Deobfuscating PHP Webshell
zam It started with a person in one of Telegram group that I’ve joined; asking help to reverse the code given & explains what the code does. The code as follow:…
Analysis Write-Ups
Extracting Quarantine Files from Windows Defender
Recently, I got an incident related to Windows Defender detected & quarantined file related to some backdoor. The MDE alert details show something like this: Usually, we go with the…
Interesting Request – Log4J JNDI Exploit
Recently, I saw a person asking question on one of Telegram group that I’ve joined. The person said that if anyone know what kind of request is this. The person…
Decrypting QBot/QakBot Registry
Recently, we have host machine that been infected with QBot/QakBot. Upon investigation, we found that it added a registry with some random name. Based on Googling, I found this article…
Windows Credentials Manager – Looking for cached Zip Passwords
Intro When you open a password protected zip archive using Windows Explorer (“Extract All…”); in Windows 8.x/10, the password is automatically cached in the Credentials Manager for the life of…
Hunting for Log4j RCE (CVE-2021-44228) using RSA Netwitness
So, if you read my previous article; Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel, last time we leveraging Splunk as our platform to hunt event/logs related to this…
Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel
As you are aware, there are new Log4j vuln (CVE-2021-44228) vuln been disclosed and exploited in the wild currently. So, I’m using Splunk query as below; based from Splunk blog…
Carbon Black query searching for malicious NPM library – coa & rc
Based on GitHub Advisory Database:https://github.com/advisories/GHSA-g2q5-5433-rhrf – Embedded malware in rchttps://github.com/advisories/GHSA-73qr-pfmq-6rp8 – Embedded malware in coa rc affected versions:= 1.2.9= 1.3.9= 2.3.9 coa affected versions:= 2.0.3= 2.0.4= 2.1.1= 2.1.3= 3.0.1= 3.1.3…
Break-In Analyzer – Quickly analyze auth.log, secure, utmp & wtmp logs for possible SSH break-in attempts
Recently, I encountered incident where several hosts been infected by < █████████ >. So, to investigate this incident, we received bunch of logs to be analyze; mostly Linux related logs.…
Carbon Black query for Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)
Carbon Black query that can be use to detect if any MSHTML RCE happened (probably need to be refined more): Search if any assets making connections towards IOCs (known IOCs…