Sign in

The article aims to provide the fundamentals of Kusto query language to search for complex data patterns as well as generate complicated analytics in the Azure cloud.

As a cybersecurity analyst, Splunk is one of the most important tools for my daily tasks. Automatically over years, I become comfortable with Splunk SPL (Search Processing Language). However, I have always been opening myself for Splunk SPL alternatives or a better query language. With cloud popularity, I have recently participated in Azure training on Azure Sentinel and the Kusto query language, which offers at least (if not more) the capabilities available in…


Shellcode is a sequence of machine code that is commonly abused to execute malicious codes after vulnerability exploitation, download the next payload, or beacon back to its C2 server. This article presents various techniques and tools to analyze Windows shellcode. It contains are 3 main parts:

  • Shellcode Introduction
  • Dynamic Analysis via Emulation and Real Execution
  • Code Analysis via Debugging and Static Analysis

Shellcode Introduction

Shellcode is a sequence of hex-value CPU instructions that can be interpreted and executed directly by the CPU. Below is an example of a 32-bit shellcode:

56 64 a1 30 00 00 00 8b 40 0c 8b 70…

Threat hunting (TH) is a new trend in cybersecurity when companies, from small to large spending from few thousands to millions, soon realize that their detection system containing all expensive tools (such as AV, IDS/IPS, Firewall, EDR, SIEM, etc.) can’t detect all intrusions. They need a specialized squad to patrol the environment and hunt for abnormal events.

eLearnSecurity is one of the first training providers offering a specialized course for threat hunting, namely Threat Hunting Profession (THP), and the associated certificate eCTHPv2.
P/S: If you are interested in becoming a threat hunter, penetration testing skills are certainly vital. …


VBA is one of the most common attack vectors against MS office; hence, adversaries have been finding ways to evade Anti-virus, forensic tools and even static analysis. In this article, I cover two interesting approaches, namely VBA Stomping and VBA Purging.

P/S: for details of MS document analysis, please refer to my previous article “Malicious Microsoft Office Document Analysis and Analyze a Cobalt Sample

The article contains three parts as below:

  • VBA Hierarchy Explanation
  • VBA Stomping
  • VBA Purging

VBA Hierarchy Explanation

Microsoft provides rich details about VBA storage in its documentation page . …


This article provides instructions to build a safe environment that you can use to learn the behavior of a malware sample. The article contains 2 parts as below:

  • Malware lab: provides guides to build a safe and isolated environment to analyze Windows malware.
  • Behavioral analysis: introduces steps to records traces/footprints left by a running malware sample. From the recorded data such as PCAP, process monitor (ProcMon) logs, DNS queries, web proxies requests, and registry changes, you can learn the behaviors of the examined malware.

Malware Lab

The lab can be built via a hypervisor such as VMware or VirtualBox on…


mpeepdf is a modified version of a powerful Python tool — peepdf to analyze PDF documents. The ultimate goal of mpeepdf is to provide a unique, all-you-need framework for security researchers and analysts to investigate a PDF file.

When analyzing a PDF document, there are multiple options in the toolkit like pdf-id, pdf-parser, pdfwalker (to view PDF structures via GUI), and especially peepdf which is just a great, all-in-one tool to analyze PDF. Thumbs up to the author — Jose Miguel Esparza. However, there are still some features that I want to add to peepdf. …


In the previous article, I have provided an introduction to PDF forensics, which explains PDF structure and introduces some important object types to examine.

Javascript (JS) is a common attack vector. Furthermore, it can be highly obfuscated, which makes it quite “interesting” to analyze. Hence, this article presents more details of JS analysis.

In general, there are two approaches:

  • Approach 1 — Code analysis: Go through and understand the script This approach is quite time-consuming but is usually helpful to deal with a sophisticated and/or new way of Javascript obfuscation.
  • Approach 2 — Behaviour analysis: Focus only on interesting functions…

This article is a quick overview of the Penetration Testing Professional (PTP) course and the eCPPTv2 exam by eLearnSecurity. Its purpose is to provide some insight into this penetration testing course and my sharing about the exam

It contains 3 sections as below:

  • Why do I choose PTP?
  • Overview of PTP course
  • eCPPTv2 exam and my walkthrough

Why do I choose PTP?

As an incident responder, I start to be interested in knowing more about my enemies. Specifically, I want to understand my adversaries’ thought process and what they need to do to achieve their goals. …


The article aims to share some insights into analyzing malicious Microsoft Office files. It contains 3 parts as below:

  • Microsoft Office Document Analysis: provides an overview of Office file formats and tools to analyze.
  • Macro (VBA — Visual Basic for Application) Analysis: presents some tips to analyze and debug Macros.
  • Analyze a Cobalt sample: applies knowledge shared above to deal with a real sample.

Microsoft Office Document Analysis

Prior to Microsoft Office 2007, Microsoft Office files are under a legacy format, namely OLE2, which is a compound file technology (for example, *.doc, *.xls and *.ppt).

Starting from Office 2007, Microsoft uses the XML-based file…


While Windows forensics is widely covered via a number of courses and articles, there are fewer resources introducing to the Linux Forensics world. I have recently had an opportunity to handle a Linux-based case. Hence, the article aims to share some useful artifacts which can be used as a checklist to assist a Linux forensics case and as a lead to further investigation.

OS forensics is the art of finding evidence/artifacts left by systems, apps and users’ activities to answer a specific question. Windows Forensics is well researched, in which there are multiple places for evidence (some of them are…

Tho Le

Senior Cyber Security Analyst — For the secure world

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store