Forensic Blogs

An aggregator for digital forensics blogs

January 1, 2021 by Didier Stevens

Overview of Content Published in 2020

Here is an overview of content I published in 2020:

Blog posts:

  • Analysis Of Unusual ZIP Files
  • Using CveEventWrite From VBA (CVE-2020-0601)
  • Update: cut-bytes.py Version 0.0.11
  • Update: format-bytes.py Version 0.0.11
  • Update: hash.py Version 0.0.8
  • etl2pcapng: Support For Process IDs
  • Update: pecheck.py Version 0.7.9
  • Update: oledump.py Version 0.0.45
  • Update: xmldump.py Version 0.0.4
  • Update: hex-to-bin.py Version 0.0.4
  • Update: format-bytes.py Version 0.0.13
  • Update: translate.py Version 0.2.7
  • Update: Python Templates Version 0.0.2
  • Contextual Grepping: Proxmark3 Key Scan Example
  • Update: oledump.py Version 0.0.47
  • Update: oledump.py Version 0.0.48
  • CLSIDs in OLE Files
  • Update: cmd.dll Version 0.0.5
  • pecheck.py Version 0.7.10
  • Windows Assembly Program To Create New User
  • Quickpost: User-Agent: Microsoft Office Excel 2014
  • Carving PE Files With pecheck.py
  • Quickpost: Windows Domain Controllers Have No Local Accounts
  • Update: oledump.py Version 0.0.49
  • mimikatz Is My New EICAR
  • Update: msoffcrypto-crack.py Version 0.0.5
  • April 1st 2020: FlashPix File With VBA Code
  • Video: GNU Radio Companion: Acoustic Beats
  • Update XORSearch Version 1.11.3
  • Update: zipdump.py Version 0.0.17
  • Update: zipdump.py Version 0.0.18
  • Analyzing Malformed ZIP Files
  • Update: xmldump.py Version 0.0.6
  • Update: hex-to-bin.py Version 0.0.5
  • Update: python-per-line.py Version 0.0.7
  • Handling Diacritics
  • Quickpost: My SpiderMonkey’s Cheat Sheet
  • NVISO Innovation Coin
  • Update: zipdump.py Version 0.0.19
  • Quickpost: Empty ZIP File
  • Quickpost: Go: Building For Multiple Operating Systems
  • Update: XORSelection.1sc Version 5.0
  • Quickpost: curl And SSPI Proxy Authentication
  • Update: oledump.py Version 0.0.50
  • AdHoc GitHub Repository
  • New Tool: simple_ip_stats.py
  • add-admin: Tiny EXE To Add Administrative Account
  • Update: translate.py Version 2.5.8
  • FalsePositive GitHub Repository
  • VBA Purging
  • Update: base64dump.py Version 0.0.12
  • Tampering With Digitally Signed VBA Projects
  • Quickpost: curl
  • Update XORSearch Version 1.11.4
  • Update: oledump.py Version 0.0.51
  • Cracking VBA Project Passwords
  • ndisasm 2.15 stdin Bug Fix
  • Update: oledump.py 0.0.52
  • Update: zipdump.py Version 0.0.20
  • Update: InteractiveSieve 0.9.1
  • Update: pecheck.py Version 0.7.11
  • Videos: Defective USB Cable
  • Update: numbers-to-string.py Version 0.0.10
  • New Tool: XORSearch.py
  • Update: oledump.py 0.0.53
  • Quickpost: Downloading Files With Windows Defender & User Agent String
  • Quickpost: dig On Windows
  • Quickpost: Ext2explore
  • Quickpost: USB Passive Load
  • “Epic Manchego” And My Tools
  • Update: oledump.py Version 0.0.54
  • Quickpost: 4 Bytes To Crash Excel
  • Update: translate.py version 2.5.9
  • Update: strings.py Version 0.0.5
  • Pascal Strings
  • Quickpost: VMware OS Version Snapshots
  • Quickpost: Portable Power
  • 1768 K
  • The Qwerty Effect And Passwords
  • Update: translate.py Version 2.5.10
  • oledump Indicators
  • Update: oledump.py Version 0.0.55
  • Decrypting With translate.py
  • Update: disitool.py Version 0.4
  • Update: emldump.py Version 0.0.11
  • Update: oledump.py Version 0.0.56
  • Update: pecheck.py Version 0.7.12
  • Quickpost: finger.exe
  • Update: numbers-to-string.py Version 0.0.11
  • Update: oledump.py version 0.0.57
  • Decrypting TLS Streams With Wireshark: Part 1
  • Update: strings.py Version 0.0.6
  • Update: translate.py Version 2.5.11
  • Update: cut-bytes.py Version 0.0.13
  • Update: byte-stats.py Version 0.0.8
  • Video: Using numbers-to-string.py To Analyze FireEye Maldocs
  • Update: zipdump.py Version 0.0.21
  • Update: base64dump.py Version 0.0.13
  • Update: 1768.py Version 0.0.4
  • Decrypting TLS Streams With Wireshark: Part 2
  • Update: rtfdump.py Version 0.0.10

YouTube videos:

  • Analyzing Unusual ZIP Files
  • Stego & Cryptominers
  • oledump: plugin_http_heuristics
  • pecheck: Carving PE Files
  • YARA: Ad Hoc Rules
  • GNU Radio Companion: Acoustic Beat
  • GNU Radio Companion: Simple Filters
  • GNU Radio Companion: .WAV File
  • zipdump.py: Malformed .docm File
  • EICAR File, Memorized
  • ZIP(EICAR File), Memorized
  • Maldoc Analysis With xlm-deobfuscator
  • YARA’s BASE64 Strings
  • Defective USB Cable
  • Testing a Defective USB Cable
  • Measuring a Defective USB Cable
  • Cracking Maldoc VBA Project Passwords
  • oledump.py: plugin_msg_summary
  • strings.py: Pascal strings
  • Measuring a USB Cable – 4-Wire Method
  • Tools in my Wallet
  • Decrypting With translate.py
  • oledump Indicators
  • Analyzing FireEye Maldocs
  • Inspecting Process Explorer Traffic With Fiddler
  • Hobo Knife
  • Process Explorer & VirusTotal: Fixed!
  • December 2020: Jupiter & Saturn

Videoblog posts:

  • Analyzing Unusual ZIP Files
  • Stego & Cryptominers
  • oledump: plugin_http_heuristics
  • pecheck: Carving PE Files
  • GNU Radio Companion: Acoustic Beats
  • YARA: Ad Hoc Rules
  • GNU Radio Companion: Simple Filters
  • GNU Radio Companion: .WAV File
  • zipdump.py: Malformed .docm File
  • EICAR File, Memorized
  • ZIP(EICAR File), Memorized
  • Maldoc Analysis With xlm-deobfuscator
  • SANS@MIC – Maldocs: a bit of blue, a bit of red
  • YARA’s BASE64 Strings
  • Defective USB Cable
  • Testing a Defective USB Cable
  • Measuring a Defective USB Cable
  • Cracking Maldoc VBA Project Passwords
  • oledump.py: plugin_msg_summary
  • strings.py: Pascal Strings
  • Tools in my Wallet
  • Decrypting With translate.py
  • oledump Indicators
  • Analyzing FireEye Maldocs
  • Inspecting Process Explorer Traffic With Fiddler
  • Hobo Knife
  • Process Explorer & VirusTotal: Fixed!
  • December 2020: Jupiter & Saturn

SANS ISC Diary entries:

  • “Nim httpclient/1.0.4”
  • KringleCon 2019
  • etl2pcapng: Convert .etl Capture Files To .pcapng Format
  • Citrix ADC Exploits: Overview of Observed Payloads
  • Wireshark 3.2.1 Released
  • Video: Stego & Cryptominers
  • bsdtar on Windows 10
  • curl and SSPI
  • Maldoc: Excel 4 Macros in OOXML Format
  • Maldoc: Excel 4 Macros and VBA, Devil and Angel?
  • Wireshark 3.2.2 Released: Windows’ Users Pay Attention Please
  • Excel Maldocs: Hidden Sheets
  • Malicious Spreadsheet With Data Connection and Excel 4 Macros
  • Phishing PDF With Incremental Updates
  • More COVID-19 Themed Malware
  • KPOT Deployed via AutoIt Script
  • Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
  • Covid19 Domain Classifier
  • Obfuscated Excel 4 Macros
  • New Bypass Technique or Corrupt Word Document?
  • Password Protected Malicious Excel Files
  • Wireshark 3.2.3 Released: Mac Users Pay Attention Please
  • Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.”
  • KPOT Analysis: Obtaining the Decrypted KPOT EXE
  • KPOT AutoIt Script: Analysis
  • MALWARE Bazaar
  • Video: Malformed .docm File
  • ZIP & AES
  • Sysmon and File Deletion
  • YARA v4.0.0: BASE64 Strings
  • Excel 4 Macro Analysis: XLMMacroDeobfuscator
  • Antivirus & Multiple Detections
  • Some Strings to Remember
  • Wireshark 3.2.4 Released
  • Zloader Maldoc Analysis With xlm-deobfuscator
  • YARA v4.0.1
  • XLMMacroDeobfuscator: An Update
  • Translating BASE64 Obfuscated Scripts
  • YARA’s BASE64 Strings
  • ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red
  • Comparing Office Documents with WinMerge
  • Video: YARA’s BASE64 Strings
  • Sysmon and Alternate Data Streams
  • Wireshark 3.2.5 Released
  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt
  • CVE-2020-5902: F5 BIG-IP RCE Vulnerability
  • Maldoc: VBA Purging Example
  • VBA Project Passwords
  • Zone.Identifier: A Couple Of Observations
  • ndisasm Update 2.15
  • Cracking Maldoc VBA Project Passwords
  • Analyzing Metasploit ASP .NET Payloads
  • Small Challenge: A Simple Word Maldoc
  • Small Challenge: A Simple Word Maldoc – Part 2
  • Wireshark 3.2.6 Released
  • Small Challenge: A Simple Word Maldoc – Part 3
  • Small Challenge: A Simple Word Maldoc – Part 4
  • Malicious Excel Sheet with a NULL VT Score: More Info
  • Finding The Original Maldoc
  • Office: About OLE and ZIP Files
  • Office Documents with Embedded Objects
  • Wireshark 3.2.7 Released
  • Decoding Corrupt BASE64 Strings
  • Nmap 7.90 Released
  • Obfuscation and Repetition
  • Open Packaging Conventions
  • Analyzing MSG Files With plugin_msg_summary
  • Nested .MSGs: Turtles All The Way Down
  • File Selection Gaffe
  • Video: Pascal Strings
  • Excel 4 Macros: “Abnormal Sheet Visibility”
  • More File Selection Gaffes
  • Wireshark 3.2.8 and 3.4.0 Released
  • AV Cleaned Maldoc
  • Quick Tip: Extracting all VBA Code from a Maldoc
  • oledump’s ! Indicator
  • Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format
  • Quick Tip: Cobalt Strike Beacon Analysis
  • Quick Tip: Using JARM With a SOCKS Proxy
  • Decrypting PowerShell Payloads (video)
  • oledump’s Indicators (video)
  • Corrupt BASE64 Strings: Detection and Decoding
  • Office 95 Excel 4 Macros
  • Wireshark 3.4.1 Released
  • KringleCon 2020
  • Analyzing FireEye Maldocs
  • Wireshark 3.4.2 Released
  • Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
  • Quickie: String Analysis & Maldocs
  • base64dump.py Supported Encodings
  • Quickie: Bit Shifting With translate.py

NVISO blog posts:

  • Nessus’ UserAssist Plugin
  • Evidence of VBA Purging Found in Malicious Documents
  • Video: Attack Surface Reduction (ASR) Bypass using VBA
  • Tampering with Digitally Signed VBA Projects
  • Epic Manchego – atypical maldoc delivery brings flurry of infostealers

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Announcement

December 31, 2020 by Didier Stevens

Overview of Content Published in December

Here is an overview of content I published in December:

Blog posts:

  • Update: oledump.py Version 0.0.56
  • Update: pecheck.py Version 0.7.12
  • Quickpost: finger.exe
  • Update: numbers-to-string.py Version 0.0.11
  • Update: oledump.py version 0.0.57
  • Decrypting TLS Streams With Wireshark: Part 1
  • Update: strings.py Version 0.0.6
  • Update: translate.py Version 2.5.11
  • Update: cut-bytes.py Version 0.0.13
  • Update: byte-stats.py Version 0.0.8
  • Video: Using numbers-to-string.py To Analyze FireEye Maldocs
  • Update: zipdump.py Version 0.0.21
  • Update: base64dump.py Version 0.0.13
  • Update: 1768.py Version 0.0.4
  • Decrypting TLS Streams With Wireshark: Part 2
  • Update: rtfdump.py Version 0.0.10

YouTube videos:

  • Analyzing FireEye Maldocs
  • Inspecting Process Explorer Traffic With Fiddler
  • Hobo Knife
  • Process Explorer & VirusTotal: Fixed!
  • December 2020: Jupiter & Saturn

Videoblog posts:

  • Analyzing FireEye Maldocs
  • Inspecting Process Explorer Traffic With Fiddler
  • Hobo Knife
  • Process Explorer & VirusTotal: Fixed!
  • December 2020: Jupiter & Saturn

SANS ISC Diary entries:

  • oledump’s Indicators (video)
  • Corrupt BASE64 Strings: Detection and Decoding
  • Office 95 Excel 4 Macros
  • Wireshark 3.4.1 Released
  • KringleCon 2020
  • Analyzing FireEye Maldocs
  • Wireshark 3.4.2 Released
  • Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
  • Quickie: String Analysis & Maldocs
  • base64dump.py Supported Encodings
  • Quickie: Bit Shifting With translate.py

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: Announcement

December 31, 2020 by Didier Stevens

Update: rtfdump.py Version 0.0.10

This is a Python 3 update for my tool to analyze RTF files. There are some new features, like option -O, to produce an overview:

More details in upcoming maldoc analysis posts.

rtfdump_V0_0_10.zip (https)
MD5: E7D235AC14A83DAABCD433DE1948E989
SHA256: 750430C0DA0B9D25B0BBBB972F107D1459FEAF45A2D61EAB6C10E84CB8AA01F8

Read the original at: Didier Stevens. Filed Under: Digital Forensics. Tagged With: My Software, Update
