Axelarator's Blog

This research was originally conducted in 2022. An eternity I know. When looking at my notes preparing to add them to this blog, they were lacking a lot of context and in-depth details of what the analysis was revealing. I also hadn't investigated an OLE file in a

When looking for suspicious network connectivity, it's important to understand what other services might be running on the destination IP. It could be a harmless Python server with an open directory hosting files but additional analysis revealed it's running Empire at the same time. That open

EDR bypassing has become a technique of choice for threat actors and has enabled a market of tools being sold on cybercrime forums: * Unit42 uncovered a variant of EDRSandBlast being sold on XSS and Exploit. * CheckPoint Research uncovered the use of a vulnerable driver, Truesight.sys, which evaded the Microsoft

There's a never ending list of homelab projects, ways to build one, hardware requirements, goals for running one, single server or 24U rack, the list goes on. I started my journey long ago when I thought VirtualBox and an external HDD was all I needed. Fast forward to

This PoC provided by Elastic is about LNK Stomping. Currently Microsoft has not provided a CVE for this method; however, they did release CVE-2024-38212, a MotW bypass vulnerability, but only included SmartScreen, not Smart App Control (SAC). As this testing is done on Windows 10 with build number 19045, I

Cyber Threat Intelligence is about communicating the latest information on threat actors and incidents to organizations in a timely manner. Analysis in these areas allows an organization to maintain situational awareness of the current threat landscape, organizational impacts, and threat actor motives. The level of information that needs to be

Overview For a long time now, I’ve been using Censys/Shodan and DomainTools to look up hosts, attempt to correlate infrastructure to find overlaps and potentially attribute to C2s and other malicious hosts. There are so many data points to look at like JARM signatures, certificate data including historical

Discovered in 2019, Mozi is a P2P botnet using the DHT protocol that spreads via Telnet with weak passwords and known exploits. Evolved from the source code of several known malware families; Gafgyt, Mirai and IoT Reaper, Mozi is capable of DDoS attacks, data exfiltration and command or payload execution.

Authenticode Signature The point of code signing certificates is to verify the file came from a trusted source, the file was not tampered with prior to receiving it, and the file’s origin can be validated. Code signing creates a hash of the code and encrypts it with a private

This is a quick guide to Identify Service * Use OSINT to determine the provider and region your target is located in. * Shodan for example has a cloud.region filter that lists what region the IP is located in. Some examples: * GCP: us-central1 * Azure: northeurope * AWS: us-east-1 * Download corresponding IP ranges

This idea came from a combination of an Intezer guide on building a honeypot and a Sysdig article on triaging malicious Docker containers. I decided to test it myself and stood up an EC2 instance running Ubuntu Server 18.04 w/ Docker running an Alpine Linux container. The actual telemetry

Executive Summary * In mid-April 2022, Mandiant observed UNC2500 campaigns using MSI packages to distribute Qakbot payloads. * This change comes shortly after Microsoft’s announcement that macros from Office documents downloaded from the internet (ZoneIdentifier ADS) will be blocked by default. * This new payload uses a botnet ID AA, which is