

Web shell hunting: Meet the web shell analyzer

In continuation of my prior work on web shells (Medium/Blog), I wanted to take my work a step further and introduce a new tool that goes beyond my legacy webshell-scan tool. The “webshell-scan” tool was written in GoLang and provided threat hunters and analysts alike with the ability to quickly scan a target system for web shells in a cross-platform fashion. That said, I found it was lacking in many other areas. Allow me to elaborate below…

Requirements of web shell analysis

In order to perform proper web shell analysis, we need to define some of the key requirements that a web shell analyzer would need to include. This isn’t a definitive list but more of a guide on key requirements based on my experience working on the front lines:

Static executable: Tooling must include all dependencies when being deployed. This ensures the execution is consistent and expected.

Simple and easy to use: A tool must be simple and straightforward to deploy and execute. Nothing is more frustrating than tryi…
Recent posts

Top Readings for InfoSec

Over the years, I’ve been asked what books and/or websites I’d recommend to those getting into the field of cyber security, focusing on malware analysis and incident response. While it’s hard to beat “on the job experience”, other materials such as hands-on labs, capture the flag events, books and other free online resources are a great start. Of course, reading a book is only good if you enjoy the topic ;). I’ve broken down the topics below based on category. I highly recommend working through the labs and rereading any chapters that need additional clarification.

This blog can also be found on Medium.

Incident Response:
Incident Response & Computer Forensics, Third Edition
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Red Team Field Manual

If your goal is to work in the IR field (or ma…

Basic Dynamic Analysis - PE

As mentioned in my prior post (Medium / StillzTech), malware analysis can be grouped into four categories:
Basic Static
Basic Dynamic - PE File (what this post will cover)
Advanced Static
Advanced Dynamic

As stated in my prior post, we perform basic static analysis first to understand the executable’s “potential” capabilities and structure. Some questions we aim to answer during basic static analysis:

What libraries does the PE file import, including functions / ordinals?
Why? This may indicate the file has the “capability” to log to a text file and read credit card track data from memory, indicating you’re dealing with some point of sale malware.

What unique strings stand out?
Why? Some malware may contain the PDB file (debugger symbols) or original code file path, which can be used to find related malware or identify the malware itself.

What language was the PE file written in?
Why? Depending on the language the executable was written in, you might be able to reassemble the source. Languages …

Revealing malware relationships with GraphDB: Part 1

In this post, we will learn how using a Graph Database like Neo4j can help visualize malware relationships and extend these relationships to identify patterns between samples. Before we dig into Neo4j, let’s start with some fundamental graph terminology:

Nodes represent entities such as a human, car, laptop or phone.
Properties are attributes nodes can contain. A steering wheel or tires would be a property of the “car” node.
Labels are a way to group together nodes of a similar type. For example, a label of “FastFood” may include nodes such as “Taco Bell, McDonald’s, and Chipotle”.
Edges (or vertices) represent the relationship connection between two nodes. Relationships can also have their own properties.

Getting started with Neo4j

Link:
Neo4j is a Graph Database commonly known for its pure simplicity and easy to use interface. I find the structure of a graph database quite fascinating, on top of learning how to normalize malware analysis data for each sample into a …