Thursday, January 01, 2026

Windows Defender Support Logs

I ran across a LinkedIn post the other day that mentioned using Windows Defender Support Logs (actually, I think the post referred to them as "diagnostic" logs). These logs are found in the following folder:

C:\ProgramData\Microsoft\Windows Defender\Support\ 

...and follow the naming convention:

MpWppTracing-YYYYMMDD-HHMMSS-00000003-fffffffeffffffff.bin

The post mentions using strings to parse the files, but I was wondering if there was a parser available, and like Deadpool, I figured I'd go looking...and I found something called mplog_parser. I've had a few opportunities to pull down some of these files from endpoints, but nothing has popped out as being related to the incident in question. 

That's okay, though...I'll keep this one in my kit, and I'll have to give the parser from GitHub a shot.

Grab Bag

This started out as a bit of an end-of-the-year grab bag of posts, but I don't like simply linking to things, dropping links with no explanation as to why; instead, I'd rather share the why behind what I found interesting about the post or article.

And don't worry...I know after 2025, there are folks out there expecting a flaming bag full of dog poop dropped off on their doorstep, but rest assured...this isn't that. 

Anyway, as I was working on this post, it just sort of rolled into 2026, so I'll start off my first post of the year with a grab bag of things I found interesting right there at the end of 2025. 

What's in your Registry?
CloudSEK recently shared this write-up on Silver Fox; what I found most interesting was from "Stage 4 - Valley RAT", "Stage 2". Apparently, Valley RAT maintains configuration information in the following Registry path:

HKCU\Console

In addition, downloaded plugins are stored in the following path:

HKCU\Console\0\d33f351a4aeea5e608853d1a56661059

All of this means that not only can you get a great deal of info, and develop a great deal of intel from the entries themselves, but they're also tied to a specific user account. When creating a timeline, paths like those used by the Valley RAT should really stand out. 
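As an added example (my own code here, not from the CloudSEK write-up), this walks HKCU\Console on a live Windows host, pulls each key's last-write time for the timeline, and flags the 32-hex-character subkey pattern quoted above; the sample data, the assumption that legitimate console settings keys sit one level below HKCU\Console, and the function names are all mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not captured data) of what a walk of HKCU\Console might return
# as (key path, last-write FILETIME, value names); hex subkey from the CloudSEK write-up.
SAMPLE_KEYS = [
    (r"HKCU\Console", 133_800_000_000_000_000, ["ColorTable00", "FontSize"]),
    (r"HKCU\Console\%SystemRoot%_system32_cmd.exe", 133_800_000_100_000_000, ["FaceName"]),
    (r"HKCU\Console\0", 133_801_234_567_890_123, []),
    (r"HKCU\Console\0\d33f351a4aeea5e608853d1a56661059", 133_801_234_600_000_000, ["0", "1"]),
]
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def triage_console_keys(entries):
    """Timeline rows, oldest first, with a reason for keys that look out of place.
    Assumption: legitimate per-window console settings sit one level below
    HKCU\\Console under a window-title or exe-path style name."""
    rows = []
    for path, ft, values in entries:
        parts = path.split("\\")[2:]  # components below HKCU\Console
        reason = ""
        if any(HEX32.match(p) for p in parts):
            reason = "32-hex-char subkey (Valley RAT plugin store pattern)"
        elif len(parts) > 1:
            reason = "nested subkey; console settings are normally flat"
        rows.append({"utc": filetime_to_utc(ft).strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "path": path, "values": len(values), "reason": reason})
    return sorted(rows, key=lambda r: r["utc"])

def enumerate_console_keys():
    """Walk HKCU\\Console on a live Windows host (winreg is Windows-only)."""
    import winreg
    out = []
    def walk(handle, path):
        nsub, nval, last_write = winreg.QueryInfoKey(handle)  # FILETIME int
        names = [winreg.EnumValue(handle, i)[0] for i in range(nval)]
        out.append((path, last_write, names))
        for i in range(nsub):
            name = winreg.EnumKey(handle, i)
            with winreg.OpenKey(handle, name) as sub:
                walk(sub, path + "\\" + name)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Console") as root:
        walk(root, r"HKCU\Console")
    return out
```

On a Windows host, `triage_console_keys(enumerate_console_keys())` gives rows you can drop straight into a timeline; off-host, run it over SAMPLE_KEYS to see which rows get a reason.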

Speaking of Registry and persistence, DeceptIQ shared this write-up on Registry persistence on 27 Dec 2025. As long as I've been working with Windows systems...going back to about 1995, much further if we're talking about "using"...this isn't something that I've ever heard of, nor have I run across anything like this. 

Interestingly enough, the authors didn't just talk about the technique and reference it, but they also linked to a means for creating an NTUSER.MAN file, and even shared how the whole process might look. 

Information Sharing
If you're interested in how shellcode is "used" on Windows systems, Valli-Nayagam Chokkalingam over at Adversary Craft shared this "101" write-up that you might find useful. I can't say that the write-up leads to viable detection methodologies, as ultimately, finding the shellcode amounts to seeing the bytes in Explorer.exe process memory. However, it is a good "101" level write-up for folks to start developing familiarity with the topic. 

A bit of "saving the best for last", but keeping up the "info sharing" theme, Brett shared a look back to the early days of DF/IR, and how it was built on PDFs and coffee. I remember those days, because at one point I was writing some of those PDFs, and reading many others. I was reading a lot of the docs that got shared not only to get the information from them, but also to help develop my writing style so that what I wrote up would be entertaining and useful to others.

One of the thoughts that Brett's post brought to mind is how we consume information has changed over time. Like Brett said, it used to be PDFs, and in some cases, meeting for coffee (or beer/adult beverages). I started blogging in 2004 because at the time, it seemed like a great way to share information, in one easy-to-reach, easy-to-find location. I know that even since then, there have been folks who've been really successful with YouTube channels, some even getting to the point where they're sponsored. Also, training courses, even those that are self-paced and available online, have been available for some time. 

In his book Call Sign Chaos, Mattis said that "our own personal experiences are not enough to sustain us." While this statement was directed at warfighters, it remains true for other endeavors, as well, and in particular, the various aspects of cybersecurity. Mattis talked about reading thousands of books, and even described his own reading to expand his knowledge ahead of a campaign. Brett talked about PDFs as a means of sharing knowledge and experiences. In both cases, it's incumbent upon someone to write, to document their experiences and share that knowledge.