September 2024 | Why bother with argv[0]? |
August 2022 | Save the Environment (Variable) |
July 2021 | Windows Command-Line Obfuscation |
June 2020 | Hijacking DLLs in Windows |
January 2020 | PowerShell Obfuscation using SecureString |
January 2019 | Spoofing Google Search results |
Presentation | Command-Line Obfuscation: You Can Run AND You Can Hide – BSides Dublin. Also presented at BSides Prishtina (), MCTTP Munich () and SecSea 2k24 (). |
Presentation | Save the Environment (Variable): Hijacking Legitimate Applications with a Minimal Footprint – DEF CON 30. Also presented at BSides Roma (), HackCon Norway (), BSidesNYC () and Hack in Paris (). |
Blog | How Defenders Can Hunt for Malicious JScript Executions – CrowdStrike Research Blog |
Paper | A Single Sub-Technique for DLL Hijacking – A proposal for MITRE® ATT&CK® |
Presentation | Exploring Windows Command-Line Obfuscation – SANS DFIR Summit 2021 |
Presentation | Hijacking DLLs in Windows – EU MITRE ATT&CK® Community Workshop |
Blog | The Imitation Game: Attacker Emulation – PwC UK Research Blog |
Presentation | The Imitation Game: Attacker Emulation – BSides London 2019 |
Blog | Signal the ATT&CK: Part 2 - Security Orchestration and Alert Fatigue – PwC UK Research Blog |
Blog | Signal the ATT&CK: Part 1 - Tanium Signals and MITRE Caldera – PwC UK Research Blog |
Dissertation | Enhancing Network Intrusion Detection through Host Clustering |
Paper | Changing People's Behaviour towards Unsecured Wi-Fi Hotspots |
Paper | Strong cryptography in the 21st century: the key to democracy? |
Paper | Privacy-centric cryptocurrencies |
Paper | Online Certificate Status Protocol (OCSP) - An evaluation |
Paper | Censorship-avoidance for Tor |
Dissertation | Formalising the Bitcoin Protocol: making it a bit better |
HijackLibs.net provides a curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provides more context.
For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts. Although detecting DLL Hijacking is not always without its challenges, it is certainly possible to monitor for behaviour that may be indicative of abuse. To further support defenders, out-of-the-box Sigma rules are provided through this website. A Sigma feed containing detection rules for all entries that are part of this project is available too.
For red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking. The aim of this project is not to make it easy to abuse the recorded vulnerabilities; as such, PoCs, code templates or tutorials are not provided.
Project start | - see Tweet |
Technology | GitHub Actions, HTML/JavaScript/CSS, YAML |
Source Code | github.com/wietze/HijackLibs |
Project Website | HijackLibs.net |
Project start | |
Platform | Windows (native), Mac OS X and Linux (Mono) |
Technology | C#, .NET, JSON, XML, PHP, Python |
Media | ComputerIdee, Computer!Totaal, ComputerEasy, PCM, Tips&Trucs, CHIP, BNR Nieuwsradio, De Pers |
Reviews | DutchCowboys: "Not just another mashup of TV download tools, but one of the most stable download tools I have been able to test." ComputerTotaal: "[...] the free program GemistDownloader [is] a real godsend!" - rating 9/10 |
Download | » GemistDownloader 2.9 |
Project start | |
Platform | Windows Phone 7.x, 8.x |
Technology | C#, .NET, JSON, XML, MS-push |
Reviews | Press release AMBER Alert Nederland: "More than 7,000 downloads of the Windows Phone app for AMBER Alert" |
Marketplace | » Windows Phone Marketplace |
Project start | |
Platform | Windows Phone 7.x, 8.x |
Technology | C#, .NET, JSON, Bol.com API |
Reviews | Bol.com: showcase. WP7.nl: "De Blauwe App is a simple-looking but very well functioning app." |
Marketplace | » Windows Phone Marketplace |