Tony Lambert

Analyzing an IcedID Loader Document

In this post I’m going to walk through an analysis of a malicious document that distributes and executes an IcedID DLL payload. The original document can be found on MalwareBazaar here: https://ba...

Analyzing a Log4Shell log4j Exploit from Muhstik

In this post I set out to analyze a simple chunk of Log4Shell log4j exploit code to see how it works. Finding the Exploit: I wasn’t running a honeypot or anything, I just figured I could rustle ar...

Smarter, Not Harder: Getting Malware to Help You Analyze It

When analyzing even non-advanced malware nowadays it’s common to find pretty heavy levels of obfuscation within samples. PowerShell and .NET malware for Windows can be obfuscated easily using vario...

Getting PE Rich Header Hashes with pefile in Python

If you’ve performed Windows malware analysis using Python tools, you’ve almost certainly worked with the Python pefile library. This library allows analysts to parse, manipulate, and dump informati...

Extracting Malicious Payloads from SFX Self-Extracting Installers

Self-extracting installers are an awesome way to distribute software because they require very little overhead and minimal configuration. Because of this, some malware threats use these SFX files t...

Analyzing an Empire macOS PKG Stager

Command and control (C2) frameworks often support multiple platforms, and PowerShell Empire is no different. In older days, there was a Python Empyre version that eventually merged into the full Em...

How Qbot Uses Esentutl

A colleague asked me a question today about the relationship between Qbot and a Windows system utility: esentutl.exe. It’s been sparsely documented via tweet, and I want to more fully explain why Q...

Linux EDR Evasion With Meterpreter and LD_PRELOAD

Everyone has their favorite adversary technique to research and mine is LD_PRELOAD process injection because it’s pretty versatile. It lets you hook functions to manipulate output, and it can also ...

Exploiting Yum and DNF Plugins for Persistence

Two Metasploit Framework modules have held my interest in the last few weeks: the ones for persistence using Linux package managers apt and Yum. While they require root privileges to exploit, they ...

When Local Password Resets Aren't Local

When You Reset a Domain Administrator Instead of Local: During an IR engagement, one of my colleagues identified malicious activity where an adversary reset the password for a local administrator a...