
Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to differentiate between real and fake.

Checklist:


Some notes I've used to identify suspicious activity when searching through packet captures.

Of course, basic hunting should include looking at ports and strange host/IP addresses. Beyond those basics, we can look at the different protocols. …


File entropy is a score of how random the data within a PE file is, on a scale of 0 to 8 (Shannon entropy, in bits per byte). A score near 0 means the data has very little "randomness" (long runs of identical bytes), while a score approaching 8 means the byte values are nearly uniformly distributed, as in compressed, packed or encrypted data.

Files that are encrypted will…
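The following is an added example (not code from the original post) that computes the entropy score described above for arbitrary bytes, both for a whole file and per block, so that a single packed or encrypted region inside an otherwise ordinary file still stands out. The classification thresholds are a triage rule of thumb and an assumption of this example, not a standard; the sample inputs are constructed in the script rather than taken from real binaries.

```python
import math
import os
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0).
    0.0: every byte identical; 8.0: all 256 byte values equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = 256) -> list:
    """Entropy of each fixed-size block. A packed or encrypted region shows up
    as a run of near-8 blocks even when the whole-file score looks modest."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def classify(entropy: float) -> str:
    """Rough triage buckets. Thresholds are an assumption of this example."""
    if entropy >= 7.2:
        return "very high: likely packed or encrypted"
    if entropy >= 6.0:
        return "high: compressed or mixed content"
    if entropy >= 4.0:
        return "normal: typical code or text"
    return "low: sparse or padded data"


def file_entropy(path: str) -> float:
    """Whole-file entropy, e.g. file_entropy('sample.exe')."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read())


# Constructed samples standing in for file contents (no real binaries involved).
TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
SAMPLES = {
    "plain text": TEXT,
    "zlib-compressed text": zlib.compress(TEXT, 9),
    "random bytes (what ciphertext looks like)": os.urandom(2048),
    "all zeros (section padding)": b"\x00" * 2048,
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        h = shannon_entropy(blob)
        print(f"{label:45s} {h:5.2f}  {classify(h)}")
    # Per-block view of a file that is mostly text but carries an encrypted payload.
    mixed = TEXT + os.urandom(1024) + TEXT
    print([round(h, 1) for h in block_entropies(mixed, 512)])
```

Whole-file entropy alone can be misleading: a large benign executable with a small embedded encrypted blob may score under 6, which is why the per-block view is worth printing alongside the single number.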


Malware infection via malicious macros (scripts embedded in Microsoft Office products such as Word and Excel) is one of the most successful attack techniques to date.

For example, ongoing large-scale malware campaigns such as Emotet and QakBot infect users by sending seemingly legitimate documents attached to emails, such as an invoice addressed to a business. However…


PDFs can contain many types of code that execute without the user's knowledge. These include:

We can use peepdf to analyze a PDF file and check whether it contains JavaScript.

remnux@thm-remnux:~/Tasks/3$ peepdf notsuspicious.pdf 
Warning: PyV8 is not installed!!
File: notsuspicious.pdf
MD5…
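As an added example (not part of the original post, and not peepdf's own code), the script below does a first-pass triage of the same kind in plain Python: it looks for the PDF names that commonly carry executable behaviour (/JS, /JavaScript, /OpenAction, /AA, /Launch and friends), undoes the `#xx` hex escapes that malware uses to hide those names (for example `/J#61vaScript`), and inflates FlateDecode streams so JavaScript tucked inside a compressed object is not missed. The sample PDF is constructed inside the script and is harmless; the list of suspicious names is an assumption of this example.

```python
import re
import zlib

# PDF names worth a closer look when they appear in a document (assumed list).
SUSPICIOUS_NAMES = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia", b"/AcroForm", b"/URI"]

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream body runs from the 'stream' keyword line to 'endstream'; the
# lookbehind stops us matching the 'stream' inside 'endstream'.
STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo /#4A#53-style hex escapes so obfuscated names still match."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the decompressed body of every zlib (FlateDecode) stream."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded, or damaged: skip it
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrences} for every suspicious name found in the raw
    (de-escaped) file plus the inflated stream contents."""
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not also count /JSX.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if count:
            hits[name.decode()] = count
    return hits


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf(fh.read())


def build_sample_pdf() -> bytes:
    """Constructed, harmless sample: an auto-run action whose /JavaScript name
    is hex-escaped, plus a Flate-compressed object that also carries JavaScript."""
    js_obj = b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
    compressed = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (this.print()) >>")
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj " + js_obj + b" endobj",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>" % len(compressed),
        b"stream",
        compressed,
        b"endstream",
        b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

A plain `grep -a JavaScript file.pdf` misses both tricks the sample uses (name escaping and compressed objects), which is exactly why tools like peepdf parse objects rather than bytes; this script is only a triage step, and anything it flags deserves the full peepdf walk-through.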

My notes on THM Room.

This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.

Enumeration with Nmap

Scan the machine with nmap, how many ports are open?

7

Not shown: 993 closed ports
PORT…

Notes on THM Room

Enumeration through nmap

nmap -p- -A 10.10.107.122

How many ports are open?

3 — Port 80, 6498, 65534

What is the version of nginx?

1.16.1

What is running on the highest port?

Apache

Compromising the Machine

Using GoBuster, find flag 1.

dirb http://10.10.107.122
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Sep 23 20:40:33 2021
URL_BASE: http://10.10.107.122/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.107.122/ ----
==> DIRECTORY: http://10.10.107.122/hidden/


My Notes on THM Room.

Data Acquisition & Trust Certificates

The analysis of iPhone backups made with iTunes is an interesting topic, to say the very least. When backing up an iPhone, iTunes accesses the iPhone in a privileged state — similar to using the sudo command on Linux to run a command with root privileges.


My notes on THM room.

Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.

Introduction to Yara Rules:

Using a Yara rule is simple. Every yara command requires two arguments to be valid; these are:
1) The rule file we create
2) Name of file…
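To show what "binary and textual patterns" mean in practice, here is an added example (not from the original post, and not yara itself) that implements the matching semantics of a small YARA rule in plain Python: a hex string with `??` single-byte wildcards, a text string, and an `all of them` / `any of them` condition. The equivalent rule is shown in the comment so it can be run with the real tool as `yara rule.yar target.bin`; the sample bytes are constructed in the script and only imitate a PE header.

```python
import re

# Equivalent YARA rule (reference only; this script does not invoke yara):
# rule suspicious_pe {
#   strings:
#     $mz  = { 4D 5A ?? ?? 03 00 }
#     $pe  = { 50 45 00 00 }
#     $cmd = "cmd.exe"
#   condition:
#     all of them
# }
RULE_STRINGS = {
    "$mz": "{ 4D 5A ?? ?? 03 00 }",
    "$pe": "{ 50 45 00 00 }",
    "$cmd": "cmd.exe",
}


def hex_pattern_to_regex(hex_pattern: str) -> bytes:
    """Translate a YARA-style hex string such as '{ 4D 5A ?? ?? }' into a
    bytes regex; '??' is a one-byte wildcard."""
    parts = []
    for tok in hex_pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(rb".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return b"".join(parts)


def match_rule(data: bytes, strings: dict, condition: str = "all of them") -> dict:
    """Return which identifiers matched (with offsets) and whether the rule
    condition holds. Hex strings are written in braces, text strings plainly."""
    matches = {}
    for ident, pattern in strings.items():
        if pattern.startswith("{"):
            regex = hex_pattern_to_regex(pattern)
        else:
            regex = re.escape(pattern.encode())
        # re.S so the '.' wildcard also matches 0x0A, a common byte in binaries.
        offsets = [m.start() for m in re.finditer(regex, data, re.S)]
        if offsets:
            matches[ident] = offsets
    if condition == "all of them":
        ok = len(matches) == len(strings)
    elif condition == "any of them":
        ok = bool(matches)
    else:
        raise ValueError("only 'all of them' / 'any of them' are supported here")
    return {"matches": matches, "rule_matched": ok}


# Constructed sample: 'MZ' header with two wildcard bytes, a 'PE\0\0' signature
# at offset 16, then a suspicious command string. Not a real executable.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"\x00" * 10 + b"PE\x00\x00"
          + b"... cmd.exe /c whoami ...")

if __name__ == "__main__":
    print(match_rule(SAMPLE, RULE_STRINGS))
```

The wildcard is what makes hex strings useful against real samples: bytes that vary per build (here the two after `MZ`) are skipped, while the stable bytes around them still have to line up.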


My notes on THM room.

You've likely encountered a website that requires you to have special characters, capital letters and a number in your password. These are password rules, intended to make your account more secure and harder for attackers to guess. If you're trying to bruteforce someone's password and…
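The flip side of a published password policy is that an attacker who knows it can discard every candidate the site would never have accepted. The script below is an added example (not from the original post) that expands a few base words with some assumed habits people use to satisfy such rules (capitalising, appending digits, appending a symbol) and then prunes the list against the policy; the base words, the mangling habits and the policy itself are all constructed for the example.

```python
import re

# The policy a target site publishes on its sign-up page (assumed for the example).
POLICY = {
    "min_length": 8,
    "require_upper": True,
    "require_digit": True,
    "require_special": True,
}


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """True if the site would have accepted this password at registration."""
    if len(pw) < policy["min_length"]:
        return False
    if policy["require_upper"] and not re.search(r"[A-Z]", pw):
        return False
    if policy["require_digit"] and not re.search(r"[0-9]", pw):
        return False
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", pw):
        return False
    return True


def mangle(word: str):
    """Assumed human habits for turning a base word into a 'policy-compliant'
    password: optional capital, optional trailing digits, optional symbol."""
    for cap in (word, word.capitalize()):
        for digits in ("", "1", "123", "2021"):
            for sym in ("", "!", "@"):
                yield cap + digits + sym


def prune_wordlist(words, policy: dict = POLICY):
    """Expand each base word with mangle() and keep only the candidates the
    policy would accept. Returns (candidates_generated, candidates_kept)."""
    generated, kept, seen = 0, [], set()
    for word in words:
        for cand in mangle(word):
            if cand in seen:
                continue
            seen.add(cand)
            generated += 1
            if meets_policy(cand, policy):
                kept.append(cand)
    return generated, kept


# Constructed base words, standing in for a real wordlist.
WORDS = ["password", "summer", "welcome"]

if __name__ == "__main__":
    total, kept = prune_wordlist(WORDS)
    print(f"generated {total}, policy allows {len(kept)} ({100 * len(kept) // total}%)")
    print(kept)
```

Here the policy cuts the candidate list to a quarter of its size before a single guess is sent, and it also tells the attacker which transforms are worth prioritising (the ones that add a capital, a digit and a symbol at once). The defence is not to drop the rules but to pair them with rate limiting, lockout or MFA, so that a smaller search space does not translate into a faster break-in.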

Jona

cyber enthusiast
