Forensic Blogs

An aggregator for digital forensics blogs

April 3, 2022 by Didier Stevens

.ISO Files With Office Maldocs & Protected View in Office 2019 and 2021

We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.

One of the reasons to do this, is to evade “mark-of-web propagation”.

When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications will mark this file as coming from the Internet. This is done with a ZoneIdentifier Alternate Data Stream (like a “mark-of-web”).

When a Microsoft Office application, like Word, opens a document with a ZoneIdentifier ADS, the document is opened in Protected View (e.g., sandboxed).

But when an Office document is stored inside an ISO file, and that ISO has a ZoneIdentifier ADS, then Word will not open the document in Protected View. That is something I observed 5 years ago.

But this has changed recently. When exactly, I don’t know.

But when I open an Office document stored inside an ISO file marked with a ZoneIdentifier ADS, Office 2021 will open the document in protected view:

With an unpatched version of Office 2019, that I installed a year ago, that same file is not opened in Protected View:

After updating Office:

Word’s behavior has changed:

The file is now opened in Protected View.

If you want to test this yourself, you can use my ZoneIdentifier tool to easily settings a “mark-of-web” without having to download your test file from the Internet:

Or you can just add the ZoneIdentifier ADS with notepad.

I did the same test with Office 2016, I updated an old version and: the document is not opened in Protected View.

I don’t know exactly when Microsoft Office 2019 was updated so that it would open documents in Protected View when they are inside an ISO file marked as originating from the Internet. But if you do know, please post a comment.

Read the original at: Didier StevensFiled Under: Digital Forensics Tagged With: maldoc, Malware, Uncategorized

February 11, 2022 by The Leahy Center for Digital Forensics & Cybersecurity

Celebrating Black Greatness in Cybersecurity and Technology

The Leahy Center is taking a look at some of the most influential Black leaders in cybersecurity and technology. ... Read More

The post Celebrating Black Greatness in Cybersecurity and Technology appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & CybersecurityFiled Under: Digital Forensics, Uncategorized Tagged With: Black History, D&I, Diveristy, technology, Uncategorized

November 29, 2021 by Didier Stevens

Update: cs-extract-key.py Version 0.0.3

This update brings a new option: -V –verbose.

Verbose output includes an hex/ascii dump of the decrypted data:

cs-extract-key_V0_0_3.zip (https)
MD5: C40C96B68701369F41EB6731FD83B28B
SHA256: CBB5EC3C8C36931D56AB42E3086CF7E95ABC7782D74F30DDCCF874BD4E89B6BB

Read the original at: Didier StevensFiled Under: Digital Forensics Tagged With: Uncategorized

  • 1
  • 2
  • 3
  • …
  • 48
  • Next Page »

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.

  • Contact
  • Aggregated Sites

Suggest a Site

Know of a site we should add? Enter it below

Sending

Jump to Category

All content is copyright the respective author(s)