obfuscator and SysWhisper2 setup, most of the steps are already mentioned on the unknowncheats.me forum and the SysWhisper2 GitHub page. However, I will still point …