0xThiebaut's Blog

0xThiebaut's Bloghttps://thiebaut.dev/A dump for security-related thoughts and content.000000enTue, 07 Nov 2023 00:00:00 +0100Generating IDA Type Information Libraries from Windows Type Librarieshttps://thiebaut.dev/articles/generating-ida-type-information-libraries-from-windows-type-libraries/Tue, 07 Nov 2023 00:00:00 +0100https://thiebaut.dev/articles/generating-ida-type-information-libraries-from-windows-type-libraries/In this quick-post, we’ll explore how to convert Windows type libraries (TLB) into IDA type information libraries (TIL).IcedID & Qakbot's VNC Backdoors: Dark Cat, Anubis & Keyholehttps://thiebaut.dev/articles/icedid-and-qakbot-vnc-backdoors-dark-cat-anubis-keyhole/Mon, 20 Mar 2023 00:00:00 +0100https://thiebaut.dev/articles/icedid-and-qakbot-vnc-backdoors-dark-cat-anubis-keyhole/In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID & Kakbot VNC backdoor variants NVISO observed. We’ll follow by exposing common TTPs before revealing information leaked through the attackers’ clipboard data.Diffing Sysmon's v14.11 ClipboardChange Event for Arbitrary Writehttps://thiebaut.dev/articles/diffing-sysmon-clipboardchange-for-arbitrary-write/Mon, 14 Nov 2022 11:15:00 +0100https://thiebaut.dev/articles/diffing-sysmon-clipboardchange-for-arbitrary-write/My first BinDiff: Checking the Sysmon v14.11 patch to turn a ClipboardChange event into arbitrary writing.Enforcing a Sysmon Archive Quotahttps://thiebaut.dev/articles/enforcing-a-sysmon-archive-quota/Thu, 30 Jun 2022 15:19:00 +0100https://thiebaut.dev/articles/enforcing-a-sysmon-archive-quota/This blog post will create a Sysmon archive quota through WMI event consumption to avoid storage exhaustion.Detecting & Preventing Rogue Azure Subscriptionshttps://thiebaut.dev/articles/detecting-and-preventing-rogue-azure-subscriptions/Wed, 18 May 2022 18:41:00 +0100https://thiebaut.dev/articles/detecting-and-preventing-rogue-azure-subscriptions/In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft’s Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.Automated Sigma Rule Generation from MISP Threat Intelligencehttps://thiebaut.dev/articles/automated-sigma-rule-generation-from-misp-threat-intelligence/Tue, 09 Jun 2020 21:00:00 +0100https://thiebaut.dev/articles/automated-sigma-rule-generation-from-misp-threat-intelligence/Introducing the Sigma Importer – a way of generating thousands of qualitative vendor-agnostic Sigma rules from threat intelligence feeds such as MISP.Automated Anomaly-Detection in DNS Recordshttps://thiebaut.dev/articles/automated-anomaly-detection-in-dns-records/Fri, 17 Jan 2020 14:00:00 +0100https://thiebaut.dev/articles/automated-anomaly-detection-in-dns-records/Audit and monitor DNS zones using Dnsbeat. This article introduces Dnsbeat’s working and how it can be used to create a DNS honeypot.