malmoeb.bsky.social
@malmoeb.bsky.social
Head of Investigations at InfoGuard AG - dfir.ch
taskhostw.exe writes a PE file (see the classic TVqQAAMAAAA sequence there) inside the UCPD\DR registry key?

Microsoft implemented a driver-based protection to block changes to http/https and .pdf associations by third-party utilities, the so-called UCPD driver (UserChoice Protection Driver).
November 12, 2025 at 5:33 PM
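Added example (not code from the post, and not part of UCPD or any Microsoft tool): a small triage routine for the "TVqQ…" observation above. Base64 of any byte string beginning with "MZ" starts with "TV" followed by one of o/p/q/r, so the prefix check is broader than the exact "TVqQAAMAAAA" string; the routine then decodes the value, follows e_lfanew and confirms the "PE\0\0" signature before calling it an executable. The registry value names and the PE-shaped blob are constructed here and do not reproduce the contents of the UCPD\DR key.

```python
import base64
import binascii
import re
import struct

# Base64 of "MZx" always starts with "TV"; the third character carries the low
# nibble of 0x5A plus the top two bits of the next byte, so it is one of o/p/q/r.
# "TVqQ" (MZ\x90) and "TVoA" (MZ\x00) are therefore both caught.
B64_MZ_PREFIX = re.compile(r"^TV[opqr]")

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64", 0x1C0: "ARM"}


def analyse_value(data: str) -> dict:
    """Decide whether a base64 string holds a PE image and return a small triage record."""
    s = re.sub(r"\s+", "", data)
    if not B64_MZ_PREFIX.match(s):
        return {"pe": False, "reason": "no base64 MZ prefix"}
    s += "=" * (-len(s) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return {"pe": False, "reason": "not valid base64"}
    if len(raw) < 0x40:
        return {"pe": False, "reason": "shorter than a DOS header"}
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    if e_lfanew + 8 > len(raw) or raw[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"pe": False, "reason": "MZ header but no PE signature at e_lfanew"}
    machine, sections = struct.unpack_from("<HH", raw, e_lfanew + 4)
    return {"pe": True, "machine": MACHINES.get(machine, hex(machine)),
            "sections": sections, "size": len(raw)}


def scan_values(values: dict) -> dict:
    """Run the triage over {value_name: base64_string}; one record per value."""
    return {name: analyse_value(data) for name, data in values.items()}


# --- Constructed sample data (not taken from the post or from a real system) ---
def _fake_pe() -> bytes:
    """Minimal PE-shaped blob: DOS header with e_lfanew=0x40, then PE\\0\\0, Machine, NumberOfSections."""
    dos = bytearray(0x40)
    dos[0:8] = b"MZ\x90\x00\x03\x00\x00\x00"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    nt = b"PE\x00\x00" + struct.pack("<HH", 0x8664, 3)
    return bytes(dos) + nt + b"\x00" * 32


SAMPLE_VALUES = {
    # hypothetical value names under the key the post refers to
    "DR\\Stage1": base64.b64encode(_fake_pe()).decode(),
    "DR\\Note": base64.b64encode(b"Just some text, stored as base64").decode(),
    "DR\\MzOnly": base64.b64encode(b"MZ\x00" + b"\x00" * 70).decode(),
}

if __name__ == "__main__":
    for name, verdict in scan_values(SAMPLE_VALUES).items():
        print(f"{name:12} {verdict}")
```

The prefix check alone is what you would put in a hunting query; the decode-and-validate step is what keeps a base64 text blob that happens to start with "TV" from turning into a false positive.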
This slide also didn't make the cut. Yes, anyone who has spent more than five minutes on a Hack The Box machine will know pspy, but what about my blue-team colleagues?
November 11, 2025 at 7:53 AM
The following slide hasn't made it into my "Fantastic cleartext password" talk, however, it's still a good one to share 🤓

"This simple tool logs usernames and passwords from authentication attempts against an OpenSSH server you control.
November 10, 2025 at 2:37 PM
Dropping ngrok in a ZIP file onto disk results in the file being removed and an alert being raised, but installing ngrok via winget works just fine? 🤔🤷‍♂️
November 2, 2025 at 7:12 PM
This one here is a goodie! A customer called us because they had several incidents where the system time "magically" jumped days, sometimes even months, back and forth (see screenshot). You can imagine the issues inflicted by this behavior. So the question was: Cyber? Attacker? Misconfiguration?
November 1, 2025 at 12:56 PM
Coming back to Maester! Do you know about the awesome Conditional Access What-If tests? [1]

The first image is from the official documentation and shows how easily you can build your own test scenario. The second image shows the results from a tenant where I ran the test.
October 24, 2025 at 8:22 AM
What is Maester? [1]

Maester is a PowerShell-based test automation framework that helps you stay in control of your Microsoft security configuration. Such a cool tool - test details can be filtered by passed, failed, and skipped. Failed tests come with detailed recommendations on how to do better.
October 23, 2025 at 6:14 AM
Lately, I’ve talked about (alternative) forensic artifacts where the retention time might be higher than your classical Security Event Logs, or might not be the first artifact to be deleted in an "anti-forensics" operation by a threat actor.
October 21, 2025 at 5:58 AM
In various business email compromise (BEC) cases, we later discovered that although the customer had set up a conditional access (CA) policy to enforce multi-factor authentication, mistakes had been made during the implementation of said policies.
October 20, 2025 at 6:18 AM
Second story from a recent coffee break with my pentest colleague. During a retest for a client, they discovered the same ESC1 vulnerability they had reported before. Why is that dangerous and also super critical?
October 18, 2025 at 6:46 AM
1/ Coffee break with one of our pentesters. He casually mentioned to me, "The last attack simulation was pretty cool. We used gowitness (a website screenshot utility written in Golang, to generate screenshots of web interfaces) to find internal services [1].
October 17, 2025 at 6:45 AM
1/ During a recent engagement, the customer provided us with access to their extensive data collection in Splunk. One thing I checked was Sysmon's Event ID 13 (Registry - Value Set) for modifications to various keys used for credential stealing (NetworkProvider, Notification Packages and Security Packages).
October 16, 2025 at 8:52 AM
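Added example (not code from the post, and not from Sysmon or Splunk): the same Event ID 13 check run offline over Sysmon-shaped XML events. The matching is on the tail of TargetObject, so it catches CurrentControlSet as well as ControlSet00x paths, and it reports the writing image and the new value so an analyst can compare it with a known-good baseline. The four events are constructed; field names follow Sysmon's EventData schema, but the values (images, paths, the rendering of the multi-string Details field) are invented for the demo.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Registry locations that cause a DLL to be loaded into LSASS or the logon path.
WATCHED_KEYS = [
    (re.compile(r"\\Control\\Lsa\\Notification Packages$", re.I),
     "LSA notification package (password filter DLL)"),
    (re.compile(r"\\Control\\Lsa\\Security Packages$", re.I),
     "LSA security package (SSP DLL)"),
    (re.compile(r"\\Control\\Lsa\\OSConfig\\Security Packages$", re.I),
     "LSA security package (SSP DLL, OSConfig)"),
    (re.compile(r"\\Services\\[^\\]+\\NetworkProvider\\ProviderPath$", re.I),
     "Network provider DLL"),
    (re.compile(r"\\Control\\NetworkProvider\\Order\\ProviderOrder$", re.I),
     "Network provider order"),
]


def parse_event(xml_text: str) -> dict:
    """Flatten a Sysmon event into {'EventID': int, <Data Name>: <value>, ...}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def check_event(ev: dict):
    """Return a finding for an Event ID 13 write to a watched key, else None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    for pattern, label in WATCHED_KEYS:
        if pattern.search(target):
            return {"label": label, "time": ev.get("UtcTime"), "image": ev.get("Image"),
                    "target": target, "details": ev.get("Details")}
    return None


def hunt(events):
    """Parse and check a list of raw event XML strings; return the findings in order."""
    return [f for f in (check_event(parse_event(x)) for x in events) if f]


# --- Constructed sample events (values are invented, not from a real host) ---
def _sysmon_xml(event_id: int, data: dict) -> str:
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [
    _sysmon_xml(13, {"EventType": "SetValue", "UtcTime": "2025-10-15 09:12:44.101",
                     "Image": r"C:\Windows\System32\reg.exe",
                     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
                     "Details": "scecli rassfm mimilib"}),  # rendering of REG_MULTI_SZ is constructed
    _sysmon_xml(13, {"EventType": "SetValue", "UtcTime": "2025-10-15 09:13:02.877",
                     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "TargetObject": r"HKLM\System\ControlSet001\Services\NPProvider\NetworkProvider\ProviderPath",
                     "Details": r"C:\ProgramData\npp.dll"}),
    _sysmon_xml(13, {"EventType": "SetValue", "UtcTime": "2025-10-15 09:14:10.003",
                     "Image": r"C:\Windows\explorer.exe",
                     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                     "Details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"}),
    _sysmon_xml(1, {"UtcTime": "2025-10-15 09:15:00.000", "Image": r"C:\Windows\System32\reg.exe",
                    "CommandLine": "reg query HKLM"}),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["time"], f["label"], "|", f["image"], "->", f["details"])
```

The Run-key write and the Event ID 1 record fall through as intended; what remains is the short list of registry writes that deserve a look at the DLL path and the writing process.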
1/ Love that Minesweeper reference here :) They tried hard to blend in; however, certain metadata about a file is baked into the PE header. Attackers can rename binaries all they want, but fields like original_file_name or inconsistencies in headers often give them away.
September 28, 2025 at 7:47 AM
1/ In today's BEC (Business E-Mail Compromise) case, I stumbled (again) over the "Set-MailboxJunkEmailConfiguration" operation. I talked about it a while back. [1]

The attacker also created a new Inbox rule for moving incoming emails for target personnel to a designated folder.
September 27, 2025 at 7:43 AM
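Added example (not code from the post, and not a Microsoft tool): a triage pass over exported Unified Audit Log records that picks out the two operations mentioned above, Set-MailboxJunkEmailConfiguration with a changed blocked-senders list and New-InboxRule/Set-InboxRule with filter, move, delete or forward parameters. The records are constructed; their shape (an AuditData object with a Parameters list of Name/Value pairs) follows what Search-UnifiedAuditLog exports, but the users, IP (TEST-NET-3) and values are invented.

```python
import json

# Inbox-rule parameters that, combined with a subject/body/sender filter, are the
# classic BEC pattern: hide or divert mail about the fraud from the mailbox owner.
SUSPICIOUS_RULE_PARAMS = {
    "MoveToFolder", "DeleteMessage", "MarkAsRead", "SubjectContainsWords",
    "BodyContainsWords", "FromAddressContainsWords", "ForwardTo", "RedirectTo",
}


def params(record: dict) -> dict:
    """Turn the Parameters list of {Name, Value} objects into a plain dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def triage(record: dict):
    """Return a finding for the two operations of interest, else None."""
    op = record.get("Operation")
    p = params(record)
    base = {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "ip": record.get("ClientIP"), "op": op}
    if op == "Set-MailboxJunkEmailConfiguration" and p.get("BlockedSendersAndDomains"):
        return {**base, "why": "blocked senders changed", "blocked": p["BlockedSendersAndDomains"]}
    if op in ("New-InboxRule", "Set-InboxRule"):
        hits = sorted(k for k in p if k in SUSPICIOUS_RULE_PARAMS)
        if hits:
            return {**base, "why": "inbox rule filters/moves/deletes/forwards mail",
                    "name": p.get("Name"), "params": {k: p[k] for k in hits}}
    return None


def triage_log(lines):
    """lines: one AuditData JSON document per line (as exported from the UAL)."""
    return [f for f in (triage(json.loads(line)) for line in lines) if f]


# --- Constructed sample records (not from a real tenant) ---
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2025-09-26T06:41:03", "Operation": "Set-MailboxJunkEmailConfiguration",
                "UserId": "finance@contoso.example", "ClientIP": "203.0.113.77",
                "Parameters": [{"Name": "Identity", "Value": "finance@contoso.example"},
                               {"Name": "BlockedSendersAndDomains",
                                "Value": "ceo@contoso.example;it-support@contoso.example"}]}),
    json.dumps({"CreationTime": "2025-09-26T06:42:51", "Operation": "New-InboxRule",
                "UserId": "finance@contoso.example", "ClientIP": "203.0.113.77",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-09-26T07:05:00", "Operation": "Set-Mailbox",
                "UserId": "admin@contoso.example", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Identity", "Value": "finance@contoso.example"},
                               {"Name": "AuditEnabled", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-09-26T07:30:12", "Operation": "Set-MailboxJunkEmailConfiguration",
                "UserId": "jdoe@contoso.example", "ClientIP": "198.51.100.23",
                "Parameters": [{"Name": "Identity", "Value": "jdoe@contoso.example"},
                               {"Name": "Enabled", "Value": "True"}]}),
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_AUDITDATA):
        print(f["time"], f["user"], f["ip"], f["op"], "|", f["why"])
```

A junk-mail configuration change that only toggles Enabled is left alone; it is the blocked-senders list, typically filled with the victim's own colleagues, that matters in a BEC timeline, and the rule name "." is the kind of detail worth keeping in the finding.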
1/ My first keynote will be about how we spend billions on (cyber) security but remain insecure. I'll use a recent case as an example, which my colleague Asger Deleuran Strunk investigated:
September 26, 2025 at 10:27 AM
1/ Mandiant mentioned the User Access Logs in their newest report [1]. We use the UAL extensively in our investigations, as this artifact can retain logs for a longer period of time, as outlined by Mandiant (and also covered in my Anti-Forensics presentation).
September 25, 2025 at 10:18 AM
1/ PingCastle now highlights when no policy is in place to prevent scripting files (such as .js) from being executed via double-click.
September 21, 2025 at 11:06 AM
3/ And indeed, a quick check on Bazaar showed no hits for the file ending .pif. Process starts from a ".pif" file might be a good indicator for hunting/detection 🕵️‍♂️

[1] threatresearch.ext.hp.com/wp-content/u...
September 20, 2025 at 7:37 AM
1/ XWorm, as described in the latest HP Wolf Security report [1], goes to great lengths to evade security products.

.chm file, VBScript, PowerShell, batch file, JavaScript, PowerShell, Steganography (the data from the image is used to reflectively load a .NET assembly).. 😮
September 19, 2025 at 4:48 PM
1/ Not all web browsers support the passkey (FIDO2) authentication method with Microsoft Entra ID. For instance, FIDO is not supported when using Safari on Windows.
August 18, 2025 at 8:20 AM
1/ ASEC has recently discovered the massive distribution of SmartLoader malware through GitHub repositories.

Upon searching for keywords such as game hacks, software crack, and automation tool,
August 17, 2025 at 7:11 PM
1/ Remove discoverable passwords in Active Directory account attributes

A nice feature of Microsoft Defender for Identity is its ability to detect potential credential exposure in Active Directory by analyzing commonly used free-text attributes.
August 15, 2025 at 11:49 AM
3/ I was not sure if AutoRuns would cover this persistence, so I quickly tested it on a lab machine, and hooray, it is 🤓🥳

Full blog post here:
ics-cert.kaspersky.com/publications...
August 8, 2025 at 6:52 AM
1/ Coming back to the Defender Portal. Malicious File? OMG 😱 Nope. Don't panic.

What you see in the "Additional information" is exactly that, additional information. LNK files can be used by adversaries to execute code, as outlined in the corresponding MITRE technique [1].
August 5, 2025 at 2:47 PM
1/ Do your Incident Response team a favour: If you are using the Defender Portal and sending screenshots, please set your timezone within your account to UTC.

The following (redacted) image was sent to me yesterday by a client.
August 5, 2025 at 6:15 AM