Forensic Blogs

An aggregator for digital forensics blogs

by

Using CveEventWrite From VBA (CVE-2020-0601)

Microsoft’s patch for CVE-2020-0601 introduces a call to CveEventWrite in CryptoAPI when a faked certificate is detected.

This will write a Windows event entry in the Application event log.

For all of you out there in restricted corporate environments who need to test the processing of this event log entry, I wrote some VBA code to generate this event. The generated event will mimic a CVE-2020-0601 warning to some extent (didn’t bother getting para and otherPara right).

Copy the VBA code below in an Office application that supports VBA, like Word, and run the code. Then check your Application event log.

Option Explicit 'VBA7 Declare PtrSafe Sub CveEventWrite Lib "advapi32" (ByVal CveId As String, ByVal AdditionalDetails As String) Sub TestCveEventWrite() Dim strCveId As String Dim strAdditionalDetails As String strCveId = "[CVE-2020-0601] cert validation" strAdditionalDetails = "CA: <@DidierStevens> sha1: 7A036FBBDBF7F29A3821A8087CE177E60927A6F3 para: something otherPara: something" CveEventWrite StrConv(strCveId, vbUnicode), StrConv(strAdditionalDetails, vbUnicode) End Sub

 

by

Analysis Of Unusual ZIP Files

Intrigued by a blog post from SpiderLabs on a special ZIP file they found, I took a closer look myself.

That special ZIP file is a concatenation of 2 ZIP files, the first containing a single PNG file (with extension .jpg) and the second a single EXE file (malware). Various archive managers and security products handle this file differently, some “seeing” only the PNG file, others only the EXE file.

My zipdump.py tool reports the following for this special ZIP file:

zipdump.py is essentially a wrapper for Python’s zipfile module, and this module parses ZIP files “starting from the end of the file”. That’s why it finds the second ZIP file (appended to the first ZIP file), containing the malicious EXE file.

To help with the analysis of such special/malformed ZIP files, I added an option (-f –find) to zipdump. This option scans the content of the provided file looking for ZIP records. ZIP records start with ASCII string PK followed by 2 bytes to indicate the record type (byte values less than 16).

Here I use option “-f list” to list all PK records found in a ZIP file containing a single text file:

This is how a normal ZIP file containing a single file looks on the inside.

The file starts with a “local file header”, a PK record that starts with ASCII characters PK followed by bytes 0x03 and 0x04 (that’s 50 4B 03 04 in hexadecimal). In zipdump’s report, such a PK record is identified with PK0304. This header is followed by the contained file (usually compressed).

Then there is a “central directory header”, a PK record that starts with ASCII characters PK followed by bytes 0x01 and 0x02 (that’s 50 4B 01 02 in hexadecimal). In zipdump’s report, such a PK record is identified with PK0102. This header contains an offset pointing to the corresponding PK0304 record.

And at the end of the ZIP file, there is a “end of central directory”, a PK record that starts with ASCII characters PK followed by bytes 0x05 and 0x06 (that’s 50 4B 05 06 in hexadecimal). In zipdump’s report, such a PK record is identified with PK0506. This header contains an offset pointing to the first PK0102 record.

A ZIP file containing 2 files looks like this, when scanned with zipdump’s option -f list:

Starting with 2 PK0304 records (one for each contained file), followed by 2 PK0102 records, and 1 PK0506 record.

Armed with this knowledge, we take a look at our malicious ZIP file:

We see 2 PK0506 records, and this is unusual.

We see the following sequence of records twice: PK0304, PK0102, PK0506.

From our previous examples, we can now understand that this sample contains 2 ZIP files.

Remark that zipdump assigned an index to both PK0506 records: 1 and 2. This index can be used to select one of the 2 ZIP files for further analysis. Like in this example, where I select the first ZIP file:

Using option “-f 1” (in stead of “-f list”) selects the first ZIP file in the provide sample, and lists its content.

It can then be further analyzed with zipdump like usual, for example, selecting the first file (order.jpg) inside the first ZIP file for an hex/ascii dump:

Likewise, “-f 2” will select the second ZIP file found inside the sample:

-f is a new option that I added for special/malformed ZIP files, but this is a work in progress, as there are many ways to malform ZIP files.

For example, I created a PoC malformed ZIP file that contains a single file, with reversed PK record order. Here is the output for the normal and “reversed” zip files (malformed, e.g. PK records order reversed):

This file can be opened with Windows Explorer, but there are tools and libraries than can not handle it. Like Python’s zipfile module:

I will further develop zipdump to handle malformed ZIP files as best as possible.

The current version (zipdump 0.0.16) is just a start:

it parses only 3 PK record types (PK0304, PK0102 and PK0506), other types are ignored it does minimal parsing of these records: for example, there is no parsing/checking of offsets in this version

And finally, I also created a video showing how to use this new feature:

by

Overview of Content Published in the 2010s

Here is an overview of content I published in the 2010s:

Blog posts:

The Undeletable SafeBoot Key New Format for UserAssist Registry Keys Adobe Reader JavaScript Blacklist Framework Quickpost: New Versions of PDFiD and pdf-parser Update: XORSearch Version 1.6.0 Quickpost: PDF Header %!PS-Adobe-N.n PDF-M.m Quickpost: Shellcode to Load a DLL From Memory Quickpost: Quasi-Tautologies & SQL-Injection cmd.dll Excel with cmd.dll & regedit.dll MemoryLoadLibrary: From C Program to Shellcode Ping Shellcode Quickpost: NetworkMashup.xls PDF Info Stealer PoC Frisky Solitaire – Another Info Stealer Tweet Shellcode Escape From PDF “Escape From Foxit Reader” Update: Escape From PDF .NET Shellcode Update: PDFiD Version 0.0.11 to Detect /Launch Writing WIN32 Shellcode With a C-compiler Quickpost: More Malformed PDFs A Win7 Puzzle… Solving the Win7 Puzzle Quickpost: No Escape From PDF Quickpost: Preventing the /Launch Action “cmd.exe” Bypass The Hex Factor RE Challenge Mitigating .LNK Exploitation With Ariad Mitigating .LNK Exploitation With SRP Quickpost: 2 .LNK Tools Quickpost: .LNK Template Update Quickpost: Ariad & DLL Preloading PDFTemplate Integrity Levels and DLL Injection RunInsideLimitedJob Free Malicious PDF Analysis E-book LowerMyRights PDF, DEP, ASLR and Integrity Levels setdllcharacteristics Update: LoadDLLViaAppInit Quickpost: Adding Certificates to the Certificate Store EnforcePermanentDEP Password Auditing With a Password Filter Quickpost: Adobe Reader X Runasil HeapLocker HeapLocker: Private Memory Usage Monitoring HeapLocker: NOP Sled Detection Quickpost: “It Does No Harm…” or Does It? Quickpost: Checking ASLR Circumventing SRP and AppLocker, By Design Circumventing SRP and AppLocker to Create a New Process, By Design TaskManager.xls Update: WhoAmI? Version 0.1.5 HeapLocker: String Detection Update: TaskManager.xls Version 0.0.3 DumpStrings.1sc HeapLocker: Null Page Allocation Windows Security Center: Under the Hood LockIfNotHot Signed Spreadsheet with cmd.dll & regedit.dll Suspender.dll BackTrack 5 Includes PDFiD and pdf-parser Another PDF Puzzle Malicious PDF Analysis Workshop Screencasts Update: vs.py EMET Article Quickpost: Need a PoC to Test Your Security Setup? Not Necessarily… Integrating My CCTV DVR And Alarm System Teensy PDF Dropper Part 1 Quickpost: Blocking and Detecting a Teensy Dropper My Home Surveillance System My Home Surveillance System: Some Details Force “ASLR” on Shell Extensions So How Good is Pseudo-ASLR? Quickpost: CCTV Over UTP Bottom Up Randomization Saves Mandatory ASLR DEP Enforcing Shellcode Quickpost: create-remote-thread.py simple-shellcode-generator.py Add Bottom Up Randomization To (Your Own) Source Code The Matryoshka Router Update: USBVirusScan 1.7.4 TaskManager Runs on 64-bit Excel Quickpost: Some Windows 8 Observations HeapLocker: Preventing Heapsprays LoadDLLViaAppInit 64-bit RunInsideLimitedJob 64-bit HeapLocker 64-bit Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag Ariad 64-bit White Hat Shellcode Workshop: Enforcing Permanent DEP Hotfix For SRP/AppLocker Bypass Signed TaskManager LoadDLLViaAppInit with FORCE_INTEGRITY FORCE_INTEGRITY With DLLs Happy New Router Calculating a SSH Fingerprint From a (Cisco) Public Key Identifying IOS Analyzing IOS Core Dumps (SOPA-style) IOS: Let Me Truncate That Password For You… x64 Windows Shellcode Quickpost: Disassociating the Key From a TrueCrypt System Disk Article: White Hat Shellcode Peeking at NAFT Teensy PDF Dropper Part 2 Update: TaskManager.xls V0.1.2 NAFT Release Update: PDFid And pdf-parser Update: SE_ASLR Version 0.0.0.2 InteractiveSieve Update: TaskManager.xls V0.1.3 Killer Shellcode Why Isn’t my PoC Launching calc.exe? ExitProcess Shellcode Searching With VirusTotal Update: virustotal-search Flame: Before and After KB2718704 Flame Authenticode Dumps (KB2718704) Update: vs.py Version 0.5 _nomap, _nomap, _nomap, … Entropy.1sc Nmap McAfee ePO Agent Script InstalledPrograms.xls UserAssist Windows 2000 Thru Windows 8 My BlueHat Prize Entry: CounterHeapSpray Prefetch File 010 Template Video: Hardening Windows processes Update: InstalledPrograms.xls V0.0.2 Update: USBVirusScan 1.7.5 Update: InteractiveSieve 0.7.6 Update & Split: TaskManager.xls Version 0.1.4 New Authenticode Tools Didier Stevens Labs – Brucon 2012 Searching For That Adobe Cert Hack.lu 2012 XORSearch Video Workshops and Promo “Please Buy Our Competitor’s Products” XORSearch for OSX Quickpost: Spiders and CCTV Update: AnalyzePESig Version 0.0.0.2 Nmap 6.25 With McAfee ePO Agent Script Authenticode Tools Page ListModules V0.0.0.1 Crossbreeding Spiders: Baiduspider And Googlebot MVP – Promo – Datapipe.xls ISSA Journal Article ; HITB PDF Training Quickpost: TeamViewer and Proxies Update XORSearch V1.8.0: Shifting Looking Up Hosts and IP Addresses: Yet Another Tool Update: PDFiD Version 0.1.0 Update: pdf-parser Version 0.4.1 Update: PDFiD Version 0.1.2 Cisco IOS Patching: Defense and Offense New Tool: XORStrings shift.1sc fuzzer.1sc search-and-replace-with-wildcards.1sc pecheck.py js-unicode-escape.1sc js-unicode-unescape.1sc Howto: Add a Digital Signature to a PDF File – Free Software VirusTotal: Searching And Submitting Howto: Make Your Own Cert And Revocation List With OpenSSL Adobe Reader and CRLs Quickpost: Signed PDF Stego pdf-parser: Searching Inside Streams PDFiD: False Positives shellcode2vba Update: virustotal-search.py The Art Of Defuzzing Update: js-unicode-unescape.1sc Update: Lookup Tools MSI: The Case Of The Invalid Signature OHM2013 Quickpost: Rovnix PCAP A Bit More Than A Signature Quickpost: Proxy Cookies Brucon Hacking PDF Training Update: pdf-parser V0.4.3 Bugfix virustotal-submit.py Version 0.0.2 Finding Contained Files Update: XORSearch Version 1.9.2 Update: Suspender V0.0.0.4 NAFT: The Movie Update: naft-gfe.py Update: find-file-in-file.py Version 0.0.3 Quickpost: nmap & xml 4 Times Faster virustotal-search.py MS13-098: Fixing Authenticode Update: virustotal-submit.py V0.0.3 Update: Prefetch File 010 Template UltraEdit Scripts Video: Checking the Digital Signature of Windows Executables The Credentials Listener My Software Forensic Use of CAT Files Handling McAfee Quarantine Files XORSearch: Finding Embedded Executables “Network Device Forensics” Talk Recorded “Network Device Forensics” Talk Announcement: Wireshark Lua Dissectors Heartbleed: Packet Capture PDF Rainbow Tables Heartbleed: Packet Capture – Full TLS nmap Grepable Script Output – Heartbleed Heartbleed: Testing From a Cisco IOS Router – ssltest.tcl ssl-hearbleed.nse mod TCP Flags for Wireshark Video: “Packet Class: Wireshark – Lua Protocol Dissectors” WhoAmI: status-4-evar Packet Class: Wireshark – Import Hex Dump Wireshark-export Stoned Bitcoin Update: Stoned Bitcoin Update: translate.py Stoned Bitcoin: My Analysis Tools Videos EICARgen: An Arms Race A Return: The Puzzle Update: Calculating a SSH Fingerprint From a (Cisco) Public Key Introducing Filescanner.exe Update: SpiderMonkey FileScanner.exe Part 2 FileScanner.exe Part 3 FileScanner.exe Part 4 Update: XORSearch With Shellcode Detector Announcement: PDFiD Plugins Update: PDFiD With Plugins Part 1 Update: PDFiD With Plugins Part 2 XORSearch: Hexdump Support Update: pecheck.py Version 0.4.0 Update: find-file-in-file.py Version 0.0.4 XORSelection.1sc router-forensics.net YARA Rules Introducing oledump.py oledump: Extracting Embedded EXE From DOC Update: oledump.py Version 0.0.5 YouTube Video Promo Didier Stevens Suite Update: oledump.py Version 0.0.6 YARA Rule: Detecting JPEG Exif With eval() Converting PEiD Signatures To YARA Rules AirPcap Channel Hopping With Python Update: oledump.py Version 0.0.7 Update: YARA Rule JPEG_EXIF_Contains_eval Update EICARgen Version 2.1 Update: oledump.py Version 0.0.8 Analyzing A Fraudulent Document With Error Level Analysis Update: oledump.py Version 0.0.9 Update oledump.py Version 0.0.10 A New Type Of Malicious Document: XML VBA Maldoc: We Don’t Want No Stinkin Sandbox/Virtual PC Quickpost: Metasploit User Agent Strings Update oledump.py Version 0.0.12 Update: peid-userdb-to-yara-rules.py split.py oledump And XML With Embedded OLE Object Howto: Make Your Own Cert With OpenSSL on Windows pdf-parser And YARA Quickpost: Maldocs: VBA And Pastebin Update: oledump.py Version 0.0.14 PDF Password Cracking With John The Ripper pdf-parser: A Method To Manipulate PDFs Part 1 MS15-034 Detection: Some Observations MS15-034: PoC Excel Video Update: virustotal-search Version 0.1.2 Daily Quota Handling and CVEs pdf-parser: A Method To Manipulate PDFs Part 2 Update: NAFT Version 0.0.9 Detecting Network Traffic from Metasploit’s Meterpreter Reverse HTTP Module Howto: Install Wireshark Dissectors Regular Expressions With Comments pcap-rename.py Metasploit Meterpreter Reverse HTTPS Snort Rule Update: oledump.py Version 0.0.17 – ExitCode base64dump.py Version 0.0.1 Extracting Dyre Configuration From A Process Dump If You Have A Problem Running My Tools “Analysing Malicious Documents” Training At 44CON London Jump List Forensics Update: pdf-parser Version 0.6.4 Update: base64dump.py Version 0.0.2 Test File: PDF With Embedded DOC Dropping EICAR nsrl.py: Using the Reference Data Set of the National Software Reference Library Wireshark Wifi and Lua Training – Brucon 2015 PDF + DOC + VBAs Videos Dump Tools: Cut Cut Cut … Update: base64dump.py Version 0.0.3 Release: emldump.py Version 0.0.3 cut-bytes.py New workshop videos: Malicious Office Documents Part 1 Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty) Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean) Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin Update: translate.py V2.1.0 byte-stats.py Update: oledump V0.0.20 Update: emldump.py Version 0.0.4 Update: cut-bytes.py Version 0.0.2 Update: find-file-in-file.py Version 0.0.5 Maldoc Social Engineering Trick Update: nsrl.py Version 0.0.2 Update: emldump.py Version 0.0.5 Authenticode And Timestamping And sha256 Update: virustotal-search.py Version 0.1.3 Update: oledump.py Version 0.0.21 Update: Authenticode Tools Windows Backup Privilege: CMD.EXE BruCON Spring Training 2016: Analysing Malicious Documents Update: oledump.py Version 0.0.22 MIME File With “Header” Maldoc GET Range SHA256 Code Signing and Microsoft XOR Known-Plaintext Attack Update: shellcode2vba.py Version 0.4 BlackEnergy .XLS Dropper BlackEnergy .XLS Dropper Puzzle Update: base64dump.py Version 0.0.4 Update: emldump.py Version 0.0.6 Update: xor-kpa.py Version 0.0.2 Update: cut-bytes.py Version 0.0.3 Update: numbers-to-hex.py Version 0.0.2 Create Your Own CMD.XLS Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation More Obfuscated MIME Type Files Even More Obfuscated MIME Type Files Update: oledump.py Version 0.0.23 YARA Rule To Detect VBE Scripts Decoding VBE Update: decode-vbe.py Version 0.0.2 Update translate.py Version 2.3.0 Update: numbers-to-hex.py Version 0.0.3 MovingXORSelection.1sc Update: emldump.py Version 0.0.9 New YARA Rule: PE_File_pyinstaller Update: pecheck.py Version 0.5.0 Update: pecheck.py Version 0.5.1 Major Update For zipdump.py Recovering A Ransomed PDF Update:oledump.py Version 0.0.24 YouTube Video Promo hashcat 3.00 “fatal error: ‘inc_vendor.cl’ file not found” Practice ntds.dit File Part 1 Practice ntds.dit File Part 2: Extracting Hashes Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force Tool To Generate Hashcat Toggle Rules Practice ntds.dit File Overview Releasing rtfdump.py Bugfix: pdf-parser Version 0.6.5 Video: ntds.dit: Extract Hashes With secretsdump.py Update: re-search Version 0.0.2 rtfdump: Update And Videos Howto CreateCertGUI: Create Your Own Certificate On Windows (OpenSSL Library) mimikatz: Golden Ticket + DCSync Video: mimikatz: Golden Ticket + DCSync Update: xor-kpa.py Version 0.0.3 With Man Page Update: rtfdump Version 0.0.4 Update: translate.py Version 2.3.1 decoder-search.py Beta Quickpost: Enhancing Radare2 Disassembly Listing rtfdump Videos Analyzing Office Maldocs With Decoder.xls Update: oledump.py Version 0.0.25 Update: cut-bytes.py Version 0.0.4 Update: virustotal-search.py Version 0.1.4 Maldoc With Process Hollowing Shellcode Quickpost: Zone.Identifier Update: shellcode2vba.py Version 0.5 Update: byte_stats.py Version 0.0.4 Update: zipdump.py Version 0.0.4 Update: base64dump.py Version 0.0.5 Simple Ciphers: cipher-tool.py Update: xor-kpa.py Version 0.0.4 Update: pdf-parser Version 0.6.6 Update: pecheck.py Version 0.5.2 Update: oledump.py Version 0.0.26 Update: pecheck.py Version 0.6.0 – Overview Of Resources Hancitor Maldoc Videos Update: pdf-parser Version 0.6.7 Update: byte-stats.py Version 0.0.5 Update: FileScanner Version 0.0.0.4 Quickpost: Dropbox & Alternate Data Streams Update: zipdump.py Version 0.0.5 Quickpost: ClamAV and ZIP File Decryption Update: base64dump.py Version 0.0.6 Update: rtfdump.py Version 0.0.5 Update: translate.py Version 2.4.0 Password History Analysis Practice ntds.dit File Part 9: Extracting Password History Hashes New Tool: sets.py Update: re-search.py Version 0.0.3 Update: cut-bytes.py Version 0.0.5 Update: oledump.py Version 0.0.27 That Is Not My Child Process! Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine” Quickpost: Infinite Control For Bash Bunny Quickpost: Bash Bunny & Keyboard Layouts Update: re-search.py Version 0.0.4 CVE-2017-0199 Malicious Documents: The Matryoshka Edition New Tool: python-per-line Bash Bunny PDF Dropper Gzip Decompression Via Pipes Quickpost: Internet Zone IDs Crack A ZIP Password, And Fly To Dubai … Quickpost: ZIP Password Cracking With John The Ripper Quickpost: WannaCry Killswitch Check Is Not Proxy Aware Update: re_search.py Version 0.0.5 Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End) Update: re_search.py Version 0.0.7 Update: zipdump.py Version 0.0.7 Update: zipdump.py Version 0.0.8 WannaCry Simple File Analysis Update: xor-kpa.py Version 0.0.5 Update; base64dump.py Version 0.0.7 Update: zipdump.py Version 0.0.9 Update: pecheck.py Version 0.7.0 Update: re-search.py Version 0.0.8 I Will Follow (no, not talking about social media) Quickpost: mimikatz !bsod Video: mimikatz & !bsod Video: mimikatz & minesweeper Select Parent Process from VBA Update: zipdump.py Version 0.0.10 Analyzing ClamAV Signatures Analyzing ClamAV Signatures – Correction ClamAV sigtool –decode-sigs Mimikatz Videos Beta: format-bytes.py Quickpost: Analyzing .ISO Files Containing Malware .ISO Files With Zone.Identifier Update:zipdump.py Version 0.0.11 Update: oledump.py Version 0.0.28 Update: emldump.py Version 0.0.10 oledump.py *.vir Update: python-per-line.py Version 0.0.2 New Tool: headtail.py The Clip Command The Paste Command Update: count.py Version 0.2.0 Analyzing Password Dumps With My Tools – Part 1 .ISO Files & autorun.inf Quickpost: Trying Out JA3 Update: translate.py Version 2.5.0 Update: byte-stats.py Version 0.0.6 Reading Memory Of 64-bit Processes Using Metasploit On Windows Generating PowerShell Scripts With MSFVenom On Windows Wireshark: Follow Streams Quickpost: Using ClamAV On Windows Quickpost: Metasploit PowerShell BASE64 Commands Quickpost: PowerShell Options Order Abusing A Writable Windows Service Compiling a Windows Service With Mono on Kali Update: re-search.py Version 0.0.9 Running Windows Services on Linux with Mono Quickpost: DllDemo Quickpost: Keyboard Setting For pfSense PyBoard LCD160CR Text Scrolling Window 8 Quickpost: Update: Infinite Control For Bash Bunny Quickpost: GNU Radio On Windows Quickpost: Creating A Simple Flow Graph With GNU Radio Companion Quickpost: Mimikatz DCSync Detection Update: oledump.py Version 0.0.29 Update: base64dump.py Version 0.0.8 Update: pdf-parser.py Version 0.6.8 Update: pdfid.py Version 0.2.2 Analyzing A Malicious Document Cleaned By Anti-Virus Analyzing Metasploit’s Office Maldoc Update: byte-stats.py Version 0.0.7 Update: cut-bytes.py Version 0.0.6 Update: pecheck.py Version 0.7.1 Update: oledump.py Version 0.0.30 Update: numbers-to-string.py Version 0.0.3 WebDAV Traffic To Malicious Sites Update: pcap-rename.py Version 0.0.2 Update: pdfid.py Version 0.2.3 Update: rtfdump.py Version 0.0.6 New Tool: hash.py Update: plugin_biff.py Version 0.0.2 / oledump.py Version 0.0.31 New oledump Plugin: plugin_msg.py / oledump.py Version 0.0.32 New Tool: xmldump.py New Tool: format-bytes.py Cracking Encrypted PDFs – Part 1 Cracking Encrypted PDFs – Part 2 Cracking Encrypted PDFs – Part 3 Cracking Encrypted PDFs – Conclusion New Tool: What Is New? Update: xmldump.py Version 0.0.2 Update: format-bytes.py Version 0.0.4 Quickpost: Data Exfiltration With Tor Browser And Domain Fronting Quickpost: Retrieving Malware Via Tor On Windows New Tool: jpegdump.py Update: translate.py Version 2.5.2 Update: rtfdump.py Version 0.0.7 Quickpost: Code To Connect To Tor Onion Service Quickpost: Remote Shell On Windows Via Tor Onion Service Update: python-per-line version 0.0.3 Update: hash.py Version 0.0.2 Update: jpegdump.py Version 0.0.4 Update: pdfid.py Version 0.2.4 Update: translate.py Version 2.5.3 Update: oledump.py Version 0.0.33 Update: pecheck.py Version 0.7.2 Quickpost: Using nmap With Tallow (Tor proxy) Wireshark Comments Quickpost: Using Suricata on Windows CTRL-Z is EOF Update: xmldump.py Version 0.0.3 Quickpost: Email Server Simulator Update: XORSelection.1sc Version 4.0 Update: hash.py Version 0.0.3 Update: Patched SpiderMonkey Update: python-per-line.py Version 0.0.4 SpiderMonkey and STDIN Update: oledump.py Version 0.0.34 Update: base64dump.py Version 0.0.9 Video: SpiderMonkey Output Options Update: base64dump.py Version 0.0.10 Quickpost: Windows Debugger as Post Mortem Debugger – 32-bit & 64-bit PDFiD: GoToE and GoToR Detection (“NTLM Credential Theft”) Quickpost: John & Dummy Hashes Encrypted OOXML Documents Update: pecheck.py Version 0.7.3 “Here Files” and my Tools Update: jpegdump.py Version 0.0.5 Update: translate.py Version 2.5.4 Update: cut-bytes.py Version 0.0.7 Update: hash.py version 0.0.5 Validating Your Downloads Update: jpegdump.py Version 0.0.6 Update: zipdump.py Version 0.0.12 Quickpost: Decoding Certutil Encoded Files Update: re-search.py Version 0.0.10 Update: re-search.py Version 0.0.11 Update: oledump.py Version 0.0.35 Update: zipdump.py Version 0.0.13 Update: oledump.py Version 0.0.36 Update: zipdump.py Version 0.0.14 –jsonoutput Quickpost: Compiling DLLs with MinGW on Kali New Tool: file-magic.py !exploitable Crash Analyzer – Statically Linked CRT Update: sets.py Version 0.0.2 Update: base64dump.py Version 0.0.11 Extracting DotNetToJScript’s PE Files Update: re-search.py Version 0.0.12 Update: numbers-to-string.py Version 0.0.4 Update: python-per-line.py Version 0.0.5 Update: PDFiD.py Version 0.2.5 Update: oledump.py Version 0.0.37 Update: format-bytes Version 0.0.5 Quickpost: Revisiting JA3 Obtaining Malware Samples for Analysis Update: numbers-to-string.py Version 0.0.5 Quickpost: Compiling DLLs with MinGW on Windows Firmware Upgrade: WiFi Pineapple NANO WiFi Pineapple NANO: Persistent Recon DB Quickpost: Compiling EXEs and Resources with MinGW on Kali Update: pecheck.py Version 0.7.4 Quickpost: Signing Windows Executables on Kali KEIHash: Fingerprinting SSH Release: Python Tool Templates New tool: decompress_rtf.py Update: pdf-parser.py Version 0.6.9 Update: oledump.py Version 0.0.38 Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt Update: file-magic.py Version 0.0.3 Update: file-magic.py Version 0.0.4 Update: format-bytes.py Version 0.0.6 Quickpost: Using pcapy with Npcap on Windows Update: hash.py Version 0.0.6 Update: cut-bytes.py Version 0.0.8 Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt Quickpost: Compiling 32-bit Static ELF Files on Kali Quickpost: Compiling with Build Tools for Visual Studio 2017 Quickpost: Developing for ESP32 with the Arduino IDE Update: oledump.py Version 0.0.39 Release: strings.py Update: rtfdump.py Version 0.0.9 Update: numbers-to-string.py Version 0.0.6 Update:oledump.py Version 0.0.40 Update: XORSearch Version 1.11.2 Update: numbers-to-string.py Version 0.0.7 New Tool: SimpleEncoder Update: format-bytes.py Version 0.0.7 New Tool: msoffcrypto-crack.py Update: msoffcrypto-crack.py Version 0.0.2 Update: msoffcrypto-crack.py Version 0.0.3 Update: cut-bytes.py Version 0.0.9 Update: oledump.py Version 0.0.41 Update: translate.py Version 2.5.5 Update: pdf-parser.py Version 0.7.0 Update: pdf-parser.py Version 0.7.1 Analyzing a Phishing PDF with /ObjStm Update: re-search.py Version 0.0.13 Update: oledump.py Version 0.0.42 Maldoc: Excel 4.0 Macro Quickpost: PDF Tools Download Feature Update: pecheck.py Version 0.7.6 list-interfaces.xlsm Quickpost: Browsers & Content-Disposition Extracting “Stack Strings” from Shellcode Update: translate.py Version 2.5.6 Update: python-per-line.py Version 0.0.6 Update: format-bytes.py Version 0.0.8 Update: jpegdump.py Version 0.0.7 Quickpost: Retrieving an SSL Certificate with nmap WebDAV, NTLM & Responder DSSuite: A Docker Container With My Tools Update: zipdump Version 0.0.15 Update: hex-to-bin.py Version 0.0.2 Update: sets.py Version 0.0.3 Quickpost: C Random Functions in Other Languages Update: virustotal-search.py Version 0.1.5 New Tool: amsiscan.py Quickpost: nslookup Types Update: format-bytes.py Version 0.0.9 Quickpost: tcp-honeypot.py & Browser Tests Update: pdf-parser.py Version 0.7.2 Downloading Executables Over DNS: Capture Files Update: msoffcrypto-crack.py Version 0.0.4 Update: hash.py Version 0.0.7 Update: pecheck.py Version 0.7.7 Update: hex-to-bin.py Version 0.0.3 Update: strings.py Version 0.0.4 Update Of My PDF Tools Shark Jack Capture File PowerShell, Add-Type & csc.exe New Tool: simple_tcp_stats.py Quickpost: ExifTool, OLE Files and FlashPix Files Update: pecheck.py Version 0.7.8 Quickpost: Compiling Service DLLs with MinGW on Kali Quickpost: Running a Service DLL Update: cut-bytes.py Version 0.0.10 Update: numbers-to-string.py Version 0.0.10 Update: format-bytes.py Version 0.0.10 Steganography and Malware Update: tcp-honeypot.py Version 0.0.7 Update: numbers-to-string.py Version 0.0.9 Update: oledump.py Version 0.0.43 Analyzing .DWG Files With Embedded VBA Macros Update: oledump.py Version 0.0.44 zoneidentifier.exe Update: zipdump.py Version 0.0.16 Update: pdf-parser.py Version 0.7.4 and pdfid.py Version 0.2.7 YARA “Ad Hoc Rules”

YouTube videos:

Adobe Reader JavaScript Blacklist Framework Excel with cmd.dll & regedit.dll PDF: Launch a command LockIfNotHot Malicious PDF Analysis Workshop – Part 1 – Setup Malicious PDF Analysis Workshop – Part 2 – Exercise 1 Malicious PDF Analysis Workshop – Part 3 – Exercise 2 Malicious PDF Analysis Workshop – Part 4 – Exercise 3 Malicious PDF Analysis Workshop – Part 5 – Exercise 4 Malicious PDF Analysis Workshop – Part 6 – Exercise 4 and 5 Malicious PDF Analysis Workshop – Part 7 – Exercise 5 Malicious PDF Analysis Workshop – Part 8 – Exercise 6 HeapLocker: Preventing Heapsprays White Hat Shellcode Workshop: Enforcing Permanent DEP Happy New Router Announcing Didier Stevens Labs XORsearch Network Appliance Forensic Toolkit Using Process Explorer’s Find Window’s Process PDF Rainbow Tables – APDFPR Checking the Digital Signature of Windows Executables Network Device Forensics Meteor over Belgium 29/03/2014 Packet Class: Wireshark – Lua Protocol Dissectors Private IP Address or Public IP Address – netrouteview Packet Class: Wireshark – Import Hex Dump Cancale Flood Tide Lightning Middelkerke 18/07/2014 Middelkerke 06/06/2014 Jan De Nul Beach Replenishment I have a hidden game on my iPad iOS 7 – Hide the apps… Urban wildlife on CCTV Loosafe SDVR: Language Setup punbup.py: Analyzing McAfee Quarantine Files EICARgen v2 Mailmerge UltraEdit Script zipdump.py oledump.py beta count.py PDF Creation – Public Tools Kanonnen Gent 24/09/2014 Handheld Spectrum Analyzer Cisco ROMMON priv mode Malicious Word Document Analysis Excel: Example of Privilege Escalation – CVE-2014-4113 MS14-058 Excel: Privilege Escalation (CVE-2014-4113 MS14-058) & Mimikatz oledump With Plugins: Malicious Word Document Analysis YARA Registry Scanner oledump With Plugins (bis): Malicious Word Document Analysis oledump Decoders pdf-parser: YARA oledump plugin_biff Microsoft MVP Award 2015 Broken Harddisk FileContainer.xls iCounterCatLives– oclHashcat PDF Crypto Microsoft MVP 5 Years Disc Rapoo Transmitter FileContainer.xls 2 oledump XML Urban Wildlife: The Return Of The Marten oledump & ClipboardTransformer oledump And Yet Another XML Howto: Make Your Own Cert With OpenSSL oledump And Yet Another XML (Bis) CCTV, IR, Spiderwebs and Fog PoC: MS15-034 Exploited From Excel Maldoc: PDF With OLE Maldoc PDF With Embedded DOC: What You See When It’s Opened TCP Flags for Wireshark Magnet Viewer Malicious PDF: Just A URI base64dump.py re-search and Dyre Malware MacBook Screencast re-search Part 1 re-search Part 2 Analysing Malicious Documents – 44CON 2015 Training iPad Screencast Demo Electronic road signs used to warn for burning van The Making Of: PDF With Embedded DOC Dropping EICAR PDF With Embedded DOC And VBA: Reader Mitigation Wireshark Wifi and Lua Training – Brucon 2015 cmd.dll: dll /a FindWritableFiles iOS app to generate watercolor paintings from pictures Cut Cut Cut … Wireshark Hex Import byte-stats.py oledump.py –extra Maldoc Social Engineering Trick CMD.EXE: Backup Privilege SpiderMonkey: Dump MIME File With Header Analysis Of A Corrupt OLE File xor-kpa.py: XOR Known-Plaintext Attack Creating CMD.XLS CMD.DLL: From DLL To VBA BlackEnergy .XLS Dropper translate.py: With regex VBE oledump: VBA UserForm numbers-to-hex.py Mixing cold and hot water MovingXORSelection.1sc emldump: Filter Option translate.py: Regex Option Geocache “¿Y esto que es?” Madrid ntds.dit: Extract Hashes With secretsdump.py rtfdump: intro rtfdump: MS12-027 Maldoc rtfdump: MS10-087 Maldoc CreateCertGUI oledump xor kpa ntds.dit: Mimikatz Golden Ticket & DCSync Visual Studio 2013 & OpenSSL Visual Studio 2013 & MFC Maldoc: numbers-to-string.py Training: Attacking with Excel Malware: Process Explorer & Procmon Malware: FakeNet-NG Maldoc VBA: .pub File Maldoc VBA: decoder.xls Maldoc VBA: Shellcode Maldoc VBA: Decoding With Excel VBA Shellcode To Test EMET EMET vs Hancitor Maldoc Hancitor maldoc: Extracting URLs Hancitor Maldoc: Shellcode Dynamic Analysis Sleeping VBS Really Wants To Sleep sets.py Maldoc Deobfuscation: Character Removal Maldoc Deobfuscation: Plugin sub-str cut-bytes.py & Here Documents oledump & YARA Bash Bunny & QuickCreds CVE-2017-0199 Demo CVE-2017-0199 & Metasploit – Analysis Bash Bunny Dropping PDF Via HID Malicious Documents: The Matryoshka Edition WannaCry: Simple File Analysis xor-kpa.py Version 0.0.5 Ransomware: Very Simple IOC Extraction mimikatz & !bsod mimikatz & minesweeper Select Parent Process From VBA mimikatz & Protected Processes mimikatz RPC Mode mimikatz skeleton .ISO Files With Zone.Identifier .ISO Files & autorun.inf .ZIP Files With Zone.Identifier Emotet Maldoc & ViperMonkey It’s Not An Invoice Wireshark: Follow Streams Metasploit’s msf.docm Analysis Bash Bunny InfiniteControl Payload PyBoard LCD160CR Text Scrolling Window 8 PDF’s /URI Dealing with obfuscated rtf files .xlsm: Button & VBA & PowerShell & EXE VirusTotal Upload Wireshark comments PDF: April 1st 2018 VBA Maldoc: Form-Embedded PE File 360° 4K: Bamburg Battery Bunker Ost-W 016-235 SpiderMonkey Output Options New Output Options Fileless Input Options Analyzing XPS Files Retrieving and Processing JSON Data (BTC Example) Maldoc with DOSfuscation DotNetToJScript Analysis Dealing With Numeric Obfuscation Maldoc Analysis & Linux Tools Maldoc with DOSfuscation: example 2 oledump: plugin_msg Using scdbg to analyze shellcode When DOSfuscation Helps… oledump: plugin_ppt CyberChef: BASE64/XOR Recipe Dissecting a CVE-2017-11882 Exploit De-DOSfuscation Example msoffcrypto-crack Analyzing a Simple HTML Phishing Attachment Maldoc Analysis of the Weekend Finding Property Values in Office Documents PDF: Stream Objects (/ObjStm) Analyzing a Phishing PDF with /ObjStm Maldoc: Excel 4.0 Macro Maldoc Analysis: Excel 4.0 Macro Analysis of PDFs Created with OpenOffice/LibreOffice nmap Service Detection Customization Analyzing Compressed PowerShell Scripts Analyzing DAA Files Encrypted Sextortion PDFs Analyzing .DWG Files With Embedded VBA Macros AutoCAD & VBA

Videoblog posts:

Loosafe SDVR: Language Setup punbup.py: Analyzing McAfee Quarantine Files EICARgen v2 Retro Video: PiXiE Dust Mailmerge UltraEdit Script zipdump.py oledump.py beta count.py PDF Creation – Public Tools Cisco ROMMON Priv Mode Malicious Word Document Analysis Excel: Example of Privilege Escalation – CVE-2014-4113 MS14-058 Excel: Privilege Escalation (CVE-2014-4113 MS14-058) & Mimikatz oledump With Plugins: Malicious Word Document Analysis YARA Registry Scanner oledump With Plugins (bis): Malicious Word Document Analysis oledump Decoders pdf-parser: YARA oledump With plugin_biff Broken Harddisk Microsoft MVP Award 2015 FileContainer.xls oclHashcat PDF Crypto FileContainer.xls 2 oledump XML oledump & ClipboardTransformer oledump And Yet Another XML Howto: Make Your Own Cert With OpenSSL oledump And Yet Another XML (Bis) CCTV, IR, Spiderwebs and Fog PoC: MS15-034 Exploited From Excel Maldoc PDF With Embedded DOC: What You See When It’s Opened Maldoc: PDF With OLE TCP Flags for Wireshark Magnet Viewer Malicious PDF: Just A URI Maldoc With BASE64 re-search And Dyre Malware Analysing Malicious Documents – 44CON 2015 Training re-search Part 2 re-search Part 1 The Making Of: PDF With Embedded DOC Dropping EICAR PDF With Embedded DOC And VBA: Reader Mitigation CMD.DLL: DLL /A FindWritableFiles Cut Cut Cut … Wireshark Hex Import byte-stats.py oledump.py –extra CMD.EXE: Backup Privilege SpiderMonkey: Dump MIME File With Header Analysis Of A Corrupt OLE File BlackEnergy .XLS Dropper CMD.DLL: From DLL To VBA Creating CMD.XLS numbers-to-hex.py oledump: VBA UserForm translate.py: With regex VBE xor-kpa.py: XOR Known-Plaintext Attack MovingXORSelection.1sc emldump: Filter Option translate.py: Regex Option ntds.dit: Extract Hashes With secretsdump.py CreateCertGUI ntds.dit: Mimikatz Golden Ticket & DCSync oledump xor kpa rtfdump: intro rtfdump: MS10-087 Maldoc rtfdump: MS12-027 Maldoc Visual Studio 2013 & MFC Visual Studio 2013 & OpenSSL Maldoc: numbers-to-string.py Maldoc VBA: decoder.xls Maldoc VBA: .pub File Maldoc VBA: Shellcode Malware: FakeNet-NG Malware: Process Explorer & Procmon Training: Attacking with Excel Maldoc VBA: Decoding With Excel EMET vs Hancitor Maldoc Hancitor maldoc: Extracting URLs VBA Shellcode To Test EMET Hancitor Maldoc: Shellcode Dynamic Analysis Sleeping VBS Really Wants To Sleep sets.py cut-bytes.py & Here Documents Maldoc Deobfuscation: Character Removal Maldoc Deobfuscation: Plugin sub-str oledump & YARA Bash Bunny & QuickCreds Bash Bunny Dropping PDF Via HID CVE-2017-0199 Demo CVE-2017-0199 & Metasploit – Analysis Malicious Documents: The Matryoshka Edition WannaCry: Simple File Analysis xor-kpa.py Version 0.0.5 Ransomware: Very Simple IOC Extraction .ISO Files & autorun.inf .ISO Files With Zone.Identifier mimikatz & !bsod mimikatz & minesweeper mimikatz & Protected Processes mimikatz RPC Mode mimikatz skeleton Select Parent Process From VBA Emotet Maldoc & ViperMonkey .ZIP Files With Zone.Identifier It’s Not An Invoice Metasploit’s msf.docm Analysis Wireshark: Follow Streams Bash Bunny InfiniteControl Payload Dealing with obfuscated rtf files PDF’s /URI PyBoard LCD160CR Text Scrolling Fileless Input Options New Output Options PDF: April 1st 2018 SpiderMonkey Output Options VBA Maldoc: Form-Embedded PE File VirusTotal Upload Wireshark comments .xlsm: Button & VBA & PowerShell & EXE Analyzing XPS Files Retrieving and Processing JSON Data (BTC Example) Dealing With Numeric Obfuscation DotNetToJScript Analysis Maldoc Analysis & Linux Tools Maldoc with DOSfuscation oledump: plugin_msg Maldoc with DOSfuscation: example 2 Using scdbg to analyze shellcode CyberChef: BASE64/XOR Recipe De-DOSfuscation Example Dissecting a CVE-2017-11882 Exploit oledump: plugin_ppt When DOSfuscation Helps… msoffcrypto-crack Analyzing a Simple HTML Phishing Attachment Maldoc Analysis of the Weekend Finding Property Values in Office Documents PDF: Stream Objects (/ObjStm) Analyzing a Phishing PDF with /ObjStm Maldoc: Excel 4.0 Macro Maldoc Analysis: Excel 4.0 Macro Analysis of PDFs Created with OpenOffice/LibreOffice nmap Service Detection Customization Analyzing Compressed PowerShell Scripts Analyzing DAA Files Encrypted Sextortion PDFs Analyzing .DWG Files With Embedded VBA Macros AutoCAD & VBA

SANS ISC Diary entries:

XML: A New Vector For An Old Trick Maldoc VBA Sandbox/Virtualization Detection From PEiD To YARA Malicious XML: Matryoshka Edition YARA Rules For Shellcode SSH Fingerprints Are Important VMware Product Updates Address Critical Information Disclosure Issue In JRE Wireshark TCP Flags The Kill Chain: Now With Pastebin Memory Forensics Of Network Devices Handling Special PDF Compression Methods A Malicious Word Document Inside a PDF Document Malicious Word Document: This Time The Maldoc Is A MIME File Wireshark TCP Flags: How To Install On Windows Video Another Maldoc? I’m Afraid So… The EICAR Test File Analyzing Quarantine Files A .BUP File Is An OLE File Working with base64 Jump List Files Are OLE Files Process Explorer and VirusTotal Autoruns and VirusTotal Sigcheck and VirusTotal Searching Through the VirusTotal Database Sigcheck and virustotal-search PDF + maldoc1 = maldoc2 Test File: PDF With Embedded DOC Dropping EICAR Don’t launch that file Adobe Reader! Ransomware & Entropy Ransomware & Entropy: Your Turn Ransomware & Entropy: Your Turn -> Solution Maldoc Social Engineering Trick Use The Privilege Malfunctioning Malware Failure Is An Option A Tip For The Analysis Of MIME Files BlackEnergy .XLS Dropper Sigcheck and VirusTotal for Offline Machine Obfuscated MIME Files Locky: JavaScript Deobfuscation Tip: Quick Analysis of Office Maldoc VBE: Encoded VBS Script Handling Malware Samples VBS + VBE Python Malware – Part 1 Python Malware – Part 2 Python Malware – Part 3 Office Maldoc: Let’s Focus on the VBA Macros Later… Practice ntds.dit File Python Malware – Part 4 Malicious RTF Files rtfobj rtfdump .PUB Analysis VBA and P-code Radare2: rahash2 Maldoc VBA Anti-Analysis Analyzing Office Maldocs With Decoder.xls Maldoc VBA Anti-Analysis: Video Hancitor Maldoc Bypasses Application Whitelisting VBA Shellcode and EMET VBA Shellcode and Windows 10 ZIP With Comment Update:ZIP With Comment Extracting Shellcode From JavaScript Hancitor Maldoc Videos Sleeping VBS Really Wants To Sleep Pinging All The Way py2exe Decompiling – Part 1 py2exe Decompiling – Part 2 CRA Maldoc Analysis Another example of maldoc string obfuscation, with extra bonus: UAC bypass Domain Whitelisting With Alexa and Umbrella Lists Domain Whitelisting With Alexa and Umbrella Lists – update Password History: Insights Shared by a Reader Malicious Documents: A Bit Of News Malware and XOR – Part 1 Malware and XOR – Part 2 PE Section Name Descriptions Selecting domains with random names Basic Office maldoc analysis Office maldoc + .lnk Malicious .iso Attachments Another .lnk File Static Analysis of Emotet Maldoc Maldoc Submitted and Analyzed Maldoc Analysis with ViperMonkey The Good Phishing Email Sometimes it’s just SPAM It’s Not An Invoice … Malware analysis: searching for dots It is a resume – Part 1 It is a resume – Part 2 Malware analysis output sanitization Analyzing JPEG files It is a resume – Part 3 A strange JPEG file Peeking into .msg files It’s in the signature. Remember ACE files? PE files and debug info PDF documents & URLs Extracting the text from PDF documents Metasploit’s Maldoc BTC Pickpockets Sometimes it’s a dud Phish or scam? – Part 1 Phish or scam? – Part 2 Encrypted PDFs PDF documents & URLs: update Dealing with obfuscated RTF files Analyzing TNEF files What is new? PDF documents & URLs: video Peeking into Excel files Decrypting malicious PDFs with the key An RTF phish Retrieving malware over Tor HTTPS on every port? Is this a pentest? Comment your Packet Captures – Extra! Analyzing an HTA file Analyzing an HTA file: Update An autograph from the Dridex gang Finding VBA signatures in Word documents Analyzing compressed shellcode Finding VBA signatures in .docm files Analyzing MSI files Retrieving malware over Tor on Windows Wireshark and USB “Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence.” Phishing PDFs with multiple links Phishing PDFs with multiple links – Animated GIF Phishing PDFs with multiple links – Detection Metasploit’s Payload UUID A malicious word document with a VBA form A malicious word document with a VBA form – video New IE 0-day in the wild DASAN GPON home routers exploits in-the-wild Quick analysis of malware created with NSIS Encrypted Office Documents Guilty by association Analyzing XPS files XPS samples Video: Analyzing XPS Files Progress indication for scripts on Windows XPS Metadata dd progress indicator on Linux dd progress indicator on OSX Retrieving and processing JSON data (BTC example) Video: Retrieving and processing JSON data (BTC example) Extracting BTC addresses from emails BTC pickpockets are back Maldoc analysis with standard Linux tools Analyzing MSG files Malicious Word documents using DOSfuscation Dealing with numeric obfuscation in malicious scripts Video: Maldoc analysis with standard Linux tools Numeric obfuscation: another example Peeking into msg files – revisited A URL shortener handy for phishers New Extortion Tricks: Now Including Your (Partial) Phone Number! Video: Peeking into msg files – revisited OpenSSH user enumeration (CVE-2018-15473) Microsoft Publisher malware: static analysis Identifying numeric obfuscation “When was this machine infected?” Another quickie: Using scdbg to analyze shellcode Video: Using scdbg to analyze shellcode “What is dikona or glirote3?” User Agent String “$ua.tools.random()” ? 🙂 ! 20/20 malware vision Suspicious DNS Requests … Issued by a Firewall Analyzing Encoded Shellcode with scdbg When DOSfuscation Helps… Decoding Custom Substitution Encodings with translate.py Developing YARA Rules: a Practical Example YARA: XOR Strings YARA XOR Strings: Some Remarks Maldoc: Once More It’s XOR CyberChef: BASE64/XOR Recipe MSG Files: Compressed RTF Detecting Compressed RTF Maldoc Duplicating PowerShell Prior to Use Windows Defender’s Sandbox TriJklcj2HIUCheDES decryption failed? Dissecting a CVE-2017-11882 Exploit Video: CyberChef: BASE64/XOR Recipe Wireshark update 2.6.5 available Video: Dissecting a CVE-2017-11882 Exploit Word maldoc: yet another place to hide a command Reader Malware Submission: MHT File Inside a ZIP File Quickie: String Analysis is Still Useful Yet Another DOSfuscation Sample De-DOSfuscation Example Password Protected ZIP with Maldoc KringleCon 2018 Bitcoin “Blacklists” Matryoshka Phish Video: De-DOSfuscation Example Software Crashes: A New Year’s Resolution Make a Wheel in 2019! Maldoc with Nonfunctional Shellcode A Malicious JPEG? A Malicious JPEG? Second Example Malicious .tar Attachments Analyzing Encrypted Malicious Office Documents Quick Maldoc Analysis Suspicious GET Request: Do You Know What This Is? Video: Analyzing Encrypted Malicious Office Documents Video: Analyzing a Simple HTML Phishing Attachment Maldoc Analysis of the Weekend Video: Maldoc Analysis of the Weekend Have You Seen an Email Virus Recently? Finding Property Values in Office Documents Video: Finding Property Values in Office Documents Know What You Are Logging Identifying Files: Failure Happens Sextortion Email Variant: With QR Code Maldoc Analysis by a Reader Malicious HTA Analysis by a Reader Quick and Dirty Malicious HTA Analysis Wireshark 3.0.0 and Npcap Tip: Ghidra & ZIP Files Maldoc: Excel 4.0 Macros Video: Maldoc Analysis: Excel 4.0 Macro Wireshark 3.0.0 and Npcap: Some Remarks “VelvetSweatshop” Maldocs Decoding QR Codes with Python “VelvetSweatshop” Maldocs: Shellcode Analysis “404” is not Malware Maldoc Analysis of the Weekend by a Reader Analysis of PDFs Created with OpenOffice/LibreOffice Analyzing UDF Files with Python .rar Files and ACE Exploit CVE-2018-20250 Malicious VBA Office Document Without Source Code Quick Tip for Dissecting CVE-2017-11882 Exploits VBA Office Document: Which Version? Text and Text Do You Remember the SUBST Command? Video: nmap Service Detection Customization nmap Service Fingerprint Office Document & BASE64? PowerShell! Analyzing First Stage Shellcode Retrieving Second Stage Payload with Ncat Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As Tip: Sysmon Will Log DNS Queries Sysmon Version 10: DNS Logging Maldoc: Payloads in User Forms A “Stream O” Maldoc Machine Code? Malicious XSL Files Machine Code? No! isodump.py and Malicious ISO Files Malicious RTF Analysis CVE-2017-11882 by a Reader Analyzing Compressed PowerShell Scripts A Python TCP proxy Video: Analyzing Compressed PowerShell Scripts Recognizing ZLIB Compression Detecting ZLIB Compression Nmap Defcon Release: 7.80 Malicious .DAA Attachments Analysis of a Spearphishing Maldoc The DAA File Format Video: Analyzing DAA Files Compressed ISO Files (ISZ) Encrypted Sextortion PDFs Wireshark 3.0.5 Release: Potential Windows Crash when Updating Video: Encrypted Sextortion PDFs YARA XOR Strings: an Update Encrypted Maldoc, Wrong Password Maldoc, PowerShell & BITS YARA v3.11.0 released YARA’s XOR Modifier Wireshark 3.0.6 Released Using scdbg to Find Shellcode Tip: Password Managers and 2FA Remark on EML Attachments You Too? “Unusual Activity with Double Base64 Encoding” Wireshark 3.0.7 Released (Lazy) Sunday Maldoc Analysis (Lazy) Sunday Maldoc Analysis: A Bit More … VirusTotal Email Submissions Malicious .DWG Files? Wireshark 3.2.0 Released Extracting VBA Macros From .DWG Files New oledump.py plugin: plugin_version_vba Corrupt Office Documents

NVISO blog posts:

Malicious Document Targets Belgian Users PDF URIs Analyzing an Office Maldoc with a VBA Emulator Videos: Analyzing an Office Maldoc with a VBA Emulator PDF Analysis: Back To Basics Decompiling py2exe Executables Detecting py2exe Executables: YARA Rule Working with GFI Cloud anti-virus quarantine files Maldoc: ItÔÇÖs not all VBA these days Hunting with YARA rules and ClamAV Developing complex Suricata rules with Lua – part 1 Developing complex Suricata rules with Lua – part 2 New Hancitor maldocs keep on comingÔǪ Analysis of a CVE-2017-0199 Malicious RTF Document Hunting malware with metadata Critical Samba vulnerability CVE-2017-7494 – Impact on Belgium Malicious PowerPoint Documents Abusing Mouse Over Actions Decoding malware via simple statistical analysis Active exploitation of Struts vulnerability S2-052 CVE-2017-9805 YARA rules for CCleaner 5.33 Detecting DDE in MS Office documents YARA DDE rules: DDE Command Execution observed in-the-wild Windows Credential Guard & Mimikatz Creating custom YARA rules Painless Cuckoo Sandbox Installation Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF Sextortion Scam With Leaked Passwords Succeeds Shortcomings of blacklisting in Adobe Reader and what you can do about it PowerShell Inside a Certificate? – Part 1 PowerShell Inside a Certificate? – Part 2 PowerShell Inside a Certificate? – Part 3 Compiling Our Python Decompiler OpenSSH User Enumeration Vulnerability: a Close Look Differential Malware Analysis: An Example Detecting and Analyzing Microsoft Office Online Video Solving a CTF challenge: Exploiting a Buffer Overflow (video) Malicious SYLK Files with MS Excel 4.0 Macros Extracting Certificates From the Windows Registry Analyzing a Malicious Spreadsheet Dropping a DLL Nessus’ UserAssist Plugin