KoreLogic Security
Blog
66 Security Insights and Updates from KoreLogic's Team
Latest Articles
Heads Up. CyberConVA 2026 Lands February 12, 2026 in Richmond, Virginia
CyberConVA 2026 brings together cybersecurity leaders and professionals on February 12th, 2026 at the Museum of Science in Richmond, Virginia.
CyberConVA 2025!
CyberConVA 2025 brings cybersecurity leaders and practitioners to Richmond for sessions on AI red teaming, security program strategy, executive perspectives, and regional networking.
2024: What KoreLogic Has Been Up To
A year-in-review covering KoreLogic work across CMIYC, CyberConVA, penetration testing, AI security research, vulnerability disclosure, ISO 27001 certification, and team growth.
WMkick - MITM MS-RPC, WMI, WinRM to Capture NetNTLMv2 Hashes
WMkick captures NetNTLMv2 hashes from WMI, MS-RPC, and WinRM traffic, extending MITM coverage for protocols not fully handled by tools like Responder.
WePresent... vulnerabilities!
Exploit-chain research showing how unauthenticated vulnerabilities in Barco WePresent WiPG-1600 firmware led to root shell access.
Cellebrite Good Times, Come On: Reverse-Engineering Phone Forensics Tools
How can vulnerabilities in technologies used by our judicial system affect the outcome of cases brought to the courts?
FTimes, KLEL, and File Hooks
A practical FTimes guide to using KLEL and file hooks to run external programs or scripts on matching files during dig, map, or mad stages.
Building FTimes With Lua
A hands-on guide to building FTimes with XMagic and an embedded Lua interpreter so file hooks can perform more complex searches.
FTimes 3.13.0 Released
FTimes 3.13.0 adds Linux BTRFS support, new encoder and decoder routines, and KLEL-based include and exclude filters.
Unpatched Fringe Infrastructure Bits
An internal penetration testing discussion of overlooked fringe infrastructure devices that can remain unpatched and introduce security risk.
Password Audits - Focus on the Admins
A practical argument for periodic password audits, with emphasis on administrator accounts and the risk reduction they can provide.
Building FTimes With Python3
A hands-on guide to building FTimes with XMagic and an embedded Python interpreter so file hooks can perform more complex searches.
Building FTimes With Perl
A hands-on guide to building FTimes with XMagic and an embedded Perl interpreter so file hooks can perform more complex searches.
FTimes 3.12.0 Released
FTimes 3.12.0 collects several years of fixes and enhancements, including depth-limited mapping and digging plus additional encoding and decoding support.
New LibPathWell Release, and an Updated Talk
PathWell 0.7.0 release notes plus an updated talk highlighting new features in the password topology enforcement project.
Virtual Appliance Spelunking
A virtual appliance reversing case study based on Cisco Firepower Management Center research that resulted in multiple CVEs.
Nothing To See Here, Move Along
Vendors often have interesting ways to facilitate support for their appliances. Today, I'll discuss a few ways we have seen it implemented: one that is vulnerable to exploitation and others that aren't so bad.
Cracking Grid - Essential Attributes
A look at KoreLogic password cracking operations and the infrastructure attributes that matter for sustained cracking workloads.
LinkedIn Revisited - Full 2012 Hash Dump Analysis
KoreLogic revisits the full 2012 LinkedIn password hash dump, analyzing the separate email and password lists without linking identities to passwords.
Update on Crack Me If You Can - DEFCON 2016
KoreLogic answers common questions about the DEF CON 2016 Crack Me If You Can password cracking contest.
Hacking an Arris Cablemodem
Part four of KoreLogic firmware research, covering a remote root vulnerability discovered in a popular Arris cable modem.
The importance of access to firmware files
Part three of the firmware series explains why access to usable device firmware matters for IoT security research and vulnerability analysis.
Unplugging An IoT Device From The Cloud
Part two of the firmware series examines Blossom, a cloud-connected smart watering device, and the security implications of IoT cloud dependence.
Q: Can I have your password? A: Yes you can.
Part one of a firmware and embedded device research series, introducing the security themes and device-analysis approach for the posts that follow.
LibPathWell 0.6.3 Released
LibPathWell 0.6.3 release announcement for the PathWell password topology library and PAM module for dynamic password-strength enforcement.
MASTIFF Output Plug-ins
An update on MASTIFF output plug-ins and how they advance the project goal of automated static analysis for submitted files.
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #9 - #11
Walkthrough of the final three Black Hat YARA CTF puzzles, covering puzzle logic and YARA rule analysis.
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #5 - #8
Walkthrough of solving puzzles five through eight from the Black Hat YARA CTF challenge, continuing the earlier puzzle analysis.
How I Solved (Most Of) the Yara CTF Puzzles: Puzzle #1 - #4
Walkthrough of solving the first four logic and YARA-based puzzles from the Black Hat YARA CTF challenge.
LibPathWell 0.6.1 Released
First public release of LibPathWell and its PAM module for dynamic password-strength enforcement using password topology histograms.
Hacking Team Documents Claim BIOS-based Persistence
Analysis of leaked Hacking Team material indicating BIOS-based persistence capabilities in the company's Remote Control System spyware platform.
Giles at Black Hat and in the ISSA Journal
The Giles production rule system compiler (which we described previously) has gotten some good press lately!
MASTIFF Online Updated to Add pyOLEScanner
MASTIFF Online added pyOLEScanner support for Office document analysis, refreshed search controls, and reprocessed existing samples to expose the new plugin results.
The WebJob Framework: An Endpoint Security Solution
Overview of the WebJob framework, a centralized endpoint security system for executing programs across managed systems in production environments.
One Month of MASTIFF Online!
One month after opening MASTIFF Online, KoreLogic released MASTIFF 0.7.1 with bug fixes and new analysis plug-ins.
What Did CCleaner Wipe?
Forensic analysis of CCleaner secure deletion behavior and the artifacts it can leave behind when filenames, file contents, and free space are wiped.
MASTIFF Online Free 1.0.0 Released
MASTIFF Online 1.0.0 introduced a free web interface for uploading files and receiving static analysis results from the MASTIFF framework.
SSD Storage - Ignorance of Technology is No Excuse
A forensic storage discussion on why SSD behavior changes assumptions about long-term preservation of digital evidence.
Windows 2003 Privilege Escalation via tcpip.sys
Discussion of a Windows Server 2003 SP2 TCP/IP driver vulnerability that could allow local privilege escalation from unprivileged access.
Giles 3.0.0 Released
Announcement of the Giles 3.0.0 production rule system compiler release and availability for users of the KoreLogic toolset.
Brain Bleeding JavaScript Obfuscation
A malware-analysis walkthrough showing how heavily obfuscated JavaScript can hide web-based attacks and how analysts can reason through deobfuscation.
Using Windows Resource Language Codes for Attribution
A malware-attribution discussion of Windows resource language codes and how they were interpreted in reporting around the Sony compromise.
VMware: "It's not a vulnerability, mmkkkayyy"
Research on VMware Workstation behavior that allowed members of the __vmware__ group to extract arbitrary sections of kernel memory.
im in ur scm, bein a ninja
A follow-up on source code repository tampering risks and why compromised developer or administrator access can undermine trusted code.
Password Security Research Featured in the Huffington Post
Coverage of Huffington Post reporting on KoreLogic password topology research and the risk of users overusing common password patterns.
Vuln Analysis: Classic write-what-where in XP's BthPan
Vulnerability analysis of a write-what-where flaw in the BthPan.sys Bluetooth driver on 32-bit Windows XP SP3.
CISO's Corner: Password Cracking Best Practices and Myths
A CISO-focused discussion of password cracking risks, breach lessons, authentication assumptions, and practical controls for reducing password exposure.
FTimes 3.11.0 Released
FTimes 3.11.0 adds embedded Python file hook support, introduces the ftimes-bimvl tool, and includes cleanup and bug fixes.
KLogTail 1.2.0 Released
KLogTail 1.2.0 adds bug fixes, clearer warning and error messages for log analysis workflows, a basic man page, and project restructuring.
Repository Tampering: What You Don't Know Can Hurt You
A security scenario showing how compromised developer or sysadmin accounts can be used to tamper with revision control systems and trusted code.
Callback Functions in Malware
KoreLogic analyzes malware downloaders that use API callback functions to redirect execution flow and complicate reverse engineering.
MASTIFF Updates and Git SSL Issue
A MASTIFF development update covering recent repository changes, SSL access notes, and a major change to the analysis plug-in architecture.
Mini-Crack Me If You Can for ISSW 2014
KoreLogic ran a mini Crack Me If You Can password cracking contest for ISSW 2014 attendees, with a gift card prize for participants.
PathWell Topologies
PathWell, a DARPA Cyber Fast Track project, identifies and blocks common passwords by modeling password topologies and learned user behavior.
MASTIFF in KoreLogic Git Repository
KoreLogic moved MASTIFF development into a public Git repository so users can access and clone newer development versions.
ShmooCon Epilogue Prologue: PathWell
Preview of a ShmooCon Epilogue talk on PathWell, KoreLogic password topology research, and dynamic password-strength enforcement.
Converting IDA PAT to Yara Signatures
A technique for converting IDA pattern files into YARA signatures to help identify library code in stripped, statically linked Linux malware.
MASTIFF on Mac OS X
A walkthrough of running MASTIFF on Mac OS X and the portability considerations behind its Python-based design.
CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints
We've just published details about the Crack Me If You Can 2013 encrypted file challenges: the passphrase for each encrypted file, and the hints that are included in each one.
Mini-Password Cracking Challenge for LOLBitCoin Party
A mini DEF CON password cracking challenge built around a small NTLM hash list and the story behind its significance.
CMIYC 2013 Post-game
A post-game introduction to KoreLogic coverage of the 2013 Crack Me If You Can password cracking contest and follow-up analysis.
Submerging a GPU Cluster in Mineral Oil
KoreLogic consultants describe submerging a GPU cracking system in mineral oil and running it continuously for password research workloads.
Crack Me If You Can 2013 Is On!
Announcement that KoreLogic would bring the Crack Me If You Can password cracking contest back for DEF CON 21.
MASTIFF 0.6.0 Released
MASTIFF 0.6.0 release announcement for KoreLogic static analysis users, with updated project files and release materials.
FTimes 3.10.0 Released
FTimes 3.10.0 adds updated file hook support, introduces KLEL-based XMagic, fixes bugs, and raises the minimum required libklel version.
KLEL 1.1.0 Released
KLEL 1.1.0 release announcement for KoreLogic Expression Language users, with updates to the language and supporting documentation.