hexacorn.bsky.social
Red Brain, Blue Fingers Malware Analysis, Reverse Engineering, Threat Hunting, Detection Engineering, DFIR, Security Research, Programming, Curiosities, Software Archaeology, Puzzles, Bad dad jokes https://www.hexacorn.com/blog/ [email protected]

Clever carding page: hxxps://gov[.]comsitebab[.]life/gov. When you visit from the desktop, it's just a regular website (although compromised); when you visit from a smartphone, you get a fake gov website that harvests your CC details.

Did you know Windows has a built-in RAM disk? And not just your regular RAM disk. It's pmem/nvdimm, via the built-in scmbus.sys facility! That means you can make a 🦆🦆🦆 #dax volume, so data/image mappings (section views) will use the "drive" directly! No data persistence, no w10; only ws2022/w11+. EZ 📀 create:

VMwareResolutionSet.exe VMwareResolutionSet.dll lolbin www.hexacorn.com/blog/2025/06...

wermgr.exe boot offdmpsvc.dll lolbin www.hexacorn.com/blog/2025/06... #lolbin

wpr.exe boottrace phantom dll axeonoffhelper.dll lolbin www.hexacorn.com/blog/2025/06... #lolbin

#HuntingTipOfTheDay: Services can provide persistence. Looking for changes to their commands is common, but the lesser known Environment setting is often overlooked. It could result in stealthy DLL hijacking. Inspect any paths referenced for suspicious files.

New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!

While investigating a compromised network, we found suspicious PowerShell code that ran on a domain controller. The script downloaded a file called chrome_installer.exe and installed it. We checked the file and found it was signed by Google, so it’s a genuine Chrome installer.

mscoree.dll, RunDll32ShimW lolbin www.hexacorn.com/blog/2025/05...

youtu.be/5PCU48nqAIw?... Start at 10:20 of the cross-questioning of the expert on their CV and credentials in the Karen Read trial. Shanon Burgess. #DFIR

Shell32.dll, #44 lolbin www.hexacorn.com/blog/2025/05...

We are VERY excited to announce that Volatility 3 has now reached feature parity with Volatility 2! With this parity release, Volatility 2 is now deprecated. Full details in the blog post linked below.

Heard of #ContextJail? It's a nasty new technique: puts the target thread into a ⓪ deadloop, for as long as you can afford. Requires the THREAD_GET_CONTEXT right. The gist? Just spam NtGetContextThread(tgt). 😸 The target will be jailed, running nt!PspGetSetContextSpecialApc 🔍. Src & binary in [ALT]. Use cases: ⬇️

Glad Skype data deletion works

Minority (forensic) report aka defending forward w/o hacking back www.hexacorn.com/blog/2025/05... #dfir

AI worms in the making ;) www.cmdzero.io/blog-posts/i...

Every once in a while I get a blast from the past. Yesterday someone thanked me for creating Dexray - a perl script that decrypts many quarantine files created by security solutions. Since it is an obsolete tool today, it was totally surprising/unexpected, but it also made my day. Thank you!

2025 - the first April Fool's Year, hence April Fool's Day should reverse its meaning.

Malware Source code string extraction www.hexacorn.com/blog/2025/03...

1/ Section two of my Tear Down The Castle series is about highly privileged service accounts. [1] The screenshot below is from an Incident Response engagement we worked on recently. Yes, you guessed right, one of the service accounts has fallen, along with the whole domain.

Someone has done an excellent job collecting RATs and documenting them by version. They also included images. A+ work. This is amazing (we're going to ingest this eventually) github.com/Cryakl/Ultim...

A small demo/tutorial on unpacking executables with #PEsieve and #TinyTracer: hshrzd.wordpress.com/2025/03/22/u... - automatic OEP finding, reconstructing IAT, avoiding antidebugs and fixing imports broken by shims

THIS WEBSITE HAS BEEN SEIZED. Discover domains tied to sinkhole NS servers at sinkholed.github.io. Filter by TLD or NS, export in JSON/CSV, weekly update! Search for the known sinkhole Name Servers in DNS query logs and web access to the sinkholed domains to identify potentially compromised hosts!

Hunting for the warez & other dodgy stuff people install / download, part 2 www.hexacorn.com/blog/2025/03...

Just came back from the US, finally saw my first Cybertruck -- this thing should not be on the road for a simple reason (among many more): this is the ugliest 'car' ever created.

I wanted a script I could run on a new Windows box that would install sysmon with @olafhartong.nl's configs, and set logging best practices with Zach Mathis' (Yamato Security) "EnableWindowsLogSettings" configs. So I made one! Feel free to inspect it and repurpose. gist.github.com/ecapuano/42f...

Hunting for the warez & other dodgy stuff people install / download, part 1 www.hexacorn.com/blog/2025/03...

New blog post: Today I Learned - Protected Symlinks dfir.ch/posts/today_... The protected_symlinks setting within the Linux Kernel helps prevent TOCTOU (time-of-check-time-of-use) vulnerabilities in privileged processes.

"In this blogpost, we introduce TSforge, one of our most powerful activation exploits ever. Capable of activating every edition of every version of Windows since Windows 7, as well as every Windows addon and Office version since Office 2013" 👀👀👀👀👀 massgrave.dev/blog/tsforge

#ESETresearch has released DelphiHelper, a plugin for #IDAPro that aids in analyzing Delphi binaries. Check it out on ESET’s GitHub: github.com/eset/DelphiH.... Proud to be recognized among the notable submissions of the 2024 x.com/HexRaysSA Plugin Contest: hex-rays.com/blog/2024-pl...