Md. Mahim Bin Firoj

21 Followers

2 days ago

How to investigate systems using Yara rules to find evil along with yara rule anatomy

Yara is a tool that helps you scan systems for malicious activity, and it needs rules to do so. The rules are used to detect malware, classify malware, perform compromise assessments, etc. During major incidents, Yara rules are shared by the community. …

Yara

7 min read

3 days ago

How to analyze powershell obfuscated code, Part-3

In this part we will analyze the same obfuscated PowerShell code in another way. Here are the 1st and 2nd parts: "How to analyze powershell obfuscated code, Part-1" and "How to analyze powershell obfuscated code (this one is base64), Part-2" (mahim-firoj.medium.com).

Powershell

6 min read

6 days ago

How to conduct incident response using LOKI scanner to detect malicious activity

LOKI is an IR tool created by Florian Roth. This tool will help you during an incident response situation when you are tasked with finding malicious activity on a compromised system. After downloading the repo for Linux, you will find the loki.py tool there. Download for Linux: GitHub - Neo23x0/Loki: Loki - Simple IOC and YARA Scanner (github.com)

Loki

3 min read

6 days ago

Implement http security headers on webserver

Nowadays more websites are compromised and their data is exposed to hackers or on the dark web. Most of these incidents are due to misconfiguration or a lack of protection from the server or system team, because from the system side they just want the website to work…

Web Server

3 min read

Sep 16

How to scan systems with THOR lite scanner during compromise assessment and incident response

In this post, I tried to consolidate information about THOR Lite that I think will be helpful for IR folks. First we need to know: what is the THOR Lite scanner? It is a compromise assessment tool developed by Nextron Systems and Florian Roth. This tool is used for detecting malicious activity in…

Thor Lite

5 min read

Sep 15

LetsDefend powershell-script challenge writeup

Challenge link: https://app.letsdefend.io/challenge/powershell-script Let's explain some of the PowerShell parameters. -NoP: This parameter stands for "NoProfile". It tells PowerShell not to load the user's profile (profile scripts) when starting. This can be useful for running scripts without interference from user-specific settings.

Powershell

4 min read

Sep 14

LetsDefend pdf-analysis challenge writeup

I have downloaded the challenge from LetsDefend and put it on my sansforensics machine. Don't execute the PDF files on your machine. They're malicious. Challenge link: https://app.letsdefend.io/challenge/pdf-analysis Note: I will be telling you the answers here. But that does not mean you shouldn't try it yourself. So please…

Lets Defend

3 min read

Sep 14

How to deobfuscate or decode or unminify JavaScript code

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(0(){4 1="5 6 7 8";0 2(3){9(3)}2(1)})();',10,10,'function|b|something|a|var|some|sample|packed|code|alert'.split('|'),0,{}))

How will you know this is JavaScript code? When you see eval(function(p,a,c,k,e,r), replace, while and new RegExp being used, then it is JavaScript code. Or you can verify this by using various online tools. Even in Medium, when you paste this in…

JavaScript

1 min read

Sep 9

How to make .exe file from c code using visual studio 2022

I am assuming that you have already installed Visual Studio 2022 with the necessary .NET frameworks and updates. Let's start Visual Studio 2022 and click "Continue without code".

Visual Studio

3 min read

Sep 5

CNAME dns record explanation

CNAME is the canonical name. Say your nickname is Avi and your full name is Md. Mahim Bin Firoj. So when people call Avi, it is actually Md. Mahim Bin Firoj who replies. Here Avi is the alias and the CNAME is Md. Mahim Bin Firoj. CNAME records always point a domain…

Cname

3 min read


Security Enthusiast