PoC: Cobalt Strike mitm Attack
I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now. I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike...
Another Exercise In Encoding Reversing
In this blog post, I will show how to decode a payload encoded in a variation of hexadecimal encoding, by performing statistical analysis and guessing some of the “plaintext”. I do have the decoder...
Examples Of Encoding Reversing
I recently created 2 blog posts with corresponding videos for the reversing of encodings. The first one is on the ISC diary: “Decoding Obfuscated BASE64 Statistically”. The payload is encoded with a...
Maldoc Analysis Video – Rehearsed & Unrehearsed
When I record maldoc analysis videos, I have already analyzed the maldoc prior to recording, and I rehearse the recording. This time, I also recorded the unrehearsed analysis: when I take the first...
Extracting Certificates For Defender
A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list. The procedure involves right-clicking the EXE in Windows Explorer,...
Combining dns-pydivert And dnsresolver
I use my tools dns-pydivert and dnsresolver.py for dynamic analysis of software (malware and benign software). On the virtual machine where I’m doing dynamic analysis, I disable IPv6 support. I...
Combining zipdump, file-magic And myjson-filter
In this blog post, I show how you can combine my tools zipdump.py, file-magic.py and myjson-filter.py to select and analyze files of a particular type. I start with a daily batch of malware files...
New Tool: onedump.py
This is a new tool (based on my Python template for binary files) to analyze OneNote files. This version is limited to handling embedded files (for the moment). As I might still make significant...
Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs
JPCERT reported a new type of maldoc: “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file –”. These maldocs are PDF files that embed a Word document (ActiveMime) in...
Quickpost: PDF/ActiveMime Maldocs YARA Rule
Here is a YARA rule I developed to detect the PDF/ActiveMime maldocs I wrote about in “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs”. It looks for files that start with %PDF- (this header can be...