During last week’s private maldoc training, I got the idea to update base64dump with 2 extra encodings, and add YARA support. The new encodings are “bx = backslash hexadecimal” like \x90\x90… and “ah = ampersand hexadecimal” like &H90&H90… Support … [Continue Reading]
Introducing WxTCmd!
WxTCmd is a parser for the new Windows 10 Timeline feature database.We have been hearing about it for several weeks now, but with 1803 finally final, I had a chance to update my system and let the feature do its thing. See here and here for more … [Continue Reading]
Tools, Books, Lessons Learned
ToolsAs part of my Sunday morning reading a bit ago, I was fascinated by an evolving tweet thread...Eric recently tweeted some random threat hunting advice involving shimcache data. In response, Nick tweeted regarding an analytic approach to using … [Continue Reading]