GootLoader — Extracting IOCs (Ben Folland, Nov 9, 2023): GootLoader is a JScript-based Initial-Access-as-a-Service (IAaaS) strain of malware, typically used to host other further malicious…

Basic Malware RE — TryHackMe (Ben Folland, Jun 19, 2023): This is a writeup of my solutions to the Basic Malware RE CTF challenges. Hope you enjoy!

Unmasking Defence Evasion: Unmanaged PowerShell / C# / .NET process injection (Ben Folland, Jun 10, 2023): Over the past few days, I have been engrossed in researching various defence evasion techniques used by red team operators and APT groups…

Detecting DLL hijacking with Sysmon, Chainsaw & custom Sigma rules (Ben Folland, Jun 9, 2023): In my last article I went into detail on what DLL hijacking is, how it can happen, and how one can use Sysmon to log the event…

Detecting DLL hijacking with Sysmon logs (Ben Folland, Jun 7, 2023): Before I explain the details of detecting DLL hijacking, let's explain what it is and why you should care.

Behind The Scenes — HTB Reverse Engineering (Ben Folland, Jun 4, 2023): We are given a file, behindthescenes, and the task of recovering the flag. Let's first identify the file type and start with some…

De-obfuscating another Cobalt Strike beacon stager (Ben Folland, Jun 3, 2023): You may have recently seen this article of mine where I covered de-obfuscating and extracting a Cobalt Strike beacon from a PowerShell…

De-obfuscating a PowerShell Cobalt Strike beacon stager (Ben Folland, Jun 3, 2023): I recently discovered this malicious PowerShell script from a Twitter post by @xorJosh. In his tweet he described an Oracle-related service…

De-obfuscating a .JS based RAT #1 (Ben Folland, Jun 1, 2023): I recently discovered a .JS malware sample from MalwareBazaar which looked interesting. This is an article describing the steps I took to…