I barely remember a security incident that I worked on where the adversary didn’t use web shells here or there. Web shells are effective, publicly available, and sort of hard to discover — they say.

In this piece, I will try to address the discovery challenge by sharing ideas and techniques for web shell hunting, and ultimately turn the web shell from a capability into a liability for the adversary.


A web shell is any form of code (whether scripted or compiled) that gives the adversary access, over the web, to operating system services (e.g. shells). …
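That definition already suggests one hunting heuristic: server-side code that reaches an OS execution primitive and feeds it request-controlled input. The following is an added example, not code from the original post; it scores files in a constructed, in-memory web root (the dict stands in for a filesystem walk) against per-language patterns for OS execution and request input, and ranks the results.

```python
import os
import re

# Constructed sample web root (relative path -> file content). These files are
# made up for this example; they are not from the original post.
SAMPLE_WEBROOT = {
    "index.php": "<?php echo 'hello'; ?>",
    "upload/avatar.php": "<?php @system($_GET['cmd']); ?>",
    "app/util.php": "<?php function up($s) { return strtoupper($s); } ?>",
    "admin/run.aspx": "<% System.Diagnostics.Process.Start(Request.Form[\"c\"]); %>",
    "static/logo.png": "\x89PNG\r\n",
}

# Primitives that reach operating-system services from server-side code,
# keyed by file extension. The lists are illustrative, not exhaustive.
EXEC_PATTERNS = {
    ".php": r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    ".aspx": r"\bProcess\.Start\s*\(",
    ".jsp": r"\bRuntime\.getRuntime\(\)\.exec\s*\(",
}

# Ways the same code can take attacker-controlled input from the HTTP request.
INPUT_PATTERNS = {
    ".php": r"\$_(GET|POST|REQUEST|COOKIE)\b",
    ".aspx": r"\bRequest\.(Form|QueryString|Headers)\b",
    ".jsp": r"\brequest\.getParameter\s*\(",
}


def score_file(path, content):
    """Return (score, reasons) for one file; score 0 means nothing of interest."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXEC_PATTERNS:
        return 0, []
    # Collect the distinct primitive names (strip the trailing "(" and spaces).
    execs = sorted({m.group(0).rstrip("( ") for m in re.finditer(EXEC_PATTERNS[ext], content)})
    inputs = sorted({m.group(0) for m in re.finditer(INPUT_PATTERNS[ext], content)})
    score = 0
    reasons = []
    if execs:
        score += 2
        reasons.append("os-exec:" + ",".join(execs))
    if inputs:
        score += 1
        reasons.append("request-input:" + ",".join(inputs))
    # Both together is the web shell shape: request-controlled input fed to the OS.
    if execs and inputs:
        score += 2
    return score, reasons


def hunt(webroot):
    """Score every file and return findings sorted from most to least suspicious."""
    findings = []
    for path, content in webroot.items():
        score, reasons = score_file(path, content)
        if score:
            findings.append((score, path, reasons))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return findings


if __name__ == "__main__":
    for score, path, reasons in hunt(SAMPLE_WEBROOT):
        print(f"{score}  {path}  {'; '.join(reasons)}")
```

On the sample web root the two planted files score highest and the benign ones score zero. The patterns are deliberately plain-text; a shell that hides its primitives behind `eval`, string concatenation or base64 decoding will not match, so in practice this ranking is one signal to combine with others (file creation time versus the rest of the deployment, web server logs showing POSTs to a file nobody deployed) rather than a verdict on its own.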

The Strategy Game that Incident Responders Play

Real story: a target received a tip-off from an external party about a potential compromise. The target started an investigation, identified a suspected patient zero and removed it from the network. Later, they discovered a backdoor on a server and removed it. Later still, a system admin logged in to one server and found the adversary active on it. A whack-a-mole game that continued for quite some time.

Hasty, incomplete and unmeasured actions often fail in response to “targeted” intrusions from “adaptive” threat actors.

A targeted intrusion from an adaptive threat actor is methodical and organized work that is carried out (for most of the intrusion…

In Windows, the system resources (e.g. processes, files, devices) that need to be named, shared, protected, or exposed to user mode are managed by the OS as objects. User applications can’t access these objects/resources directly; they go through the Object Manager (Ob), the subsystem that manages access to system objects/resources. Windows 10 (build 16299), for example, has 64 different object types.

But what is a Windows object?…

A Windows object is a memory data structure that represents a system resource, and it has two parts:

  1. Object header (OBJECT_HEADER): the first 0x30 bytes. The object manager owns and manages this part of the structure (Figure 1).


