Tony Lambert

Recovering sysadmin that now chases adversaries instead of uptime. Sr Malware Analyst @redcanary
Blog: https://forensicitguy.github.io
Twitter: https://twitter.com/ForensicITGuy
Github: https://github.com/ForensicITGuy
Do you miss @cobaltstrikebot? If so, here's a blog post showing how you can pull Cobalt Strike SpawnTo and watermark info with Shodan and some PowerShell: https://forensicitguy.github.io/squeezing-cobalt-strike-intel-from-shodan/
Squeezing Cobalt Strike Threat Intelligence from Shodan

One of my favorite Twitter accounts from the last several years was @cobaltstrikebot, mainly because it was an awesome source of threat intelligence for Cobalt Strike beacons in the wild. The account went dark in June 2023, but its tweets are still around.

Tony Lambert

A fun yearly endeavor for me is contributing to the Red Canary Threat Detection Report, and the 2025 edition is out today! distilled into one report!

Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
https://redcanary.com/threat-detection-report/

Welcome to the Red Canary Threat Detection Report

Our Threat Detection Report takes a close look at the top techniques, threats, and trends to help security teams focus on what matters most.

Red Canary

New blog post: not about CrowdStrike, but about tearing into a JPHP-based loader https://forensicitguy.github.io/decompiling-jphp-loader-binwalk-cfr/

#Malware

Decompiling a JPHP Loader with binwalk and cfr

It’s not unusual for adversaries to explore new and unusual ways to implement loader malware, and lately I’ve been looking at JPHP-based loader malware. This kind of loader doesn’t get a lot of attention from antimalware providers, likely because of its nature as a weird hybrid language. In this post, I dive into unpacking the loader (which I suspect is “d3f@ck” loader) and statically decompiling it. If you want to follow along, I’m working with this sample in MalwareBazaar: https://bazaar.abuse.ch/sample/94edf5396599aaa9fca9c1a6ca5d706c130ff1105f7bd1acff83aff8ad513164/.

Tony Lambert
New blog post! In this one I look at a Java-based dropper for Pikabot that TA577 used in mid-February 2024.
https://forensicitguy.github.io/dissecting-java-pikabot-dropper/
#malware #pikabot #ta577
Dissecting a Java Pikabot Dropper

Tony’s blog about malware analysis and other security topics

Tony Lambert

New blog post! Building on my last post about malware distro via VHD, I walk through creating a simple timeline of the VHD with Plaso to show how you can get more data for intelligence. https://forensicitguy.github.io/timelining-malware-vhd-intelligence/

#malware #plaso

Timelining a Malicious VHD for More Intelligence

In a previous blog post I mentioned how adversaries using VHD files to distribute malware can leave around a lot more data than they intend, including identifiable data for tracking. In this post I want to break out the best friend everyone made during SANS FOR508, Plaso, so I can process the filesystem data for a malicious VHD and illustrate how we can establish a timeline of operations for the adversary. Just like last time, the sample I’m working with is here in MalwareBazaar: https://bazaar.abuse.ch/sample/72ba4bd27c5d95912ac5e572849f0aaf56c5873e03f5596cb82e56ac879e3614/.

Tony Lambert
@MegaMichelle It's so slick and I love how simple it makes things

Do you want to learn a little about infostealer malware, how it works, and which families Red Canary sees most often? Because that's exactly what I'll cover in the next Threat Detection Series webinar on August 2! Come on in and get your seat here: https://redcanary.com/resources/webinars/grand-theft-creds-malware/?utm_source=speaker&utm_medium=referral&utm_campaign=grand-theft-creds-webinar

#malware #infostealer

[Webinar] Grand Theft Creds: Info-stealing malware edition

Join this webinar to learn about capabilities of common stealers, how to detect the malware, and how to respond. Register today!

Red Canary

New blog post! I love when adversaries use VHD files to distribute malware because VHDs can potentially contain a lot more data than the adversary intends to distribute. To see what I mean, check out this post: https://forensicitguy.github.io/vhd-malware-an-excellent-choice/

#malware #vhd

Malware via VHD Files, an Excellent Choice

Adversaries use lots of different file formats to distribute malware, and one of my favorites has to be Virtual Hard Disk (VHD) files. You may have seen VHD files used with virtualization solutions like VirtualBox, Hyper-V, VMware, etc., but you can also use VHD file containers as portable storage files in a similar manner to ISOs. There are just a few catches, though: you have to be much more careful when working with VHD files to avoid leaving additional evidence that can be used for tracking. That’s why I love this file format: sloppy adversaries leave me more data to use for intelligence.

Tony Lambert

I’m excited to launch our latest online course, YARA for Security Analysts.

We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intelligence research.

In the course, you’ll learn how to use YARA to detect malware, triage compromised systems, and collect threat intelligence. No prior YARA experience is required.

You can learn all about the course and register here: https://www.networkdefense.co/courses/yara/.

It's discounted right now for launch.

#Yara #DetectionEngineering #DFIR #Malware #Infosec

YARA for Security Analysts — Applied Network Defense

Applied Network Defense
New blog post! In this one I take a quick look at how you can use YARA to quickly do things like generating hashes and possibly replace some initial triage tools. #yara https://forensicitguy.github.io/faster-malware-triage-yara
Faster Malware Triage with YARA

As folks get into malware analysis they naturally develop their own personal style of triage process based on data that is usually important to them. For example, I go through a process to determine what kind of file I have in front of me and what identifying hashes come from that file that I can use in services like VirusTotal and MalwareBazaar to find details about the sample or similar ones. Once you do this enough, you’ll get a little unhappy with having to visit all the different tools that generate this output and want to consolidate your triage process down to a minimum number of tools. I revisit this stage periodically and think of ways I can get details using things like Python scripts. Today, I want to introduce you to a fast way to perform some triage using YARA.
