malmoeb.bsky.social
@malmoeb.bsky.social
Head of Investigations at InfoGuard AG - dfir.ch
In the Metasploit Wrap-Up from last week, a new Python Site-Specific Hook Persistence module was released. [1]

I wrote a detailed blog about this persistence, which I think is pretty cool. [2] If you have never heard of this technique, you might want to read up on it.
January 13, 2026 at 5:47 PM
To quote my teammate Evgen Blohm (@ChaplinSec): "Shadow IT at its best."

He responded to an intrusion involving (successful) brute-force attempts from an unknown IP range. Yup, not just an unknown IP address or device, but an unknown IP range (Yikes). The customer later informed us:
January 9, 2026 at 9:45 AM
My teammate Asger Deleuran Strunk worked on a case where the TA tried to dump LSASS with procdump on a server, resulting in Defender blocking the attempt:
December 31, 2025 at 8:14 AM
This was an interesting alert, raised by an EDR:

Uncommon creation or access operation of sensitive shadow copy by a high-risk process

The process HoboCopy.exe created or accessed a sensitive Shadow Copy volume path.
December 30, 2025 at 8:55 AM
I recently thought about the different pop-ups I receive every day on my Mac, AND how malware does the same to trick people into entering their password, and I wondered if I could tell a legitimate prompt from a malicious one. I found a good article, depicting exactly this topic:
December 28, 2025 at 9:18 AM
As last time, the TA brought infected files into the compromised network, helping spread the infection. The file and registry paths have not changed in our case and are still the same as in my old X post.
December 27, 2025 at 8:13 AM
Companies frequently approach us to discuss their security posture, playbooks, architecture, etc., but I wonder how many of them also regularly check basic configuration settings? An example from a recent case:
December 26, 2025 at 1:48 PM
During a recent engagement, we reviewed the collected AutoRuns data from all endpoints on the network. In that dataset, we identified the following scheduled task:

Name: 523135538
Command Line: C:\programdata\cp49s\pythonw.exe
December 25, 2025 at 9:01 AM
My team colleague, Yann Malherbe, worked on a case where the attacker used Everything [1] (locate files and folders by name instantly) to search for password files on the beachhead.
December 14, 2025 at 7:18 AM
The picture below depicts a (malicious) Inbox Rule. I slightly modified this Inbox Rule to protect our customer, but the gist is that it filters incoming mail from a specific bank employee, moves it to the RSS Folder, and marks it as read.
December 13, 2025 at 9:39 AM
For a new project, I started to dig into older threat reports, like for example, "The ProjectSauron APT" from 2016. [1]

The interesting thing about these old reports is that you see techniques mentioned before that are still used 10 years later.
December 12, 2025 at 9:15 AM
We are familiar with eMClient and axios, so let me introduce Trufflehog, the new kid on the block.

Trufflehog made headlines during the recent "Shai-Hulud" campaign, in which threat actors used it to search for passwords and sensitive information. [1] According to the Trufflehog GitHub page:
December 11, 2025 at 6:08 AM
I was playing around with bincrypter from THC (The Hackers Choice) [1]. The interesting points, as you can see in the screenshot below, are that the binary is encrypted, obfuscated, and 100% in memory. No temporary files, etc.
December 7, 2025 at 10:20 AM
Look at my tweet from February 2022. As simple as putting NG into the country field.

Guess what I found in this week's Business E-Mail Compromise? Successful logins from NG. Oh well...
November 30, 2025 at 4:47 PM
Reading a report from a recent Incident Response case from my teammate, Asger Strunk.

"It was observed that an unknown hostname “DESKTOP-LDIG48N” from the VPN DHCP IP address 192.168.128.149 made multiple failed login attempts using the username “admin” against various hosts within the network."
November 26, 2025 at 6:29 PM
I was reading an older report from CrowdStrike the other day:

"CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords." [1]
November 25, 2025 at 9:40 AM
A customer sent malware over. The file magic was CART... What's that? Turns out, something pretty cool.

"This is where CaRT (which stands for Compressed and RC4 Transport) comes in. CaRT is used to store and transfer malware, as well as its metadata.
November 24, 2025 at 3:23 PM
I analyzed and recreated (a simpler version of) a PHP backdoor we detected in a recent Incident Response engagement. I used the backdoor to install an RMM agent on the compromised machine; the installed EDR did not raise a single alert.
November 17, 2025 at 8:09 AM
I love reading Incident Response reports from my colleagues. This one here from Matthieu Chatelan:

"Note that over 1700 lines (of risky sign-ins) were generated for this user account over the last 3 months.
November 15, 2025 at 8:33 AM
Craig Rowland never disappoints 🥇

He is showing us cool tricks for finding inconsistencies in the output from different Linux commands, pointing to an active Kernel rootkit.
November 14, 2025 at 1:10 PM
This is wild. From a recent IR engagement led by my teammate Florian Scheiber:

"The investigation showed that the attacker first compromised the Administrator’s personal Gmail account, redacted@gmail.com. Those credentials appeared in a combolist leaked on 2 June 2025.
November 14, 2025 at 9:49 AM
taskhostw.exe writes a PE file (see the classic TVqQAAMAAAA sequence there) inside the UCPD\DR registry key?

Microsoft implemented a driver-based protection to block changes to http/https and .pdf associations by 3rd party utilities, the so-called UCPD driver (UserChoice Protection Driver).
November 12, 2025 at 5:33 PM
This slide also didn't make the cut. Yes, anyone who has spent more than five minutes on a Hack The Box machine will know pspy, but what about my blue-team colleagues?
November 11, 2025 at 7:53 AM
The following slide hasn't made it into my "Fantastic cleartext password" talk; however, it's still a good one to share 🤓

"This simple tool logs usernames and passwords from authentication attempts against an OpenSSH server you control.
November 10, 2025 at 2:37 PM
Two of my teammates published artifacts on the Velociraptor Exchange this week 💪

Yann Malherbe released several VHDX artifacts, as described in his detailed blog post. [1]
November 8, 2025 at 9:49 AM