malmoeb.bsky.social
@malmoeb.bsky.social
Head of Investigations at InfoGuard AG - dfir.ch
"This feature uses a registry key to load a kind of pattern update for the driver. It can include a DenyList, AllowList, and other content that extends the driver’s functionality.

With this, Microsoft can block unwanted apps from modifying protected registry keys, basically on the fly – no driver update or reboot needed!" [1]

That pattern update apparently comes in the form of a PE file. And suuurprise, EDRs are picking up that behaviour (i.e., writing a PE file to a registry key) as malicious. 🤷‍♂️

[1] kolbi.cz/blog/2025/07...
November 12, 2025 at 5:33 PM
pspy is an amazing tool, and if you're interested in how 0xdf used it to solve some boxes, here's the link to his website:
0xdf.gitlab.io/tags#pspy

As shown on the slide below, it's a great tool for demonstrating to your co-workers why passing secrets as command-line arguments is a bad idea. 🤓
November 11, 2025 at 7:53 AM
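The reason pspy can show secrets passed on the command line is that /proc/<pid>/cmdline is readable by every local user by default. The following added example (not pspy's code, and not from the post's author) parses that NUL-separated format the way pspy and ps do, flags arguments that look like credentials, and scans the live /proc tree on Linux. The option names, the sshpass/mysql special cases, and the sample command lines are assumptions of this example.

```python
"""Show why command-line secrets leak: /proc/<pid>/cmdline is world-readable.

Added example, not pspy's code. The credential-option list and the
sshpass/mysql special cases are assumptions made for illustration.
"""
import os
import re
from typing import List, Tuple

# Long options whose value is usually a credential (assumption of this example).
SECRET_OPT_RE = re.compile(
    r"^(--?(?:password|passwd|pass|pw|token|secret|api[-_]?key))(?:=(.*))?$", re.I
)
# Tools whose short -p option carries a password (assumption): sshpass takes
# it as a separate argument, mysql-family clients take it attached (-pSECRET).
SEPARATE_P = {"sshpass"}
ATTACHED_P = {"mysql", "mysqldump", "mariadb"}


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is argv joined by NUL bytes, with a trailing NUL."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_secret_args(argv: List[str]) -> List[Tuple[str, str]]:
    """Return (flag, value) pairs that look like credentials on the command line."""
    hits: List[Tuple[str, str]] = []
    if not argv:
        return hits
    prog = os.path.basename(argv[0])
    i = 1
    while i < len(argv):
        arg = argv[i]
        m = SECRET_OPT_RE.match(arg)
        if m:
            if m.group(2) is not None:            # --password=VALUE
                hits.append((m.group(1), m.group(2)))
            elif i + 1 < len(argv):                # --password VALUE
                hits.append((m.group(1), argv[i + 1]))
                i += 1
        elif arg == "-p" and prog in SEPARATE_P and i + 1 < len(argv):
            hits.append(("-p", argv[i + 1]))       # sshpass -p VALUE
            i += 1
        elif arg.startswith("-p") and len(arg) > 2 and prog in ATTACHED_P:
            hits.append(("-p", arg[2:]))           # mysql -pVALUE (a bare -p prompts)
        i += 1
    return hits


def scan_proc(proc: str = "/proc") -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Read every /proc/<pid>/cmdline an unprivileged user can open (Linux only;
    returns [] where the directory does not exist) and report credential-looking args."""
    found: List[Tuple[int, List[Tuple[str, str]]]] = []
    if not os.path.isdir(proc):
        return found
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited, or /proc is mounted with hidepid
        hits = find_secret_args(argv)
        if hits:
            found.append((int(name), hits))
    return found


if __name__ == "__main__":
    # Constructed sample in the exact on-disk format, then a live scan.
    sample = b"sshpass\0-p\0Hunter2!\0ssh\0root@10.0.0.5\0"
    print(find_secret_args(parse_cmdline(sample)))
    for pid, hits in scan_proc():
        print(pid, hits)
```

Run it as a normal user while, say, `sshpass -p ... ssh ...` or `mysql -pSECRET` is running in another terminal and the value shows up without any privilege at all; `ps -ef` reveals the same thing. Mounting /proc with `hidepid=2` hides other users' processes from the scan but does not help against root or against the user who launched the process, so the fix is to pass secrets via files, environment variables read at startup, or a credential helper rather than argv.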
"It demonstrates how easy it can be for an attacker to obtain credentials in cleartext after compromising a host that is running SSH with password authentication instead of private keys, facilitating lateral movement within a network." [1]

On the slide, we see that ssh-graber is using strace under the hood to fetch the hex-encoded password. [2] Decoded back with CyberChef, we see my root password in cleartext (don't worry - I changed it 😋).

And yes - before somebody asks, you must be root to "grab" passwords. And no, that's not the only goal of an attacker, because you could breach an edge device, sniff (ssh) passwords, and use those passwords to move laterally to other servers.

Key-based authentication might reduce the risk here, but be careful to always set a passphrase on the private key(s).

[1] github.com/braindead-se...
[2] dfir.ch/posts/strace/
November 10, 2025 at 2:37 PM
Matthew Green continues rocking here at InfoGuard by publishing the Windows.Detection.HyperV artifact, designed to “scope suspicious Hyper-V worker processes and activity on Windows workstations.” [2]

Well done! 👏 Thank you both 🥇
November 8, 2025 at 9:49 AM
If you have never heard of Secure Time Seeding, you might want to read the article on Ars Technica. It might save your day eventually. [1]

Microsoft introduced the time-keeping feature in 2016 as a way to ensure that system clocks were accurate.

Windows systems with clocks set to the wrong time can cause disastrous errors when they can’t properly parse timestamps in digital certificates or they execute jobs too early, too late, or out of the prescribed order.

“You may ask - why doesn’t the device ask the nearest time server for the current time over the network?” Microsoft engineers wrote. “Since the device is not in a state to communicate securely over the network, it cannot obtain time securely over the network as well, unless you choose to ignore network security or at least punch some holes into it by making exceptions.”

To avoid making security exceptions, Secure Time Seeding sets the time based on data inside an SSL handshake the machine makes with remote servers.

Despite the checks and balances built into STS to ensure it provides accurate time estimates, the time jumps indicate the feature sometimes makes wild guesses that are off by days, weeks, months, or even years.

🤯

You can turn this feature off, as our client did. [2]

[1] arstechnica.com/security/202...
[2] learn.microsoft.com/en-us/window...
November 1, 2025 at 12:56 PM
My teammate Evgen Blohm analyzed a ransomware incident in which the threat actor used rclone to exfiltrate data from the network. Detected by Defender: behavior:process: C:\PerfLogs\rclone.exe.

Unfortunately, nobody paid attention to this alert. I just checked our customer alert database, and this detection was not present in the last few months, but it was raised in several of our IR cases. I consider this alert critical and recommend responding to it immediately once it is raised.
October 31, 2025 at 10:07 AM