Lab notebook
In-depth analyses of malware samples, technique deep-dives, and lab notes from the field. Long-form, technical, no fluff.
46 articles in "Education" — page 2 of 6
How fileless malware executes entirely in memory using PowerShell download cradles, .NET reflection, WMI event subscriptions, and registry-resident payloads — with detection strategies and multi-technology attack chain analysis.
Base64 encoded commands, string concatenation, compression streams, AMSI bypass techniques, Script Block Logging, and de-obfuscation tools — how to recover the cleartext payload from any PowerShell obfuscation layer.
The Original Entry Point concept, the ESP hardware breakpoint technique for finding it, and the Scylla workflow for dumping and rebuilding the Import Address Table into an analysable PE.
The four structural indicators of packing, how packers work, common packer families from UPX to VMProtect, and how to use Detect-It-Easy to identify the packer before attempting to unpack.
VBA macro infection chains, document format identification, olevba analysis, P-Code, Excel 4.0 XLM macros, DDEAUTO, remote template injection, and malicious OneNote files — with a complete triage workflow.
RTF file structure, why attackers prefer it, CVE-2017-11882 and CVE-2017-0199, OLE object extraction with rtfobj, shellcode analysis with scdbg, and high-risk indicator recognition.
PDF file structure, attack vectors — embedded JavaScript, launch actions, embedded files — and a practical triage workflow using pdfid.py and pdf-parser.py to extract and analyse malicious content.
How to recover the cleartext payload from obfuscated JavaScript using eval interception, browser DevTools breakpoints, and CyberChef — with patterns for Base64, string concatenation, character codes, and nested eval.
Drive-by download attack chains, URL deception techniques, exploit kits, and safe investigation tools — how to analyse a suspicious URL without visiting it.