Skip to content
Microsoft Secure

Taking apart a double zero-day sample discovered in joint hunt with ESET

In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher Anton Cherepanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF....

Read more

Now you see me: Exposing fileless malware

  (Note: For a comprehensive categorization of fileless malware and a complete list of Microsoft technologies that can protect against these elusive threats, read the latest blog post: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV)   What exactly is fileless? Read latest blog post: Out of sight but...

Read more

Detecting reflective DLL loading with Windows Defender ATP

Today’s attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic...

Read more