Saturday, April 23, 2016

Hunting Threats - regsvr32.exe example

I was recently at the Threat Hunting Summit in New Orleans.  It was great to meet some of you who read my posts, and to get feedback on my talk.

My slide deck is here:

ThreatHunting Summit

So, we hunt threats a bit differently. Let me explain. We act out adversarial actions ourselves, and try to discover innovative tactics that adversaries might use before they use them.

I have published these on my blog and on my GitHub page. The purpose of publishing them is to inform defenders of tactics that can be used against defensive systems...

I have mentioned in several talks that I am interested mainly in architectural flaws, or oversights, that allow attackers to use trusted tools in unexpected ways. These are not exploits... There is no patch coming... I am using the tools in the manner they were meant to be used, mostly by developers.

I really do enjoy what the DFIR community is doing, from memory forensics, to continuous monitoring, to log aggregation and analysis... And I get it, all of that is good stuff.

But then there are hidden caves and corners in the OS, like regsvr32, and the other tools I've written about.

These are on your box, and nobody knows what the hell they do, or COULD do...

But likely someone has figured that out, and you are unaware...

So, my opinion, and it is purely that, for those of us who do defense: I encourage you to start looking around and asking, what can this do? Do we ever use it? How often is this EVER executed? If it does weird stuff, perhaps ban it... etc. There are a lot of interesting places to hide, and you can find them.

So, about regsvr32.exe. Here's a native tool, built into the OS, and many of us didn't really understand what it could do until a few days ago...

regsvr32.exe will be one of my favorite finds, and I am glad it got the attention it has.

I hope that some of you will take on the hunt for strange and interesting in your environment.

I grew up hunting in Colorado. And I can tell you this: you hunt elk very differently than you hunt, say, pheasants. Each situation and industry requires its own diligence.

Maybe instead of investing in some new widget, we should step back, sit down with the output of "dir /s", and understand what tools and binaries are on our systems, which of them ever run, and what they get used for...

That's free. And a rather interesting exercise.
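Here is that exercise as a script. It is an added example, not something from the original post: it lists every .exe under System32 (the scripted "dir /s"), pulls Sysmon process-creation events (Event ID 1) for a lookback window, counts how often each image runs, and prints the binaries that never ran plus the full command lines of the rarely used ones. It assumes Sysmon is installed and logging to its default channel; the 30-day window, the "five runs or fewer" cutoff, and the regsvr32 URL check at the end are heuristics chosen for the example.

```powershell
# Added example (not from the original post): turn "dir /s" plus
# "how often is this EVER executed?" into a repeatable hunt.
# Assumptions: Sysmon is installed and writing Event ID 1 (process creation)
# to its default channel; root path and lookback window are parameters.
param(
    [string]$Root = "$env:SystemRoot\System32",
    [int]$Days    = 30
)

# 1. Inventory: every .exe on disk under $Root (the scripted "dir /s").
$onDisk = Get-ChildItem -Path $Root -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
          ForEach-Object { $_.FullName.ToLowerInvariant() }

# 2. Telemetry: Sysmon process-creation events from the last $Days days.
#    Fields are read by name from the event XML, so this does not depend on
#    the property order of a particular Sysmon version.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$procs = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Image       = [string]$data['Image']
        CommandLine = [string]$data['CommandLine']
    }
}

# 3. Execution count per image (case-insensitive on the path).
$counts = @{}
foreach ($p in $procs) {
    $key = $p.Image.ToLowerInvariant()
    if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
}

# 4. Binaries on disk that never executed in the window: the
#    "what is this, and do we ever use it?" list.
$neverRun = $onDisk | Where-Object { -not $counts.ContainsKey($_) }

Write-Host ("Executables under {0}: {1}" -f $Root, @($onDisk).Count)
Write-Host ("Distinct images executed in last {0} days: {1}" -f $Days, $counts.Count)
Write-Host ("Never executed in that window: {0}" -f @($neverRun).Count)
$neverRun | Select-Object -First 25

# 5. Tools that do run, but rarely (five times or fewer, a cutoff chosen for this
#    example): show every command line, since that is where an unexpected use of a
#    trusted tool becomes visible.
$rare = $counts.GetEnumerator() | Where-Object { $_.Value -le 5 } | ForEach-Object { $_.Key }
$procs | Where-Object { $rare -contains $_.Image.ToLowerInvariant() } |
    Sort-Object Image, Time |
    Format-Table Time, Image, CommandLine -AutoSize

# 6. The post's example, regsvr32.exe: its normal job is registering a local DLL,
#    so a command line that names a URL is worth a look. (Heuristic chosen for
#    this example, not a rule stated in the post.)
$procs |
    Where-Object { $_.Image -like '*\regsvr32.exe' -and $_.CommandLine -match 'https?://' } |
    Format-Table Time, CommandLine -AutoSize
```

Run it from an elevated PowerShell on a host with Sysmon, or point `Get-WinEvent` at an exported .evtx with `-Path` instead of `-FilterHashtable`. The "never executed" list is the starting point for the question the post asks: for each binary on it, what can this do, and do we need it here?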

There's plenty more fun to be had here...

Hope that helps!

OK, that's all I got.
