{"id":7046,"date":"2014-10-04T13:33:57","date_gmt":"2014-10-04T13:33:57","guid":{"rendered":"http:\/\/www.bsk-consulting.de\/?p=1006"},"modified":"2022-10-04T15:53:00","modified_gmt":"2022-10-04T13:53:00","slug":"smart-dll-execution-malware-analysis-sandbox-systems","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/","title":{"rendered":"Smart DLL execution for Malware Analysis in Sandbox Systems"},"content":{"rendered":"<p>While analysing several suspicious DLL files I noticed that some of these files (which were obviously malicious) didn&#8217;t perform their malicious activity unless a certain function was triggered. 
The malware used a registry entry to execute a certain function exported by the DLL, called &#8220;InstallM&#8221;. I had to run &#8220;rundll32.exe malware.dll,InstallM&#8221; to trigger the malicious activity.<br \/>\nIn order to automate the process of A) analyzing the exported functions and B) running the various DLL functions, I created a script called &#8220;DLLRunner&#8221;. What it does is rather simple:<\/p>\n<ol>\n<li>First, it uses the Python module pefile to parse the PE file and retrieve a list of all exported functions with name and ordinal.<\/li>\n<li>Second, it executes the various exported functions by name or ordinal.<\/li>\n<li>Third, it passes a set of parameters to each function in order to satisfy argument requirements and trigger any activity (simple &#8220;fuzzing&#8221;).<\/li>\n<\/ol>\n<p>This is what it does:<\/p>\n<pre>\nrundll32.exe path\/to\/file.dll,exportedfunc1\nrundll32.exe path\/to\/file.dll,exportedfunc2\nrundll32.exe path\/to\/file.dll,exportedfunc3\n<\/pre>\n<p>The simple fuzzing mode looks like this:<\/p>\n<pre>\nrundll32.exe path\/to\/file.dll,exportedfunc1 \"0\"\nrundll32.exe path\/to\/file.dll,exportedfunc1 \"1\"\nrundll32.exe path\/to\/file.dll,exportedfunc1 \"http:\/\/evil.local\"\nrundll32.exe path\/to\/file.dll,exportedfunc1 \"Install\"\n...\n<\/pre>\n<h2>Examples<\/h2>\n<p>I tested the script on &#8220;url.dll&#8221;, which is typically located in the system32 folder.<\/p>\n<pre>\npython dllrunner.py -f C:\\Testing\\url.dll --debug\n<\/pre>\n<div id=\"attachment_1007\" style=\"width: 594px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1007\" class=\"wp-image-1007 size-full\" src=\"\/wp-content\/uploads\/2014\/10\/ishot-141003-091550.png\" alt=\"Run DLL in Sandbox\" width=\"584\" height=\"301\" \/><p id=\"caption-attachment-1007\" class=\"wp-caption-text\">DLLRunner executing all exported functions<\/p><\/div>\n<p>It caused the functions &#8220;TelnetProtocolHandler&#8221; and &#8220;TelnetProtocolHandlerA&#8221; to pop a telnet shell.<\/p>\n<div id=\"attachment_1008\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1008\" class=\"size-large wp-image-1008\" src=\"\/wp-content\/uploads\/2014\/10\/ishot-141003-091608.png\" alt=\"DLL in Sandbox\" width=\"620\" height=\"412\" \/><p id=\"caption-attachment-1008\" class=\"wp-caption-text\">DLLRunner popping telnet windows via exported function\u00a0&#8220;TelnetProtocolHandler&#8221;<\/p><\/div>\n<p>If you pass &#8220;--fuzz&#8221;, DLLRunner will pass several parameters to each function. This caused a function in &#8220;url.dll&#8221; to open browser windows with the fuzz parameter &#8220;http:\/\/evil.local&#8221;.<\/p>\n<pre>\npython dllrunner.py -f C:\\Testing\\url.dll --debug --fuzz\n<\/pre>\n<div id=\"attachment_1012\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1012\" class=\"size-large wp-image-1012\" src=\"\/wp-content\/uploads\/2014\/10\/ishot-141004-154557.png\" alt=\"DLLRunner in Fuzzing\" width=\"620\" height=\"452\" \/><p id=\"caption-attachment-1012\" class=\"wp-caption-text\">Running DLLRunner in Fuzzing mode<\/p><\/div>\n<p>I am still not sure if this is something useful. I have to do further testing to improve the fuzzing idea. 
I am open to any advice and would like to see something like this integrated in common sandboxes like Cuckoo.<\/p>\n<h2>Download<\/h2>\n<p><a title=\"DLL Execution in Sandbox Systems\" href=\"https:\/\/github.com\/Neo23x0\/DLLRunner\" target=\"_blank\" rel=\"noopener noreferrer\">DLLRunner on GitHub<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[255,264],"tags":[90,475,476,477,478,124,479,480,481,217,482,173],"class_list":["post-7046","post","type-post","status-publish","format-standard","hentry","category-command-line","category-tool","tag-analysis","tag-dll","tag-execution","tag-exported","tag-functions","tag-malware","tag-ordinal","tag-rundll32","tag-rundll32-exe","tag-sandbox","tag-smart","tag-system"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Smart DLL execution for Malware Analysis in Sandbox Systems - Nextron Systems<\/title>\n<meta name=\"description\" content=\"Smart DLL execution for Malware Analysis in Sandbox Systems\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Smart DLL execution for Malware Analysis in Sandbox 
Systems\",\"datePublished\":\"2014-10-04T13:33:57+00:00\",\"dateModified\":\"2022-10-04T13:53:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/\"},\"wordCount\":439,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"analysis\",\"dll\",\"execution\",\"exported\",\"functions\",\"malware\",\"ordinal\",\"rundll32\",\"rundll32.exe\",\"sandbox\",\"smart\",\"system\"],\"articleSection\":[\"Command Line\",\"Tool\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/\",\"name\":\"Smart DLL execution for Malware Analysis in Sandbox Systems - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2014-10-04T13:33:57+00:00\",\"dateModified\":\"2022-10-04T13:53:00+00:00\",\"description\":\"Smart DLL execution for Malware Analysis in Sandbox Systems\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect 
Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. 
He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Smart DLL execution for Malware Analysis in Sandbox Systems - Nextron Systems","description":"Smart DLL execution for Malware Analysis in Sandbox Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Smart DLL execution for Malware Analysis in Sandbox Systems","datePublished":"2014-10-04T13:33:57+00:00","dateModified":"2022-10-04T13:53:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/"},"wordCount":439,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["analysis","dll","execution","exported","functions","malware","ordinal","rundll32","rundll32.exe","sandbox","smart","system"],"articleSection":["Command 
Line","Tool"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/","url":"https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/","name":"Smart DLL execution for Malware Analysis in Sandbox Systems - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2014-10-04T13:33:57+00:00","dateModified":"2022-10-04T13:53:00+00:00","description":"Smart DLL execution for Malware Analysis in Sandbox Systems","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2014\/10\/04\/smart-dll-execution-malware-analysis-sandbox-systems\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems 
GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. 
Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=7046"}],"version-history":[{"count":4,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7046\/revisions"}],"predecessor-version":[{"id":14661,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7046\/revisions\/14661"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=7046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=7046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=7046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}