Forensic Blogs

An aggregator for digital forensics blogs

by

Overview of Content Published in February

Here is an overview of content I published in February:

Blog posts:

Update: oledump.py Version 0.0.59 Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets Update: re-search.py Version 0.0.16 re-search.py And Custom Validations Update: oledump.py Version 0.0.60

YouTube videos:

tshark & Malware Analysis oledump and YARA DDE Rules

Videoblog posts:

tshark & Malware Analysis oledump and YARA DDE Rules

SANS ISC Diary entries:

YARA v4.0.5 Quickie: tshark & Malware Analysis Video: tshark & Malware Analysis Quickie: Extracting HTTP URLs With tshark DDE and oledump Unprotecting Malicious Documents For Inspection Maldocs: Protection Passwords

by

Overview of Content Published in January

Here is an overview of content I published in January:

Blog posts:

Update: Python Templates Version 0.0.3 Update: oledump.py Version 0.0.58 Decrypting TLS Streams With Wireshark: Part 3 Update: count.py Version 0.3.0 Update: Python Templates Version 0.0.4 Video: Maldoc Analysis With CyberChef Update: re-search.py Version 0.0.14 Update: re-search.py Version 0.0.15 Update: strings.py Version 0.0.7 Update: XORSelection.1sc Version 6.0 New Tool: pdftool.py

YouTube videos:

December 2020: Jupiter & Saturn Maldoc Analysis With CyberChef My Encrypted Storage My Encrypted Storage: Read-Only CyberChef: Analyzing OOXML Files for URLs Doc & RTF Malicious Document Decoding a Payload Using a Dynamic XOR Key pdftool.py: Incremental Updates

Videoblog posts:

Maldoc Analysis With CyberChef My Encrypted Storage My Encrypted Storage: Read-Only CyberChef: Analyzing OOXML Files for URLs Doc & RTF Malicious Document Decoding a Payload Using a Dynamic XOR Key pdftool.py: Incremental Updates

SANS ISC Diary entries:

Strings 2021 Maldoc Strings Analysis Maldoc Analysis With CyberChef New Release of Sysmon Adding Detection for Process Tampering Doc & RTF Malicious Document CyberChef: Analyzing OOXML Files for URLs Video: Doc & RTF Malicious Document YARA v4.0.4 Wireshark 3.4.3 Released

by

Overview of Content Published in 2020

Here is an overview of content I published in 2020:

Blog posts:

Analysis Of Unusual ZIP Files Using CveEventWrite From VBA (CVE-2020-0601) Update: cut-bytes.py Version 0.0.11 Update: format-bytes.py Version 0.0.11 Update: hash.py Version 0.0.8 etl2pcapng: Support For Process IDs Update: pecheck.py Version 0.7.9 Update: oledump.py Version 0.0.45 Update: xmldump.py Version 0.0.4 Update: hex-to-bin.py Version 0.0.4 Update: format-bytes.py Version 0.0.13 Update: translate.py Version 0.2.7 Update: Python Templates Version 0.0.2 Contextual Grepping: Proxmark3 Key Scan Example Update: oledump.py Version 0.0.47 Update: oledump.py Version 0.0.48 CLSIDs in OLE Files Update: cmd.dll Version 0.0.5 pecheck.py Version 0.7.10 Windows Assembly Program To Create New User Quickpost: User-Agent: Microsoft Office Excel 2014 Carving PE Files With pecheck.py Quickpost: Windows Domain Controllers Have No Local Accounts Update: oledump.py Version 0.0.49 mimikatz Is My New EICAR Update: msoffcrypto-crack.py Version 0.0.5 April 1st 2020: FlashPix File With VBA Code Video: GNU Radio Companion: Acoustic Beats Update XORSearch Version 1.11.3 Update: zipdump.py Version 0.0.17 Update: zipdump.py Version 0.0.18 Analyzing Malformed ZIP Files Update: xmldump.py Version 0.0.6 Update: hex-to-bin.py Version 0.0.5 Update: python-per-line.py Version 0.0.7 Handling Diacritics Quickpost: My SpiderMonkey’s Cheat Sheet NVISO Innovation Coin Update: zipdump.py Version 0.0.19 Quickpost: Empty ZIP File Quickpost: Go: Building For Multiple Operating Systems Update: XORSelection.1sc Version 5.0 Quickpost: curl And SSPI Proxy Authentication Update: oledump.py Version 0.0.50 AdHoc GitHub Repository New Tool: simple_ip_stats.py add-admin: Tiny EXE To Add Administrative Account Update: translate.py Version 2.5.8 FalsePositive GitHub Repository VBA Purging Update: base64dump.py Version 0.0.12 Tampering With Digitally Signed VBA Projects Quickpost: curl Update XORSearch Version 1.11.4 Update: oledump.py Version 0.0.51 Cracking VBA Project Passwords ndisasm 2.15 stdin Bug Fix Update: oledump.py 0.0.52 Update: zipdump.py Version 0.0.20 Update: InteractiveSieve 0.9.1 Update: pecheck.py Version 0.7.11 Videos: Defective USB Cable Update: numbers-to-string.py Version 0.0.10 New Tool: XORSearch.py Update: oledump.py 0.0.53 Quickpost: Downloading Files With Windows Defender & User Agent String Quickpost: dig On Windows Quickpost: Ext2explore Quickpost: USB Passive Load “Epic Manchego” And My Tools Update: oledump.py Version 0.0.54 Quickpost: 4 Bytes To Crash Excel Update: translate.py version 2.5.9 Update: strings.py Version 0.0.5 Pascal Strings Quickpost: VMware OS Version Snapshots Quickpost: Portable Power 1768 K The Qwerty Effect And Passwords Update: translate.py Version 2.5.10 oledump Indicators Update: oledump.py Version 0.0.55 Decrypting With translate.py Update: disitool.py Version 0.4 Update: emldump.py Version 0.0.11 Update: oledump.py Version 0.0.56 Update: pecheck.py Version 0.7.12 Quickpost: finger.exe Update: numbers-to-string.py Version 0.0.11 Update: oledump.py version 0.0.57 Decrypting TLS Streams With Wireshark: Part 1 Update: strings.py Version 0.0.6 Update: translate.py Version 2.5.11 Update: cut-bytes.py Version 0.0.13 Update: byte-stats.py Version 0.0.8 Video: Using numbers-to-string.py To Analyze FireEye Maldocs Update: zipdump.py Version 0.0.21 Update: base64dump.py Version 0.0.13 Update: 1768.py Version 0.0.4 Decrypting TLS Streams With Wireshark: Part 2 Update: rtfdump.py Version 0.0.10

YouTube videos:

Analyzing Unusual ZIP Files Stego & Cryptominers oledump: plugin_http_heuristics pecheck: Carving PE Files YARA: Ad Hoc Rules GNU Radio Companion: Acoustic Beat GNU Radio Companion: Simple Filters GNU Radio Companion: .WAV File zipdump.py: Malformed .docm File EICAR File, Memorized ZIP(EICAR File), Memorized Maldoc Analysis With xlm-deobfuscator YARA’s BASE64 Strings Defective USB Cable Testing a Defective USB Cable Measuring a Defective USB Cable Cracking Maldoc VBA Project Passwords oledump.py: plugin_msg_summary strings.py: Pascal strings Measuring a USB Cable – 4-Wire Method Tools in my Wallet Decrypting With translate.py oledump Indicators Analyzing FireEye Maldocs Inspecting Process Explorer Traffic With Fiddler Hobo Knife Process Explorer & VirusTotal: Fixed! December 2020: Jupiter & Saturn

Videoblog posts:

Analyzing Unusual ZIP Files Stego & Cryptominers oledump: plugin_http_heuristics pecheck: Carving PE Files GNU Radio Companion: Acoustic Beats YARA: Ad Hoc Rules GNU Radio Companion: Simple Filters GNU Radio Companion: .WAV File zipdump.py: Malformed .docm File EICAR File, Memorized ZIP(EICAR File), Memorized Maldoc Analysis With xlm-deobfuscator SANS@MIC – Maldocs: a bit of blue, a bit of red YARA’s BASE64 Strings Defective USB Cable Testing a Defective USB Cable Measuring a Defective USB Cable Cracking Maldoc VBA Project Passwords oledump.py: plugin_msg_summary strings.py: Pascal Strings Tools in my Wallet Decrypting With translate.py oledump Indicators Analyzing FireEye Maldocs Inspecting Process Explorer Traffic With Fiddler Hobo Knife Process Explorer & VirusTotal: Fixed! December 2020: Jupiter & Saturn

SANS ISC Diary entries:

“Nim httpclient/1.0.4” KringleCon 2019 etl2pcapng: Convert .etl Capture Files To .pcapng Format Citrix ADC Exploits: Overview of Observed Payloads Wireshark 3.2.1 Released Video: Stego & Cryptominers bsdtar on Windows 10 curl and SSPI Maldoc: Excel 4 Macros in OOXML Format Maldoc: Excel 4 Macros and VBA, Devil and Angel? Wireshark 3.2.2 Released: Windows’ Users Pay Attention Please Excel Maldocs: Hidden Sheets Malicious Spreadsheet With Data Connection and Excel 4 Macros Phishing PDF With Incremental Updates. More COVID-19 Themed Malware KPOT Deployed via AutoIt Script Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability Covid19 Domain Classifier Obfuscated Excel 4 Macros New Bypass Technique or Corrupt Word Document? Password Protected Malicious Excel Files Wireshark 3.2.3 Released: Mac Users Pay Attention Please Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.” KPOT Analysis: Obtaining the Decrypted KPOT EXE KPOT AutoIt Script: Analysis MALWARE Bazaar Video: Malformed .docm File ZIP & AES Sysmon and File Deletion YARA v4.0.0: BASE64 Strings Excel 4 Macro Analysis: XLMMacroDeobfuscator Antivirus & Multiple Detections Some Strings to Remember Wireshark 3.2.4 Released Zloader Maldoc Analysis With xlm-deobfuscator YARA v4.0.1 XLMMacroDeobfuscator: An Update Translating BASE64 Obfuscated Scripts YARA’s BASE64 Strings ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red Comparing Office Documents with WinMerge Video: YARA’s BASE64 Strings Sysmon and Alternate Data Streams Wireshark 3.2.5 Released CVE-2020-5902 F5 BIG-IP Exploitation Attempt CVE-2020-5902: F5 BIG-IP RCE Vulnerability Maldoc: VBA Purging Example VBA Project Passwords Zone.Identifier: A Couple Of Observations ndisasm Update 2.15 Cracking Maldoc VBA Project Passwords Analyzing Metasploit ASP .NET Payloads Small Challenge: A Simple Word Maldoc Small Challenge: A Simple Word Maldoc – Part 2 Wireshark 3.2.6 Released Small Challenge: A Simple Word Maldoc – Part 3 Small Challenge: A Simple Word Maldoc – Part 4 Malicious Excel Sheet with a NULL VT Score: More Info Finding The Original Maldoc Office: About OLE and ZIP Files Office Documents with Embedded Objects Wireshark 3.2.7 Released Decoding Corrupt BASE64 Strings Nmap 7.90 Released Obfuscation and Repetition Open Packaging Conventions Analyzing MSG Files With plugin_msg_summary Nested .MSGs: Turtles All The Way Down File Selection Gaffe Video: Pascal Strings Excel 4 Macros: “Abnormal Sheet Visibility” More File Selection Gaffes Wireshark 3.2.8 and 3.4.0 Released AV Cleaned Maldoc Quick Tip: Extracting all VBA Code from a Maldoc oledump’s ! Indicator Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format Quick Tip: Cobalt Strike Beacon Analysis Quick Tip: Using JARM With a SOCKS Proxy Decrypting PowerShell Payloads (video) oledump’s Indicators (video) Corrupt BASE64 Strings: Detection and Decoding Office 95 Excel 4 Macros Wireshark 3.4.1 Released KringleCon 2020 Analyzing FireEye Maldocs Wireshark 3.4.2 Released Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working Quickie: String Analysis & Maldocs base64dump.py Supported Encodings Quickie: Bit Shifting With translate.py

NVISO blog posts:

Nessus’ UserAssist Plugin Evidence of VBA Purging Found in Malicious Documents Video: Attack Surface Reduction (ASR) Bypass using VBA Tampering with Digitally Signed VBA Projects Epic Manchego – atypical maldoc delivery brings flurry of infostealers