Improving Malware Analysis Workflows by Modifying the default Ghidra UI.

Since my new book “Evasive Malware: Understanding Deceptive and Self-Defending Threats” pre-order just launched, I wanted to write up a quick summary of the book, including what youR…

A 2 part series on creating a basic EDR detection system and then a bypass implementation. In part one we cover how to create a basic EDR.

A PowerShell script that attempts to help malware analysts hide their VMware Windows VM's from malware that may be trying to evade analysis. - d4rksystem/VMwareCloak

The first-ever guide to analyzing malicious Windows software designed to avoid detection and forensic tools.

A PowerShell script that attempts to help malware analysts hide their Windows VirtualBox Windows VM's from malware that may be trying to evade analysis. Guaranteed to bring down your pafish...

Defences against Cobalt Strike. Contribute to MichaelKoczwara/Awesome-CobaltStrike-Defence development by creating an account on GitHub.

SentinelLabs sets off to dispel the myth that Go malware is hard to reverse engineer. This suite of IDApython scripts will set you well on your way

Get up to speed on state-of-the-art malware with this first-ever guide to analyzing malicious Windows software designed to actively avoid detection and forensic tools.We’re all aware of Stuxnet,...

I was recently analyzing a malware sample that abuses the Beep function as an interesting evasion tactic. The Beep function basically plays an audible tone notification for the user. The Beep funct…

A PowerShell script that attempts to help malware analysts hide their VMware Windows VM's from malware that may be trying to evade analysis. - d4rksystem/VMwareCloak

Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine - peasead/elastic-container

Sometimes I come across a tool that makes me stop and think what I have been doing all my life life without it. This is how I feel about hollows_hunter. Hollows_hunter is essentially a tool for aut…

Author: @d4rksystem It has been a while since I’ve touched a malicious RTF document and I’ve been itching to refresh my knowledge in this area. The tricky part was finding a maldoc wort…

A collection of tools Neil and Andy have been working on released in one place and interlinked with previous tools - LaresLLC/OffensiveSysAdmin

Modern malware has gotten better and better at detecting sandbox and analysis environments, and at evading these environments. Malware can circumvent defenses, sandboxes, and analysts by using vari…

I was investigating a malware sample that uses an interesting trick to circumvent sandboxes and endpoint defenses by simply deleting its zone identifier attribute. This led me on a tangent where I …

This post is about how to protect your identity and cover your tracks when conducting security investigations. The recommendations here are part of on operational security (opsec) approach, conduct...

Since my new book “Evasive Malware: Understanding Deceptive and Self-Defending Threats” pre-order just launched, I wanted to write up a quick summary of the book, including what youR…

A quick and dirty script to change the local username, hostname, and DNS name (domain) of the host. Designed for malware sandboxes :) - d4rksystem/hostname-changer

I was digging into a new version of Strela Stealer the other day and I figured it may help someone if I wrote a quick blog post about it. This post is not an in-depth analysis of the packer. ItR…

This is a quick post to outline a few ways to extract and identify useful strings for creating quality Yara rules. This post focuses on Windows executable files, but can be adapted to other files t…

Find out how to conduct malware analysis effectively from the team behind ANY.RUN, a leading malware analysis sandbox.

Get up to speed on state-of-the-art malware with this first-ever guide to analyzing malicious Windows software designed to actively avoid detection and forensic tools.We’re all aware of Stuxnet,...

Signature-based detection of malware features based on Windows API call sequences. It's like YARA for sandbox API traces! - 0x534a/dynmx

Get up to speed on state-of-the-art malware with this first-ever guide to analyzing malicious Windows software designed to actively avoid detection and forensic tools.We’re all aware of Stuxnet,...

A PowerShell script that attempts to help malware analysts hide their VMware Windows VM's from malware that may be trying to evade analysis. - d4rksystem/VMwareCloak

Reverse engineering Spybot's Terminator tool (Zemana Antimalware driver) to achieve LPE as SYSTEM and unrestricted raw SCSI disk read/write.

Understanding Internals of SmokeLoader

In this video, I show how to analyze a .doc malicious document using CyberChef only. This is possible, because the payload is a very long string that can be extracted without having to parse the st…

The following are a series of mini-tutorials that can help you get the most out of your YARA rules! Introduction YARA is an open-source tool used for identifying and classifying malware samples. It's...

Since my new book “Evasive Malware: Understanding Deceptive and Self-Defending Threats” pre-order just launched, I wanted to write up a quick summary of the book, including what youR…

Originating from the Bishop Fox team, Sliver is an open-source, cross-platform, and extensible C2 framework. It's written primarily in Go, making it fast, portable, and easy to customize. This...