The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Be inquisitive: a Thread by @cyb3rops on Thread Reader App – The act of hiding is often more suspicious than what’s being hidden.

Posted by jpluimers on 2025/11/19

[Wayback/Archive] Thread by @cyb3rops on Thread Reader App – Thread Reader App

If your agent gets flooded – detect the flooding.
If code gets obfuscated – detect the obfuscation.
If ETW gets silenced – detect the silence.
If the EDR gets killed – detect the killing.
If logs get cleared – detect the clearing.

The act of hiding is often more suspicious than what’s being hidden.

It’s like a surveillance camera going black or freezing.
That is the signal.
I’ve been doing this successfully for years.

I detect obfuscated crap all the time.
People ask, “What is it?”
I say, “No fucking clue. Could be:
– a Themida-packed sample with a Microsoft copyright,
– a UPX-packed ELF with a 1-char filename,
– a PowerShell script that looks like static noise, or
– a fake svchost.exe with no Microsoft copyright.”

I don’t need to know what it is.
It’s obviously shady.
That’s enough to detect it – and deal with it.
There’s a Chinese saying that fits perfectly: 欲蓋彌彰
The more you try to hide it, the more obvious it becomes.

--jeroen
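The thread's point, that the act of hiding is itself the signal, can be turned directly into detection logic. Below is an added example, not code from @cyb3rops's thread or from this blog: a small Python detector that looks for the acts of hiding the thread lists (logs cleared, Sysmon telemetry reconfigured, script blocks that look like static noise, an svchost.exe without Microsoft's copyright in the wrong place) and a heartbeat check for agents that go dark. The channel names and event IDs (Security 1102, System 104, Sysmon 1 and 16, PowerShell 4104) are real; the host names, thresholds, record layout and sample events are constructed assumptions.

```python
"""Detecting the act of hiding rather than what is hidden.

Added example, not code from the thread or this blog.  The event records
below are constructed dicts that mimic a few fields of Windows Security,
Sysmon and PowerShell script-block events; the channel names and event IDs
are real, the hosts, thresholds and sample values are assumptions."""
import base64
import math
import re
from collections import Counter
from datetime import datetime, timedelta

SECURITY = "Security"
SYSTEM = "System"
SYSMON = "Microsoft-Windows-Sysmon/Operational"
POWERSHELL = "Microsoft-Windows-PowerShell/Operational"

# Security 1102: "The audit log was cleared"; System 104: an event log file was cleared.
LOG_CLEAR_EVENTS = {(SECURITY, 1102), (SYSTEM, 104)}
SYSMON_CONFIG_CHANGE = (SYSMON, 16)      # Sysmon configuration state changed
SYSMON_PROCESS_CREATE = (SYSMON, 1)      # Sysmon process creation
SCRIPT_BLOCK = (POWERSHELL, 4104)        # PowerShell script block logging
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
ENTROPY_THRESHOLD = 5.2  # bits/char (assumed): readable script text stays below, base64 runs near 6


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the text."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_obfuscated(script: str) -> bool:
    """'Looks like static noise': a long base64 blob or high character entropy."""
    return bool(BASE64_BLOB.search(script)) or shannon_entropy(script) > ENTROPY_THRESHOLD


def masquerading_svchost(ev: dict) -> bool:
    """A genuine svchost.exe lives in System32 and carries Microsoft's company string."""
    image = ev.get("Image", "").lower()
    if not image.endswith("\\svchost.exe"):
        return False
    in_system32 = image.startswith("c:\\windows\\system32\\")
    return not in_system32 or ev.get("Company") != "Microsoft Corporation"


def hiding_findings(events: list[dict]) -> list[str]:
    """One finding per event that is an act of hiding, in event order."""
    findings = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        host = ev.get("Host", "?")
        if key in LOG_CLEAR_EVENTS:
            findings.append(f"log cleared: {ev['Channel']} on {host}")
        elif key == SYSMON_CONFIG_CHANGE:
            findings.append(f"sysmon config changed on {host}")
        elif key == SCRIPT_BLOCK and looks_obfuscated(ev.get("ScriptBlockText", "")):
            findings.append(f"obfuscated script block on {host}")
        elif key == SYSMON_PROCESS_CREATE and masquerading_svchost(ev):
            findings.append(f"svchost masquerade: {ev['Image']} on {host}")
    return findings


def silent_hosts(last_seen: dict[str, datetime], now: datetime, max_gap: timedelta) -> list[str]:
    """The camera going black: hosts whose agent has not reported within max_gap."""
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


# Constructed sample telemetry (not real events).
NOISE = base64.b64encode(bytes(range(256))).decode()  # a 344-character base64 run
SAMPLE_EVENTS = [
    {"Host": "ws01", "Channel": SECURITY, "EventID": 4624},          # ordinary logon, ignored
    {"Host": "ws01", "Channel": SECURITY, "EventID": 1102},          # audit log cleared
    {"Host": "ws02", "Channel": SYSMON, "EventID": 16},              # Sysmon config changed
    {"Host": "ws03", "Channel": POWERSHELL, "EventID": 4104,         # readable admin one-liner
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending"},
    {"Host": "ws03", "Channel": POWERSHELL, "EventID": 4104,         # static noise
     "ScriptBlockText": "$p=[Convert]::FromBase64String('" + NOISE + "')"},
    {"Host": "ws04", "Channel": SYSMON, "EventID": 1,                # the real thing
     "Image": r"C:\Windows\System32\svchost.exe", "Company": "Microsoft Corporation"},
    {"Host": "ws04", "Channel": SYSMON, "EventID": 1,                # wrong path, no Microsoft copyright
     "Image": r"C:\Users\Public\svchost.exe", "Company": ""},
]


def demo_silent_hosts() -> list[str]:
    """Constructed heartbeat table: ws02 has been dark for three hours."""
    now = datetime(2025, 11, 19, 12, 0, 0)
    last_seen = {"ws01": now - timedelta(minutes=2),
                 "ws02": now - timedelta(hours=3),
                 "ws03": now - timedelta(minutes=1)}
    return silent_hosts(last_seen, now, timedelta(minutes=15))


if __name__ == "__main__":
    for line in hiding_findings(SAMPLE_EVENTS):
        print(line)
    print("silent:", demo_silent_hosts())
```

Running the file prints one line per act of hiding and the list of silent hosts. None of the checks needs to know what the hidden thing is: a cleared log, a reconfigured sensor, a script block with no readable structure, a system binary in the wrong place, or a host that simply stopped talking are each enough to raise a finding. The entropy threshold and the 100-character base64 cut-off are tuning knobs; in production the svchost check should key on signature verification rather than on the Company string alone.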
