{"version":1,"pages":[{"id":"-MQdiiuotTcxLNrwrInC","title":"Blog Overview","pathname":"/","siteSpaceId":"sitesp_ZnR2p","description":""},{"id":"-MQdjtBaS8zxrPz3bbPJ","title":"Cobalt Strike Staging and Extracting Configuration Information","pathname":"/cobaltstrike/extracting-config-from-cobaltstrike-stager-shellcode","siteSpaceId":"sitesp_ZnR2p","description":"This post covers how Cobalt Strike staging works, how to replicate a staging request to obtain beacon shellcode, and then how to extract the Cobalt Strike config from the shellcode.","breadcrumbs":[{"label":"CobaltStrike","emoji":"1f4a3"}]},{"id":"FTLGxMHGRWRxqyXPo4X9","title":"Fighting Back Against Cobalt Strike - Detection Ideas","pathname":"/cobaltstrike/fighting-back-against-cobalt-strike-detection-ideas","siteSpaceId":"sitesp_ZnR2p","description":"","breadcrumbs":[{"label":"CobaltStrike","emoji":"1f4a3"}]},{"id":"-MRv2psb7uhR92FAW-RC","title":"Tool-Less Extraction of IOCs from an Emotet Maldoc","pathname":"/malware-analysis/tool-less-extraction-of-iocs-from-an-emotet-maldoc","siteSpaceId":"sitesp_ZnR2p","description":"This blog post covers how to examine and extract the underlying payload from a recent Emotet delivery campaign. We will cover how to use basic dynamic analysis to quickly step over VBA obfuscation.","breadcrumbs":[{"label":"Malware Analysis","emoji":"1f52c"}]},{"id":"-MStEeqMyMFB25c5xD3X","title":"Extracting the Cobalt Strike Config from a TEARDROP Loader","pathname":"/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader","siteSpaceId":"sitesp_ZnR2p","description":"This blog post will cover how to use dynamic analysis to extract the underlying Cobalt Strike config from a recent TEARDROP sample.","breadcrumbs":[{"label":"Malware Analysis","emoji":"1f52c"}]},{"id":"-MRw46OwQz8AL7vc6NFO","title":"Shellcode Execution via EnumSystemLocalA","pathname":"/process-injection/shellcode-execution-via-enumsystemlocala","siteSpaceId":"sitesp_ZnR2p","description":"This post covers a shellcode execution technique that leverages the UuidFromStringA and EnumSystemLocalA APIs to load and execute shellcode.","breadcrumbs":[{"label":"Process Injection and Similar Topics","emoji":"1f489"}]},{"id":"-MVlhYxlBaI6fZoWY4bM","title":"Manually Implementing Inline Function Hooking","pathname":"/process-injection/manually-implementing-inline-function-hooking","siteSpaceId":"sitesp_ZnR2p","description":"This post covers the general process of implementing a simple inline function hook for an x86 Win32 API.","breadcrumbs":[{"label":"Process Injection and Similar Topics","emoji":"1f489"}]},{"id":"-MVrsNbJLYulJ2eXMhef","title":"Detecting Process Injection using Microsoft Detour Hooks","pathname":"/process-injection/detecting-process-injection-using-microsoft-detour-hooks","siteSpaceId":"sitesp_ZnR2p","description":"This blog post discusses using Microsoft Detours to add hooks for common APIs in an attempt to detect and prevent process injection.","breadcrumbs":[{"label":"Process Injection and Similar Topics","emoji":"1f489"}]},{"id":"-MYBlhx1CGQcNPEflTlz","title":"Detecting Parent Process Spoofing using KrabsETW","pathname":"/detection-experiments/detecting-parent-process-spoofing-using-krabsetw","siteSpaceId":"sitesp_ZnR2p","description":"This blog post covers how to build a simple PoC program that will use the KrabsETW library to subscribe to an ETW provider in order to detect parent process spoofing.","breadcrumbs":[{"label":"Detection Experiments","emoji":"1f50d"}]},{"id":"suZy0BDZtNHZ6wSVeRF8","title":"Chainsaw Tool - Search and Hunt Through Event Logs","pathname":"/detection-experiments/chainsaw-tool-search-and-hunt-through-event-logs","siteSpaceId":"sitesp_ZnR2p","description":"A few months ago I wrote a tool in my day job that helps analysts to search and hunt through Windows Event Logs. The relevant blog post and tool links are below.","breadcrumbs":[{"label":"Detection Experiments","emoji":"1f50d"}]},{"id":"tWeEpeyTTnQKaqeBiKYU","title":"Hunting for C3 Activity","pathname":"/detection-experiments/hunting-for-c3-activity","siteSpaceId":"sitesp_ZnR2p","breadcrumbs":[{"label":"Detection Experiments","emoji":"1f50d"}]},{"id":"qHGpKoABG0EkbPHttHYo","title":"Scaling Detection and Response Operations","pathname":"/high-level-blue-team-topics/scaling-detection-and-response-operations","siteSpaceId":"sitesp_ZnR2p","description":"A couple of blog posts that I wrote in my day job.","breadcrumbs":[{"label":"High Level Blue Team Topics","emoji":"1f4d8"}]}]}