Digital Forensics Archives | Page 2 of 456

January 1, 2021 by Didier Stevens

Overview of Content Published in 2020

Here is an overview of content I published in 2020:

Blog posts:

Analysis Of Unusual ZIP Files Using CveEventWrite From VBA (CVE-2020-0601) Update: cut-bytes.py Version 0.0.11 Update: format-bytes.py Version 0.0.11 Update: hash.py Version 0.0.8 etl2pcapng: Support For Process IDs Update: pecheck.py Version 0.7.9 Update: oledump.py Version 0.0.45 Update: xmldump.py Version 0.0.4 Update: hex-to-bin.py Version 0.0.4 Update: format-bytes.py Version 0.0.13 Update: translate.py Version 0.2.7 Update: Python Templates Version 0.0.2 Contextual Grepping: Proxmark3 Key Scan Example Update: oledump.py Version 0.0.47 Update: oledump.py Version 0.0.48 CLSIDs in OLE Files Update: cmd.dll Version 0.0.5 pecheck.py Version 0.7.10 Windows Assembly Program To Create New User Quickpost: User-Agent: Microsoft Office Excel 2014 Carving PE Files With pecheck.py Quickpost: Windows Domain Controllers Have No Local Accounts Update: oledump.py Version 0.0.49 mimikatz Is My New EICAR Update: msoffcrypto-crack.py Version 0.0.5 April 1st 2020: FlashPix File With VBA Code Video: GNU Radio Companion: Acoustic Beats Update XORSearch Version 1.11.3 Update: zipdump.py Version 0.0.17 Update: zipdump.py Version 0.0.18 Analyzing Malformed ZIP Files Update: xmldump.py Version 0.0.6 Update: hex-to-bin.py Version 0.0.5 Update: python-per-line.py Version 0.0.7 Handling Diacritics Quickpost: My SpiderMonkey’s Cheat Sheet NVISO Innovation Coin Update: zipdump.py Version 0.0.19 Quickpost: Empty ZIP File Quickpost: Go: Building For Multiple Operating Systems Update: XORSelection.1sc Version 5.0 Quickpost: curl And SSPI Proxy Authentication Update: oledump.py Version 0.0.50 AdHoc GitHub Repository New Tool: simple_ip_stats.py add-admin: Tiny EXE To Add Administrative Account Update: translate.py Version 2.5.8 FalsePositive GitHub Repository VBA Purging Update: base64dump.py Version 0.0.12 Tampering With Digitally Signed VBA Projects Quickpost: curl Update XORSearch Version 1.11.4 Update: oledump.py Version 0.0.51 Cracking VBA Project Passwords ndisasm 2.15 stdin Bug Fix Update: oledump.py 0.0.52 Update: zipdump.py Version 0.0.20 Update: InteractiveSieve 0.9.1 Update: pecheck.py Version 0.7.11 Videos: Defective USB Cable Update: numbers-to-string.py Version 0.0.10 New Tool: XORSearch.py Update: oledump.py 0.0.53 Quickpost: Downloading Files With Windows Defender & User Agent String Quickpost: dig On Windows Quickpost: Ext2explore Quickpost: USB Passive Load “Epic Manchego” And My Tools Update: oledump.py Version 0.0.54 Quickpost: 4 Bytes To Crash Excel Update: translate.py version 2.5.9 Update: strings.py Version 0.0.5 Pascal Strings Quickpost: VMware OS Version Snapshots Quickpost: Portable Power 1768 K The Qwerty Effect And Passwords Update: translate.py Version 2.5.10 oledump Indicators Update: oledump.py Version 0.0.55 Decrypting With translate.py Update: disitool.py Version 0.4 Update: emldump.py Version 0.0.11 Update: oledump.py Version 0.0.56 Update: pecheck.py Version 0.7.12 Quickpost: finger.exe Update: numbers-to-string.py Version 0.0.11 Update: oledump.py version 0.0.57 Decrypting TLS Streams With Wireshark: Part 1 Update: strings.py Version 0.0.6 Update: translate.py Version 2.5.11 Update: cut-bytes.py Version 0.0.13 Update: byte-stats.py Version 0.0.8 Video: Using numbers-to-string.py To Analyze FireEye Maldocs Update: zipdump.py Version 0.0.21 Update: base64dump.py Version 0.0.13 Update: 1768.py Version 0.0.4 Decrypting TLS Streams With Wireshark: Part 2 Update: rtfdump.py Version 0.0.10

YouTube videos:

Analyzing Unusual ZIP Files Stego & Cryptominers oledump: plugin_http_heuristics pecheck: Carving PE Files YARA: Ad Hoc Rules GNU Radio Companion: Acoustic Beat GNU Radio Companion: Simple Filters GNU Radio Companion: .WAV File zipdump.py: Malformed .docm File EICAR File, Memorized ZIP(EICAR File), Memorized Maldoc Analysis With xlm-deobfuscator YARA’s BASE64 Strings Defective USB Cable Testing a Defective USB Cable Measuring a Defective USB Cable Cracking Maldoc VBA Project Passwords oledump.py: plugin_msg_summary strings.py: Pascal strings Measuring a USB Cable – 4-Wire Method Tools in my Wallet Decrypting With translate.py oledump Indicators Analyzing FireEye Maldocs Inspecting Process Explorer Traffic With Fiddler Hobo Knife Process Explorer & VirusTotal: Fixed! December 2020: Jupiter & Saturn

Videoblog posts:

Analyzing Unusual ZIP Files Stego & Cryptominers oledump: plugin_http_heuristics pecheck: Carving PE Files GNU Radio Companion: Acoustic Beats YARA: Ad Hoc Rules GNU Radio Companion: Simple Filters GNU Radio Companion: .WAV File zipdump.py: Malformed .docm File EICAR File, Memorized ZIP(EICAR File), Memorized Maldoc Analysis With xlm-deobfuscator SANS@MIC – Maldocs: a bit of blue, a bit of red YARA’s BASE64 Strings Defective USB Cable Testing a Defective USB Cable Measuring a Defective USB Cable Cracking Maldoc VBA Project Passwords oledump.py: plugin_msg_summary strings.py: Pascal Strings Tools in my Wallet Decrypting With translate.py oledump Indicators Analyzing FireEye Maldocs Inspecting Process Explorer Traffic With Fiddler Hobo Knife Process Explorer & VirusTotal: Fixed! December 2020: Jupiter & Saturn

SANS ISC Diary entries:

“Nim httpclient/1.0.4” KringleCon 2019 etl2pcapng: Convert .etl Capture Files To .pcapng Format Citrix ADC Exploits: Overview of Observed Payloads Wireshark 3.2.1 Released Video: Stego & Cryptominers bsdtar on Windows 10 curl and SSPI Maldoc: Excel 4 Macros in OOXML Format Maldoc: Excel 4 Macros and VBA, Devil and Angel? Wireshark 3.2.2 Released: Windows’ Users Pay Attention Please Excel Maldocs: Hidden Sheets Malicious Spreadsheet With Data Connection and Excel 4 Macros Phishing PDF With Incremental Updates. More COVID-19 Themed Malware KPOT Deployed via AutoIt Script Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability Covid19 Domain Classifier Obfuscated Excel 4 Macros New Bypass Technique or Corrupt Word Document? Password Protected Malicious Excel Files Wireshark 3.2.3 Released: Mac Users Pay Attention Please Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.” KPOT Analysis: Obtaining the Decrypted KPOT EXE KPOT AutoIt Script: Analysis MALWARE Bazaar Video: Malformed .docm File ZIP & AES Sysmon and File Deletion YARA v4.0.0: BASE64 Strings Excel 4 Macro Analysis: XLMMacroDeobfuscator Antivirus & Multiple Detections Some Strings to Remember Wireshark 3.2.4 Released Zloader Maldoc Analysis With xlm-deobfuscator YARA v4.0.1 XLMMacroDeobfuscator: An Update Translating BASE64 Obfuscated Scripts YARA’s BASE64 Strings ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red Comparing Office Documents with WinMerge Video: YARA’s BASE64 Strings Sysmon and Alternate Data Streams Wireshark 3.2.5 Released CVE-2020-5902 F5 BIG-IP Exploitation Attempt CVE-2020-5902: F5 BIG-IP RCE Vulnerability Maldoc: VBA Purging Example VBA Project Passwords Zone.Identifier: A Couple Of Observations ndisasm Update 2.15 Cracking Maldoc VBA Project Passwords Analyzing Metasploit ASP .NET Payloads Small Challenge: A Simple Word Maldoc Small Challenge: A Simple Word Maldoc – Part 2 Wireshark 3.2.6 Released Small Challenge: A Simple Word Maldoc – Part 3 Small Challenge: A Simple Word Maldoc – Part 4 Malicious Excel Sheet with a NULL VT Score: More Info Finding The Original Maldoc Office: About OLE and ZIP Files Office Documents with Embedded Objects Wireshark 3.2.7 Released Decoding Corrupt BASE64 Strings Nmap 7.90 Released Obfuscation and Repetition Open Packaging Conventions Analyzing MSG Files With plugin_msg_summary Nested .MSGs: Turtles All The Way Down File Selection Gaffe Video: Pascal Strings Excel 4 Macros: “Abnormal Sheet Visibility” More File Selection Gaffes Wireshark 3.2.8 and 3.4.0 Released AV Cleaned Maldoc Quick Tip: Extracting all VBA Code from a Maldoc oledump’s ! Indicator Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format Quick Tip: Cobalt Strike Beacon Analysis Quick Tip: Using JARM With a SOCKS Proxy Decrypting PowerShell Payloads (video) oledump’s Indicators (video) Corrupt BASE64 Strings: Detection and Decoding Office 95 Excel 4 Macros Wireshark 3.4.1 Released KringleCon 2020 Analyzing FireEye Maldocs Wireshark 3.4.2 Released Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working Quickie: String Analysis & Maldocs base64dump.py Supported Encodings Quickie: Bit Shifting With translate.py

NVISO blog posts:

Nessus’ UserAssist Plugin Evidence of VBA Purging Found in Malicious Documents Video: Attack Surface Reduction (ASR) Bypass using VBA Tampering with Digitally Signed VBA Projects Epic Manchego – atypical maldoc delivery brings flurry of infostealers

December 31, 2020 by LCDI

Cybersecurity Tips For The New Year

2020 was a year filled with change and learning how to adapt our ways into COVID-19 protocol friendly ones. With these changes, many people started moving their lives to be online. Work meetings, education of all levels, shopping, and even holiday events became remote. With the increase in internet use, cybersecurity professionals saw cybercrimes committed at an all-time high.

That made this past Cybersecurity Awareness Month in October even more valuable than ever. The National Cyber Security Alliance, in partnership with the Cybersecurity and Infrastructure Security Agency, created this year’s theme of “Do Your Part and Be Cyber Smart”.

Our Leahy Center employees decided to be apart of this semester’s virtual events by submitting their tips for the five topics of the do your part theme. For the New Year, we decided to share two of the themes and our tips on how to stay safe. The students range in different positions, majors, and academic years, but all provide great wisdom for anyone looking to stay safe online.

Theme 1: If You Connect It, Protect It

The prompt was described as If you connect it, protect it. The line between our online and offline lives is indistinguishable. This network of connections creates both opportunities and challenges for individuals and organizations across the globe. The first week of Cybersecurity Awareness Month will highlight how internet-connected devices have impacted our lives and will empower all users to own their role in security by taking steps to reduce their risks. Our students said:

“With more and more of our appliances connected to the internet, including locks, mailboxes, refrigerators, watches, and much more, physical security and cybersecurity are becoming the same. To maintain physical security in this world of smart devices, you have to educate yourself about good cybersecurity practices, too. As great as it is that you can lock your door remotely, it’s vital to consider the risks of what somebody could do with unauthorized access to these tools you’re using. Before buying a new smart device, consider these risks. Do some research on the manufacturer’s history in cybersecurity. Ask yourself if the convenience is worth the risks associated with it. Understanding the risks is crucial.”

Sawyer Zundel ’23 // Computer & Digital Forensics

We buy a lot of stuff online these days. Often we may be on a risky website without realizing it. If you are purchasing anything online, make sure the website’s link begins with “HTTPS://” as opposed to “HTTP://”. The “s” at the end of “HTTP” stands for secure. So any transitions on a website that uses “HTTP” would be unsecured. The Chrome and Firefox add-on/extensions “HTTPS everywhere” is a useful tool to help ensure this if you are unsure.

Blaise Notter ’23 // Computer Networking & Cybersecurity Theme 2: Securing Devices at Home and Work

Week 2 of Cybersecurity Awareness Month was described as: focusing on steps users and organizations can take to protect internet-connected devices for personal and professional use. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before. This introduces a whole new set of potential vulnerabilities that users must be conscious of.

“The best way to protect users’ information is to be cautious. The first step would be to use a password when possible. Better yet different passwords so if one account is breached, they all aren’t. The next step would be to not give out information unless needed and to a trusted individual. This means not going to suspicious websites, where info can be stolen by force. As well as being cautious that a website is who they say they are.”

Spencer Bellucci ’22 // Computer Science

“Nowadays, VPN’s have gotten to the point where they are extremely cheap and relatively fast. Whether you are at home or surfing the internet at a Starbucks, the added protection is defiantly worth the $3 a month. It will protect you from various tracking threats/ annoyances by encrypting all of the traffic that leaves your computer. When shopping around for one, I would look for one that does not keep logs of its user’s data as well as has software that works on most devices. The two I have used and recommend the most are TorGuard and Private Internet Access (PIA).”

Thomas Autiello ’23 // Computer Networking & Cybersecurity Other Tips: Students WANT You To Know

With the rise in interconnected devices, it’s important to remember that anything connected to the outside world can be attacked. Taking simple steps such as secure passwords and using password-protected Wi-Fi signals can help immensely when it comes to the security of any device.

Miranda Evans ’22 // Computer & Digital Forensics

Most people keep their life online — whether it be through Facebook, Instagram, Snapchat, or others — so it is always important to remember that the online world is no different than the “real” world. This includes the information you post publicly, from photos, dates, friends, statuses, addresses, and more. At face value, it is fun to use social media outlets to express yourself and snap a photo here and there or use it to promote communication, but everyone must do their part to protect themselves and those around them regarding the information they post. Would you post your phone number on your front lawn? Would you print a map of the local places you’ve been, and with whom, to hand out at your grocery store? Though this information is expressive and fun to share with friends, there are always opportunities for unwanted attention from others when you post it online.

Alexandra Cartwright ’22 // Computer & Digital Forensics

Stay up to date with the Leahy Center by following us on LinkedIn, Twitter, Instagram, and Facebook!

The post Cybersecurity Tips For The New Year appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

December 31, 2020 by Didier Stevens

Overview of Content Published in December

Here is an overview of content I published in December:

Blog posts:

Update: oledump.py Version 0.0.56 Update: pecheck.py Version 0.7.12 Quickpost: finger.exe Update: numbers-to-string.py Version 0.0.11 Update: oledump.py version 0.0.57 Decrypting TLS Streams With Wireshark: Part 1 Update: strings.py Version 0.0.6 Update: translate.py Version 2.5.11 Update: cut-bytes.py Version 0.0.13 Update: byte-stats.py Version 0.0.8 Video: Using numbers-to-string.py To Analyze FireEye Maldocs Update: zipdump.py Version 0.0.21 Update: base64dump.py Version 0.0.13 Update: 1768.py Version 0.0.4 Decrypting TLS Streams With Wireshark: Part 2 Update: rtfdump.py Version 0.0.10

YouTube videos:

Analyzing FireEye Maldocs Inspecting Process Explorer Traffic With Fiddler Hobo Knife Process Explorer & VirusTotal: Fixed! December 2020: Jupiter & Saturn

Videoblog posts:

Analyzing FireEye Maldocs Inspecting Process Explorer Traffic With Fiddler Hobo Knife Process Explorer & VirusTotal: Fixed! December 2020: Jupiter & Saturn

SANS ISC Diary entries:

oledump’s Indicators (video) Corrupt BASE64 Strings: Detection and Decoding Office 95 Excel 4 Macros Wireshark 3.4.1 Released KringleCon 2020 Analyzing FireEye Maldocs Wireshark 3.4.2 Released Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working Quickie: String Analysis & Maldocs base64dump.py Supported Encodings Quickie: Bit Shifting With translate.py