
Wietze Beukema

Cyber Threat Detection & Response
Tech enthusiast, security fanatic with an interest in politics and society
London, United Kingdom
Why bother with argv[0]?
Save the Environment (Variable)
Windows Command-Line Obfuscation
Hijacking DLLs in Windows
PowerShell Obfuscation using SecureString
Spoofing Google Search results
Presentation: Command-Line Obfuscation: You Can Run AND You Can Hide – BSides Dublin
Also presented at BSides Prishtina, MCTTP Munich and SecSea 2k24.
Presentation: Save the Environment (Variable): Hijacking Legitimate Applications with a Minimal Footprint – DEF CON 30
Also presented at BSides Roma, HackCon Norway, BSidesNYC and Hack in Paris.
Blog: How Defenders Can Hunt for Malicious JScript Executions – CrowdStrike Research Blog
Paper: A Single Sub-Technique for DLL Hijacking – A proposal for MITRE® ATT&CK®
Presentation: Exploring Windows Command-Line Obfuscation – SANS DFIR Summit 2021
Presentation: Hijacking DLLs in Windows – EU MITRE ATT&CK® Community Workshop
Blog: The Imitation Game: Attacker Emulation – PwC UK Research Blog
Presentation: The Imitation Game: Attacker Emulation – BSides London 2019
Blog: Signal the ATT&CK: Part 2 - Security Orchestration and Alert Fatigue – PwC UK Research Blog
Blog: Signal the ATT&CK: Part 1 - Tanium Signals and MITRE Caldera – PwC UK Research Blog
Dissertation: Enhancing Network Intrusion Detection through Host Clustering
Paper: Changing People's Behaviour towards Unsecured Wi-Fi Hotspots
Paper: Strong cryptography in the 21st century: the key to democracy?
Paper: Privacy-centric cryptocurrencies
Paper: Online Certificate Status Protocol (OCSP) - An evaluation
Paper: Censorship-avoidance for Tor
Dissertation: Formalising the Bitcoin Protocol: making it a bit better

HijackLibs.net


HijackLibs.net provides a curated list of DLL Hijacking candidates. It keeps a mapping between DLLs and the executables that are vulnerable to loading them, which can be searched via this website; further metadata, such as references and resources, gives each entry more context.

For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts. Although detecting DLL Hijacking is not always without challenge, it is certainly possible to monitor for behaviour that may be indicative of abuse. To further support defenders, out-of-the-box Sigma rules are provided through this website; a Sigma feed containing detection rules for all entries in this project is available too.

For red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking. The aim of this project is not to make it easy to abuse the recorded vulnerabilities; as such, no PoCs, code templates or tutorials are provided.
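The detection idea above, as an added example that is not code from the HijackLibs project: a small Python checker that takes a candidate list (DLL name, directories where the DLL legitimately lives, executables known to load it) and flags Sysmon ImageLoad-style events where a listed executable loads the DLL from anywhere else, or loads a "phantom" DLL that has no legitimate location at all. The entry layout is only loosely modelled on the project's YAML and the `%SYSTEM32%`/`%PROGRAMFILES%` tokens are an assumption; the `contoso`/`fabrikam` entries and the log records are constructed placeholders, not real hijacking candidates.

```python
"""Check image-load events against a DLL-hijacking candidate list.

Added example, not code from HijackLibs. Entry layout, directory tokens,
candidate entries and log records are all constructed for illustration.
"""
import ntpath

# Assumed placeholder tokens for well-known Windows directories.
KNOWN_DIRS = {
    "%SYSTEM32%": r"C:\Windows\System32",
    "%PROGRAMFILES%": r"C:\Program Files",
}

# Constructed candidate entries (placeholder names, not real findings).
CANDIDATES = [
    {   # a DLL that legitimately lives in one directory; loading it from
        # elsewhere by the listed executable is the classic sideloading case
        "Name": "contoso.dll",
        "ExpectedLocations": ["%PROGRAMFILES%\\Contoso"],
        "VulnerableExecutables": [
            {"Path": "%PROGRAMFILES%\\Contoso\\contoso.exe", "Type": "Sideloading"},
        ],
    },
    {   # a "phantom" DLL: the executable looks for it, but no legitimate
        # copy exists, so any successful load is suspicious
        "Name": "fabrikam.dll",
        "ExpectedLocations": [],
        "VulnerableExecutables": [
            {"Path": "%SYSTEM32%\\fabrikam.exe", "Type": "Phantom"},
        ],
    },
]


def expand(path):
    """Replace directory tokens and normalise case for comparison."""
    for token, real in KNOWN_DIRS.items():
        path = path.replace(token, real)
    return path.lower()


def build_index(candidates):
    """Map lower-cased DLL name -> (expected directories, loader exe names).

    Loaders are matched by file name only: in a sideload the vulnerable
    executable is usually copied next to the malicious DLL, so its full
    path will not match the one recorded in the entry.
    """
    index = {}
    for entry in candidates:
        expected = {expand(d) for d in entry["ExpectedLocations"]}
        loaders = {ntpath.basename(expand(v["Path"])) for v in entry["VulnerableExecutables"]}
        index[entry["Name"].lower()] = (expected, loaders)
    return index


def check_event(event, index):
    """Return a finding for a suspicious load, or None for a benign one."""
    loaded = event["ImageLoaded"]
    dll_name = ntpath.basename(loaded).lower()
    if dll_name not in index:
        return None                                  # not a known candidate
    expected_dirs, loaders = index[dll_name]
    if ntpath.basename(event["Image"]).lower() not in loaders:
        return None                                  # loader is not a listed executable
    if ntpath.dirname(loaded).lower() in expected_dirs:
        return None                                  # loaded from its legitimate home
    reason = "phantom DLL loaded" if not expected_dirs else "DLL loaded from unexpected directory"
    return {"process": event["Image"], "dll": loaded, "reason": reason}


def scan(events, index):
    """Run check_event over every record and keep the findings."""
    return [f for f in (check_event(e, index) for e in events) if f]


# Constructed Sysmon Event ID 7 (ImageLoad)-style records.
EVENTS = [
    # benign: listed executable loads the DLL from its expected directory
    {"Image": r"C:\Program Files\Contoso\contoso.exe",
     "ImageLoaded": r"C:\Program Files\Contoso\contoso.dll"},
    # sideload: copied executable loads a same-named DLL from Downloads
    {"Image": r"C:\Users\alice\Downloads\contoso.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\contoso.dll"},
    # phantom: a DLL that should never exist gets loaded
    {"Image": r"C:\Windows\System32\fabrikam.exe",
     "ImageLoaded": r"C:\Users\Public\fabrikam.dll"},
    # not flagged: an unlisted process loading the candidate DLL
    {"Image": r"C:\Users\alice\Downloads\other.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\contoso.dll"},
    # not flagged: a DLL that is not in the candidate list at all
    {"Image": r"C:\Program Files\Contoso\contoso.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS, build_index(CANDIDATES)):
        print(finding)
```

The unlisted-process case is deliberately left alone: the candidate list records which executables are known to be hijackable, and alerting on every load of a listed DLL name would swamp the signal the mapping gives you. On a real host the event source would be Sysmon Event ID 7 or an equivalent EDR image-load telemetry, and the expected-directory comparison should also be run against the project's own Sigma rules rather than re-implemented ad hoc.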

Project start
Technology GitHub Actions, HTML/JavaScript/CSS, YAML
Source Code github.com/wietze/HijackLibs
Project Website HijackLibs.net


GemistDownloader

Freeware program for Windows. GemistDownloader helps users download Dutch TV shows; although it is designed for novice computer users, advanced users can make use of its more powerful features.

GemistDownloader has been featured in many Dutch computer magazines.

Project start
Platform Windows (native), Mac OS X and Linux (Mono)
Technology C#, .NET, JSON, XML, PHP, Python
 
Media ComputerIdee, Computer!Totaal, ComputerEasy, PCM, Tips&Trucs, CHIP, BNR Nieuwsradio, De Pers
Reviews DutchCowboys: "Not just another mashup of TV download tooling, but one of the most stable download tools I have been able to test."
ComputerTotaal: "[...] the free program GemistDownloader [is] a real godsend!" - rating 9/10
 
Download » GemistDownloader 2.9


AMBER Alert NL

When an AMBER Alert is issued, the photo of the missing child appears on the user's home screen. By opening the app, users can get more information about the missing person.


Project start
Platform Windows Phone 7.x, 8.x
Technology C#, .NET, JSON, XML, MS-push
Reviews Press release AMBER Alert Nederland: "More than 7,000 downloads of the Windows Phone app for AMBER Alert"
 
Marketplace » Windows Phone Marketplace


De Blauwe App

A Windows Phone app for Dutch webshop Bol.com, based on their open API. Search through the complete collection, scan barcodes, see special offers and buy items in-app. A brief demo is available on YouTube.

Project start
Platform Windows Phone 7.x, 8.x
Technology C#, .NET, JSON, Bol.com API
Reviews Bol.com: showcase
WP7.nl: "De Blauwe App is a simple-looking but very well-functioning app."
 
Marketplace » Windows Phone Marketplace
