Didier Stevens

Here is an overview of content I published in the 2010s:

Blog posts:

• The Undeletable SafeBoot Key
• New Format for UserAssist Registry Keys
• Adobe Reader JavaScript Blacklist Framework
• Quickpost: New Versions of PDFiD and pdf-parser
• Update: XORSearch Version 1.6.0
• Quickpost: PDF Header %!PS-Adobe-N.n PDF-M.m
• Quickpost: Shellcode to Load a DLL From Memory
• Quickpost: Quasi-Tautologies & SQL-Injection
• cmd.dll
• Excel with cmd.dll & regedit.dll
• MemoryLoadLibrary: From C Program to Shellcode
• Ping Shellcode
• Quickpost: NetworkMashup.xls
• PDF Info Stealer PoC
• Frisky Solitaire – Another Info Stealer
• Tweet Shellcode
• Escape From PDF
• “Escape From Foxit Reader”
• Update: Escape From PDF
• .NET Shellcode
• Update: PDFiD Version 0.0.11 to Detect /Launch
• Writing WIN32 Shellcode With a C-compiler
• Quickpost: More Malformed PDFs
• A Win7 Puzzle…
• Solving the Win7 Puzzle
• Quickpost: No Escape From PDF
• Quickpost: Preventing the /Launch Action “cmd.exe” Bypass
• The Hex Factor RE Challenge
• Mitigating .LNK Exploitation With Ariad
• Mitigating .LNK Exploitation With SRP
• Quickpost: 2 .LNK Tools
• Quickpost: .LNK Template Update
• Quickpost: Ariad & DLL Preloading
• PDFTemplate
• Integrity Levels and DLL Injection
• RunInsideLimitedJob
• Free Malicious PDF Analysis E-book
• LowerMyRights
• PDF, DEP, ASLR and Integrity Levels
• setdllcharacteristics
• Update: LoadDLLViaAppInit
• Quickpost: Adding Certificates to the Certificate Store
• EnforcePermanentDEP
• Password Auditing With a Password Filter
• Quickpost: Adobe Reader X
• Runasil
• HeapLocker
• HeapLocker: Private Memory Usage Monitoring
• HeapLocker: NOP Sled Detection
• Quickpost: “It Does No Harm…” or Does It?
• Quickpost: Checking ASLR
• Circumventing SRP and AppLocker, By Design
• Circumventing SRP and AppLocker to Create a New Process, By Design
• TaskManager.xls
• Update: WhoAmI? Version 0.1.5
• HeapLocker: String Detection
• Update: TaskManager.xls Version 0.0.3
• DumpStrings.1sc
• HeapLocker: Null Page Allocation
• Windows Security Center: Under the Hood
• LockIfNotHot
• Signed Spreadsheet with cmd.dll & regedit.dll
• Suspender.dll
• BackTrack 5 Includes PDFiD and pdf-parser
• Another PDF Puzzle
• Malicious PDF Analysis Workshop Screencasts
• Update: vs.py
• EMET Article
• Quickpost: Need a PoC to Test Your Security Setup? Not Necessarily…
• Integrating My CCTV DVR And Alarm System
• Teensy PDF Dropper Part 1
• Quickpost: Blocking and Detecting a Teensy Dropper
• My Home Surveillance System
• My Home Surveillance System: Some Details
• Force “ASLR” on Shell Extensions
• So How Good is Pseudo-ASLR?
• Quickpost: CCTV Over UTP
• Bottom Up Randomization Saves Mandatory ASLR
• DEP Enforcing Shellcode
• Quickpost: create-remote-thread.py
• simple-shellcode-generator.py
• Add Bottom Up Randomization To (Your Own) Source Code
• The Matryoshka Router
• Update: USBVirusScan 1.7.4
• TaskManager Runs on 64-bit Excel
• Quickpost: Some Windows 8 Observations
• HeapLocker: Preventing Heapsprays
• LoadDLLViaAppInit 64-bit
• RunInsideLimitedJob 64-bit
• HeapLocker 64-bit
• Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag
• Ariad 64-bit
• White Hat Shellcode Workshop: Enforcing Permanent DEP
• Hotfix For SRP/AppLocker Bypass
• Signed TaskManager
• LoadDLLViaAppInit with FORCE_INTEGRITY
• FORCE_INTEGRITY With DLLs
• Happy New Router
• Calculating a SSH Fingerprint From a (Cisco) Public Key
• Identifying IOS
• Analyzing IOS Core Dumps (SOPA-style)
• IOS: Let Me Truncate That Password For You…
• x64 Windows Shellcode
• Quickpost: Disassociating the Key From a TrueCrypt System Disk
• Article: White Hat Shellcode
• Peeking at NAFT
• Teensy PDF Dropper Part 2
• Update: TaskManager.xls V0.1.2
• NAFT Release
• Update: PDFid And pdf-parser
• Update: SE_ASLR Version 0.0.0.2
• InteractiveSieve
• Update: TaskManager.xls V0.1.3 Killer Shellcode
• Why Isn’t my PoC Launching calc.exe?
• ExitProcess Shellcode
• Searching With VirusTotal
• Update: virustotal-search
• Flame: Before and After KB2718704
• Flame Authenticode Dumps (KB2718704)
• Update: vs.py Version 0.5
• _nomap, _nomap, _nomap, …
• Entropy.1sc
• Nmap McAfee ePO Agent Script
• InstalledPrograms.xls
• UserAssist Windows 2000 Thru Windows 8
• My BlueHat Prize Entry: CounterHeapSpray
• Prefetch File 010 Template
• Video: Hardening Windows processes
• Update: InstalledPrograms.xls V0.0.2
• Update: USBVirusScan 1.7.5
• Update: InteractiveSieve 0.7.6
• Update & Split: TaskManager.xls Version 0.1.4
• New Authenticode Tools
• Didier Stevens Labs – Brucon 2012
• Searching For That Adobe Cert
• Hack.lu 2012
• XORSearch Video
• Workshops and Promo
• “Please Buy Our Competitor’s Products”
• XORSearch for OSX
• Quickpost: Spiders and CCTV
• Update: AnalyzePESig Version 0.0.0.2
• Nmap 6.25 With McAfee ePO Agent Script
• Authenticode Tools Page
• ListModules V0.0.0.1
• Crossbreeding Spiders: Baiduspider And Googlebot
• MVP – Promo – Datapipe.xls
• ISSA Journal Article ; HITB PDF Training
• Quickpost: TeamViewer and Proxies
• Update XORSearch V1.8.0: Shifting
• Looking Up Hosts and IP Addresses: Yet Another Tool
• Update: PDFiD Version 0.1.0
• Update: pdf-parser Version 0.4.1
• Update: PDFiD Version 0.1.2
• Cisco IOS Patching: Defense and Offense
• New Tool: XORStrings
• shift.1sc
• fuzzer.1sc
• search-and-replace-with-wildcards.1sc
• pecheck.py
• js-unicode-escape.1sc
• js-unicode-unescape.1sc
• Howto: Add a Digital Signature to a PDF File – Free Software
• VirusTotal: Searching And Submitting
• Howto: Make Your Own Cert And Revocation List With OpenSSL
• Adobe Reader and CRLs
• Quickpost: Signed PDF Stego
• pdf-parser: Searching Inside Streams
• PDFiD: False Positives
• shellcode2vba
• Update: virustotal-search.py
• The Art Of Defuzzing
• Update: js-unicode-unescape.1sc
• Update: Lookup Tools
• MSI: The Case Of The Invalid Signature
• OHM2013
• Quickpost: Rovnix PCAP
• A Bit More Than A Signature
• Quickpost: Proxy Cookies
• Brucon Hacking PDF Training
• Update: pdf-parser V0.4.3
• Bugfix virustotal-submit.py Version 0.0.2
• Finding Contained Files
• Update: XORSearch Version 1.9.2
• Update: Suspender V0.0.0.4
• NAFT: The Movie
• Update: naft-gfe.py
• Update: find-file-in-file.py Version 0.0.3
• Quickpost: nmap & xml
• 4 Times Faster virustotal-search.py
• MS13-098: Fixing Authenticode
• Update: virustotal-submit.py V0.0.3
• Update: Prefetch File 010 Template
• UltraEdit Scripts
• Video: Checking the Digital Signature of Windows Executables
• The Credentials Listener
• My Software
• Forensic Use of CAT Files
• Handling McAfee Quarantine Files
• XORSearch: Finding Embedded Executables
• “Network Device Forensics” Talk
• Recorded “Network Device Forensics” Talk
• Announcement: Wireshark Lua Dissectors
• Heartbleed: Packet Capture
• PDF Rainbow Tables
• Heartbleed: Packet Capture – Full TLS
• nmap Grepable Script Output – Heartbleed
• Heartbleed: Testing From a Cisco IOS Router – ssltest.tcl
• ssl-hearbleed.nse mod
• TCP Flags for Wireshark
• Video: “Packet Class: Wireshark – Lua Protocol Dissectors”
• WhoAmI: status-4-evar
• Packet Class: Wireshark – Import Hex Dump
• Wireshark-export
• Stoned Bitcoin
• Update: Stoned Bitcoin
• Update: translate.py
• Stoned Bitcoin: My Analysis Tools
• Videos
• EICARgen: An Arms Race
• A Return: The Puzzle
• Update: Calculating a SSH Fingerprint From a (Cisco) Public Key
• Introducing Filescanner.exe
• Update: SpiderMonkey
• FileScanner.exe Part 2
• FileScanner.exe Part 3
• FileScanner.exe Part 4
• Update: XORSearch With Shellcode Detector
• Announcement: PDFiD Plugins
• Update: PDFiD With Plugins Part 1
• Update: PDFiD With Plugins Part 2
• XORSearch: Hexdump Support
• Update: pecheck.py Version 0.4.0
• Update: find-file-in-file.py Version 0.0.4
• XORSelection.1sc
• router-forensics.net
• YARA Rules
• Introducing oledump.py
• oledump: Extracting Embedded EXE From DOC
• Update: oledump.py Version 0.0.5
• YouTube Video Promo
• Didier Stevens Suite
• Update: oledump.py Version 0.0.6
• YARA Rule: Detecting JPEG Exif With eval()
• Converting PEiD Signatures To YARA Rules
• AirPcap Channel Hopping With Python
• Update: oledump.py Version 0.0.7
• Update: YARA Rule JPEG_EXIF_Contains_eval
• Update EICARgen Version 2.1
• Update: oledump.py Version 0.0.8
• Analyzing A Fraudulent Document With Error Level Analysis
• Update: oledump.py Version 0.0.9
• Update oledump.py Version 0.0.10
• A New Type Of Malicious Document: XML
• VBA Maldoc: We Don’t Want No Stinkin Sandbox/Virtual PC
• Quickpost: Metasploit User Agent Strings
• Update oledump.py Version 0.0.12
• Update: peid-userdb-to-yara-rules.py
• split.py
• oledump And XML With Embedded OLE Object
• Howto: Make Your Own Cert With OpenSSL on Windows
• pdf-parser And YARA
• Quickpost: Maldocs: VBA And Pastebin
• Update: oledump.py Version 0.0.14
• PDF Password Cracking With John The Ripper
• pdf-parser: A Method To Manipulate PDFs Part 1
• MS15-034 Detection: Some Observations
• MS15-034: PoC Excel Video
• Update: virustotal-search Version 0.1.2 Daily Quota Handling and CVEs
• pdf-parser: A Method To Manipulate PDFs Part 2
• Update: NAFT Version 0.0.9
• Detecting Network Traffic from Metasploit’s Meterpreter Reverse HTTP Module
• Howto: Install Wireshark Dissectors
• Regular Expressions With Comments
• pcap-rename.py
• Metasploit Meterpreter Reverse HTTPS Snort Rule
• Update: oledump.py Version 0.0.17 – ExitCode
• base64dump.py Version 0.0.1
• Extracting Dyre Configuration From A Process Dump
• If You Have A Problem Running My Tools
• “Analysing Malicious Documents” Training At 44CON London
• Jump List Forensics
• Update: pdf-parser Version 0.6.4
• Update: base64dump.py Version 0.0.2
• Test File: PDF With Embedded DOC Dropping EICAR
• nsrl.py: Using the Reference Data Set of the National Software Reference Library
• Wireshark Wifi and Lua Training – Brucon 2015
• PDF + DOC + VBAs Videos
• Dump Tools: Cut Cut Cut …
• Update: base64dump.py Version 0.0.3
• Release: emldump.py Version 0.0.3
• cut-bytes.py
• New workshop videos: Malicious Office Documents Part 1
• Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty)
• Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)
• Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin
• Update: translate.py V2.1.0
• byte-stats.py
• Update: oledump V0.0.20
• Update: emldump.py Version 0.0.4
• Update: cut-bytes.py Version 0.0.2
• Update: find-file-in-file.py Version 0.0.5
• Maldoc Social Engineering Trick
• Update: nsrl.py Version 0.0.2
• Update: emldump.py Version 0.0.5
• Authenticode And Timestamping And sha256
• Update: virustotal-search.py Version 0.1.3
• Update: oledump.py Version 0.0.21
• Update: Authenticode Tools
• Windows Backup Privilege: CMD.EXE
• BruCON Spring Training 2016: Analysing Malicious Documents
• Update: oledump.py Version 0.0.22
• MIME File With “Header”
• Maldoc GET Range
• SHA256 Code Signing and Microsoft
• XOR Known-Plaintext Attack
• Update: shellcode2vba.py Version 0.4
• BlackEnergy .XLS Dropper
• BlackEnergy .XLS Dropper Puzzle
• Update: base64dump.py Version 0.0.4
• Update: emldump.py Version 0.0.6
• Update: xor-kpa.py Version 0.0.2
• Update: cut-bytes.py Version 0.0.3
• Update: numbers-to-hex.py Version 0.0.2
• Create Your Own CMD.XLS
• Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation
• More Obfuscated MIME Type Files
• Even More Obfuscated MIME Type Files
• Update: oledump.py Version 0.0.23
• YARA Rule To Detect VBE Scripts
• Decoding VBE
• Update: decode-vbe.py Version 0.0.2
• Update translate.py Version 2.3.0
• Update: numbers-to-hex.py Version 0.0.3
• MovingXORSelection.1sc
• Update: emldump.py Version 0.0.9
• New YARA Rule: PE_File_pyinstaller
• Update: pecheck.py Version 0.5.0
• Update: pecheck.py Version 0.5.1
• Major Update For zipdump.py
• Recovering A Ransomed PDF
• Update:oledump.py Version 0.0.24
• YouTube Video Promo
• hashcat 3.00 “fatal error: ‘inc_vendor.cl’ file not found”
• Practice ntds.dit File Part 1
• Practice ntds.dit File Part 2: Extracting Hashes
• Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist
• Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force
• Tool To Generate Hashcat Toggle Rules
• Practice ntds.dit File Overview
• Releasing rtfdump.py
• Bugfix: pdf-parser Version 0.6.5
• Video: ntds.dit: Extract Hashes With secretsdump.py
• Update: re-search Version 0.0.2
• rtfdump: Update And Videos
• Howto CreateCertGUI: Create Your Own Certificate On Windows (OpenSSL Library)
• mimikatz: Golden Ticket + DCSync
• Video: mimikatz: Golden Ticket + DCSync
• Update: xor-kpa.py Version 0.0.3 With Man Page
• Update: rtfdump Version 0.0.4
• Update: translate.py Version 2.3.1
• decoder-search.py Beta
• Quickpost: Enhancing Radare2 Disassembly Listing
• rtfdump Videos
• Analyzing Office Maldocs With Decoder.xls
• Update: oledump.py Version 0.0.25
• Update: cut-bytes.py Version 0.0.4
• Update: virustotal-search.py Version 0.1.4
• Maldoc With Process Hollowing Shellcode
• Quickpost: Zone.Identifier
• Update: shellcode2vba.py Version 0.5
• Update: byte_stats.py Version 0.0.4
• Update: zipdump.py Version 0.0.4
• Update: base64dump.py Version 0.0.5
• Simple Ciphers: cipher-tool.py
• Update: xor-kpa.py Version 0.0.4
• Update: pdf-parser Version 0.6.6
• Update: pecheck.py Version 0.5.2
• Update: oledump.py Version 0.0.26
• Update: pecheck.py Version 0.6.0 – Overview Of Resources
• Hancitor Maldoc Videos
• Update: pdf-parser Version 0.6.7
• Update: byte-stats.py Version 0.0.5
• Update: FileScanner Version 0.0.0.4
• Quickpost: Dropbox & Alternate Data Streams
• Update: zipdump.py Version 0.0.5
• Quickpost: ClamAV and ZIP File Decryption
• Update: base64dump.py Version 0.0.6
• Update: rtfdump.py Version 0.0.5
• Update: translate.py Version 2.4.0
• Password History Analysis
• Practice ntds.dit File Part 9: Extracting Password History Hashes
• New Tool: sets.py
• Update: re-search.py Version 0.0.3
• Update: cut-bytes.py Version 0.0.5
• Update: oledump.py Version 0.0.27
• That Is Not My Child Process!
• Quickpost: Using My Bash Bunny To “Snag Creds From A Locked Machine”
• Quickpost: Infinite Control For Bash Bunny
• Quickpost: Bash Bunny & Keyboard Layouts
• Update: re-search.py Version 0.0.4
• CVE-2017-0199
• Malicious Documents: The Matryoshka Edition
• New Tool: python-per-line
• Bash Bunny PDF Dropper
• Gzip Decompression Via Pipes
• Quickpost: Internet Zone IDs
• Crack A ZIP Password, And Fly To Dubai …
• Quickpost: ZIP Password Cracking With John The Ripper
• Quickpost: WannaCry Killswitch Check Is Not Proxy Aware
• Update: re_search.py Version 0.0.5
• Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End)
• Update: re_search.py Version 0.0.7
• Update: zipdump.py Version 0.0.7
• Update: zipdump.py Version 0.0.8
• WannaCry Simple File Analysis
• Update: xor-kpa.py Version 0.0.5
• Update; base64dump.py Version 0.0.7
• Update: zipdump.py Version 0.0.9
• Update: pecheck.py Version 0.7.0
• Update: re-search.py Version 0.0.8
• I Will Follow (no, not talking about social media)
• Quickpost: mimikatz !bsod
• Video: mimikatz & !bsod
• Video: mimikatz & minesweeper
• Select Parent Process from VBA
• Update: zipdump.py Version 0.0.10
• Analyzing ClamAV Signatures
• Analyzing ClamAV Signatures – Correction
• ClamAV sigtool –decode-sigs
• Mimikatz Videos
• Beta: format-bytes.py
• Quickpost: Analyzing .ISO Files Containing Malware
• .ISO Files With Zone.Identifier
• Update:zipdump.py Version 0.0.11
• Update: oledump.py Version 0.0.28
• Update: emldump.py Version 0.0.10
• oledump.py *.vir
• Update: python-per-line.py Version 0.0.2
• New Tool: headtail.py
• The Clip Command
• The Paste Command
• Update: count.py Version 0.2.0
• Analyzing Password Dumps With My Tools – Part 1
• .ISO Files & autorun.inf
• Quickpost: Trying Out JA3
• Update: translate.py Version 2.5.0
• Update: byte-stats.py Version 0.0.6
• Reading Memory Of 64-bit Processes
• Using Metasploit On Windows
• Generating PowerShell Scripts With MSFVenom On Windows
• Wireshark: Follow Streams
• Quickpost: Using ClamAV On Windows
• Quickpost: Metasploit PowerShell BASE64 Commands
• Quickpost: PowerShell Options Order
• Abusing A Writable Windows Service
• Compiling a Windows Service With Mono on Kali
• Update: re-search.py Version 0.0.9
• Running Windows Services on Linux with Mono
• Quickpost: DllDemo
• Quickpost: Keyboard Setting For pfSense
• PyBoard LCD160CR Text Scrolling Window 8
• Quickpost: Update: Infinite Control For Bash Bunny
• Quickpost: GNU Radio On Windows
• Quickpost: Creating A Simple Flow Graph With GNU Radio Companion
• Quickpost: Mimikatz DCSync Detection
• Update: oledump.py Version 0.0.29
• Update: base64dump.py Version 0.0.8
• Update: pdf-parser.py Version 0.6.8
• Update: pdfid.py Version 0.2.2
• Analyzing A Malicious Document Cleaned By Anti-Virus
• Analyzing Metasploit’s Office Maldoc
• Update: byte-stats.py Version 0.0.7
• Update: cut-bytes.py Version 0.0.6
• Update: pecheck.py Version 0.7.1
• Update: oledump.py Version 0.0.30
• Update: numbers-to-string.py Version 0.0.3
• WebDAV Traffic To Malicious Sites
• Update: pcap-rename.py Version 0.0.2
• Update: pdfid.py Version 0.2.3
• Update: rtfdump.py Version 0.0.6
• New Tool: hash.py
• Update: plugin_biff.py Version 0.0.2 / oledump.py Version 0.0.31
• New oledump Plugin: plugin_msg.py / oledump.py Version 0.0.32
• New Tool: xmldump.py
• New Tool: format-bytes.py
• Cracking Encrypted PDFs – Part 1
• Cracking Encrypted PDFs – Part 2
• Cracking Encrypted PDFs – Part 3
• Cracking Encrypted PDFs – Conclusion
• New Tool: What Is New?
• Update: xmldump.py Version 0.0.2
• Update: format-bytes.py Version 0.0.4
• Quickpost: Data Exfiltration With Tor Browser And Domain Fronting
• Quickpost: Retrieving Malware Via Tor On Windows
• New Tool: jpegdump.py
• Update: translate.py Version 2.5.2
• Update: rtfdump.py Version 0.0.7
• Quickpost: Code To Connect To Tor Onion Service
• Quickpost: Remote Shell On Windows Via Tor Onion Service
• Update: python-per-line version 0.0.3
• Update: hash.py Version 0.0.2
• Update: jpegdump.py Version 0.0.4
• Update: pdfid.py Version 0.2.4
• Update: translate.py Version 2.5.3
• Update: oledump.py Version 0.0.33
• Update: pecheck.py Version 0.7.2
• Quickpost: Using nmap With Tallow (Tor proxy)
• Wireshark Comments
• Quickpost: Using Suricata on Windows
• CTRL-Z is EOF
• Update: xmldump.py Version 0.0.3
• Quickpost: Email Server Simulator
• Update: XORSelection.1sc Version 4.0
• Update: hash.py Version 0.0.3
• Update: Patched SpiderMonkey
• Update: python-per-line.py Version 0.0.4
• SpiderMonkey and STDIN
• Update: oledump.py Version 0.0.34
• Update: base64dump.py Version 0.0.9
• Video: SpiderMonkey Output Options
• Update: base64dump.py Version 0.0.10
• Quickpost: Windows Debugger as Post Mortem Debugger – 32-bit & 64-bit
• PDFiD: GoToE and GoToR Detection (“NTLM Credential Theft”)
• Quickpost: John & Dummy Hashes
• Encrypted OOXML Documents
• Update: pecheck.py Version 0.7.3
• “Here Files” and my Tools
• Update: jpegdump.py Version 0.0.5
• Update: translate.py Version 2.5.4
• Update: cut-bytes.py Version 0.0.7
• Update: hash.py version 0.0.5
• Validating Your Downloads
• Update: jpegdump.py Version 0.0.6
• Update: zipdump.py Version 0.0.12
• Quickpost: Decoding Certutil Encoded Files
• Update: re-search.py Version 0.0.10
• Update: re-search.py Version 0.0.11
• Update: oledump.py Version 0.0.35
• Update: zipdump.py Version 0.0.13
• Update: oledump.py Version 0.0.36
• Update: zipdump.py Version 0.0.14
• –jsonoutput
• Quickpost: Compiling DLLs with MinGW on Kali
• New Tool: file-magic.py
• !exploitable Crash Analyzer – Statically Linked CRT
• Update: sets.py Version 0.0.2
• Update: base64dump.py Version 0.0.11
• Extracting DotNetToJScript’s PE Files
• Update: re-search.py Version 0.0.12
• Update: numbers-to-string.py Version 0.0.4
• Update: python-per-line.py Version 0.0.5
• Update: PDFiD.py Version 0.2.5
• Update: oledump.py Version 0.0.37
• Update: format-bytes Version 0.0.5
• Quickpost: Revisiting JA3
• Obtaining Malware Samples for Analysis
• Update: numbers-to-string.py Version 0.0.5
• Quickpost: Compiling DLLs with MinGW on Windows
• Firmware Upgrade: WiFi Pineapple NANO
• WiFi Pineapple NANO: Persistent Recon DB
• Quickpost: Compiling EXEs and Resources with MinGW on Kali
• Update: pecheck.py Version 0.7.4
• Quickpost: Signing Windows Executables on Kali
• KEIHash: Fingerprinting SSH
• Release: Python Tool Templates
• New tool: decompress_rtf.py
• Update: pdf-parser.py Version 0.6.9
• Update: oledump.py Version 0.0.38
• Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt
• Update: file-magic.py Version 0.0.3
• Update: file-magic.py Version 0.0.4
• Update: format-bytes.py Version 0.0.6
• Quickpost: Using pcapy with Npcap on Windows
• Update: hash.py Version 0.0.6
• Update: cut-bytes.py Version 0.0.8
• Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt
• Quickpost: Compiling 32-bit Static ELF Files on Kali
• Quickpost: Compiling with Build Tools for Visual Studio 2017
• Quickpost: Developing for ESP32 with the Arduino IDE
• Update: oledump.py Version 0.0.39
• Release: strings.py
• Update: rtfdump.py Version 0.0.9
• Update: numbers-to-string.py Version 0.0.6
• Update:oledump.py Version 0.0.40
• Update: XORSearch Version 1.11.2
• Update: numbers-to-string.py Version 0.0.7
• New Tool: SimpleEncoder
• Update: format-bytes.py Version 0.0.7
• New Tool: msoffcrypto-crack.py
• Update: msoffcrypto-crack.py Version 0.0.2
• Update: msoffcrypto-crack.py Version 0.0.3
• Update: cut-bytes.py Version 0.0.9
• Update: oledump.py Version 0.0.41
• Update: translate.py Version 2.5.5
• Update: pdf-parser.py Version 0.7.0
• Update: pdf-parser.py Version 0.7.1
• Analyzing a Phishing PDF with /ObjStm
• Update: re-search.py Version 0.0.13
• Update: oledump.py Version 0.0.42
• Maldoc: Excel 4.0 Macro
• Quickpost: PDF Tools Download Feature
• Update: pecheck.py Version 0.7.6
• list-interfaces.xlsm
• Quickpost: Browsers & Content-Disposition
• Extracting “Stack Strings” from Shellcode
• Update: translate.py Version 2.5.6
• Update: python-per-line.py Version 0.0.6
• Update: format-bytes.py Version 0.0.8
• Update: jpegdump.py Version 0.0.7
• Quickpost: Retrieving an SSL Certificate with nmap
• WebDAV, NTLM & Responder
• DSSuite: A Docker Container With My Tools
• Update: zipdump Version 0.0.15
• Update: hex-to-bin.py Version 0.0.2
• Update: sets.py Version 0.0.3
• Quickpost: C Random Functions in Other Languages
• Update: virustotal-search.py Version 0.1.5
• New Tool: amsiscan.py
• Quickpost: nslookup Types
• Update: format-bytes.py Version 0.0.9
• Quickpost: tcp-honeypot.py & Browser Tests
• Update: pdf-parser.py Version 0.7.2
• Downloading Executables Over DNS: Capture Files
• Update: msoffcrypto-crack.py Version 0.0.4
• Update: hash.py Version 0.0.7
• Update: pecheck.py Version 0.7.7
• Update: hex-to-bin.py Version 0.0.3
• Update: strings.py Version 0.0.4
• Update Of My PDF Tools
• Shark Jack Capture File
• PowerShell, Add-Type & csc.exe
• New Tool: simple_tcp_stats.py
• Quickpost: ExifTool, OLE Files and FlashPix Files
• Update: pecheck.py Version 0.7.8
• Quickpost: Compiling Service DLLs with MinGW on Kali
• Quickpost: Running a Service DLL
• Update: cut-bytes.py Version 0.0.10
• Update: numbers-to-string.py Version 0.0.10
• Update: format-bytes.py Version 0.0.10
• Steganography and Malware
• Update: tcp-honeypot.py Version 0.0.7
• Update: numbers-to-string.py Version 0.0.9
• Update: oledump.py Version 0.0.43
• Analyzing .DWG Files With Embedded VBA Macros
• Update: oledump.py Version 0.0.44
• zoneidentifier.exe
• Update: zipdump.py Version 0.0.16
• Update: pdf-parser.py Version 0.7.4 and pdfid.py Version 0.2.7
• YARA “Ad Hoc Rules”

YouTube videos:

• Adobe Reader JavaScript Blacklist Framework
• Excel with cmd.dll & regedit.dll
• PDF: Launch a command
• LockIfNotHot
• Malicious PDF Analysis Workshop – Part 1 – Setup
• Malicious PDF Analysis Workshop – Part 2 – Exercise 1
• Malicious PDF Analysis Workshop – Part 3 – Exercise 2
• Malicious PDF Analysis Workshop – Part 4 – Exercise 3
• Malicious PDF Analysis Workshop – Part 5 – Exercise 4
• Malicious PDF Analysis Workshop – Part 6 – Exercise 4 and 5
• Malicious PDF Analysis Workshop – Part 7 – Exercise 5
• Malicious PDF Analysis Workshop – Part 8 – Exercise 6
• HeapLocker: Preventing Heapsprays
• White Hat Shellcode Workshop: Enforcing Permanent DEP
• Happy New Router
• Announcing Didier Stevens Labs
• XORsearch
• Network Appliance Forensic Toolkit
• Using Process Explorer’s Find Window’s Process
• PDF Rainbow Tables – APDFPR
• Checking the Digital Signature of Windows Executables
• Network Device Forensics
• Meteor over Belgium 29/03/2014
• Packet Class: Wireshark – Lua Protocol Dissectors
• Private IP Address or Public IP Address – netrouteview
• Packet Class: Wireshark – Import Hex Dump
• Cancale Flood Tide
• Lightning Middelkerke 18/07/2014
• Middelkerke 06/06/2014 Jan De Nul Beach Replenishment
• I have a hidden game on my iPad iOS 7 – Hide the apps…
• Urban wildlife on CCTV
• Loosafe SDVR: Language Setup
• punbup.py: Analyzing McAfee Quarantine Files
• EICARgen v2
• Mailmerge UltraEdit Script
• zipdump.py
• oledump.py beta
• count.py
• PDF Creation – Public Tools
• Kanonnen Gent 24/09/2014
• Handheld Spectrum Analyzer
• Cisco ROMMON priv mode
• Malicious Word Document Analysis
• Excel: Example of Privilege Escalation – CVE-2014-4113 MS14-058
• Excel: Privilege Escalation (CVE-2014-4113 MS14-058) & Mimikatz
• oledump With Plugins: Malicious Word Document Analysis
• YARA Registry Scanner
• oledump With Plugins (bis): Malicious Word Document Analysis
• oledump Decoders
• pdf-parser: YARA
• oledump plugin_biff
• Microsoft MVP Award 2015
• Broken Harddisk
• FileContainer.xls
• iCounterCatLives–
• oclHashcat PDF Crypto
• Microsoft MVP 5 Years Disc
• Rapoo Transmitter
• FileContainer.xls 2
• oledump XML
• Urban Wildlife: The Return Of The Marten
• oledump & ClipboardTransformer
• oledump And Yet Another XML
• Howto: Make Your Own Cert With OpenSSL
• oledump And Yet Another XML (Bis)
• CCTV, IR, Spiderwebs and Fog
• PoC: MS15-034 Exploited From Excel
• Maldoc: PDF With OLE
• Maldoc PDF With Embedded DOC: What You See When It’s Opened
• TCP Flags for Wireshark
• Magnet Viewer
• Malicious PDF: Just A URI
• base64dump.py
• re-search and Dyre Malware
• MacBook Screencast
• re-search Part 1
• re-search Part 2
• Analysing Malicious Documents – 44CON 2015 Training
• iPad Screencast Demo
• Electronic road signs used to warn for burning van
• The Making Of: PDF With Embedded DOC Dropping EICAR
• PDF With Embedded DOC And VBA: Reader Mitigation
• Wireshark Wifi and Lua Training – Brucon 2015
• cmd.dll: dll /a
• FindWritableFiles
• iOS app to generate watercolor paintings from pictures
• Cut Cut Cut …
• Wireshark Hex Import
• byte-stats.py
• oledump.py –extra
• Maldoc Social Engineering Trick
• CMD.EXE: Backup Privilege
• SpiderMonkey: Dump
• MIME File With Header
• Analysis Of A Corrupt OLE File
• xor-kpa.py: XOR Known-Plaintext Attack
• Creating CMD.XLS
• CMD.DLL: From DLL To VBA
• BlackEnergy .XLS Dropper
• translate.py: With regex
• VBE
• oledump: VBA UserForm
• numbers-to-hex.py
• Mixing cold and hot water
• MovingXORSelection.1sc
• emldump: Filter Option
• translate.py: Regex Option
• Geocache “¿Y esto que es?” Madrid
• ntds.dit: Extract Hashes With secretsdump.py
• rtfdump: intro
• rtfdump: MS12-027 Maldoc
• rtfdump: MS10-087 Maldoc
• CreateCertGUI
• oledump xor kpa
• ntds.dit: Mimikatz Golden Ticket & DCSync
• Visual Studio 2013 & OpenSSL
• Visual Studio 2013 & MFC
• Maldoc: numbers-to-string.py
• Training: Attacking with Excel
• Malware: Process Explorer & Procmon
• Malware: FakeNet-NG
• Maldoc VBA: .pub File
• Maldoc VBA: decoder.xls
• Maldoc VBA: Shellcode
• Maldoc VBA: Decoding With Excel
• VBA Shellcode To Test EMET
• EMET vs Hancitor Maldoc
• Hancitor maldoc: Extracting URLs
• Hancitor Maldoc: Shellcode Dynamic Analysis
• Sleeping VBS Really Wants To Sleep
• sets.py
• Maldoc Deobfuscation: Character Removal
• Maldoc Deobfuscation: Plugin sub-str
• cut-bytes.py & Here Documents
• oledump & YARA
• Bash Bunny & QuickCreds
• CVE-2017-0199 Demo
• CVE-2017-0199 & Metasploit – Analysis
• Bash Bunny Dropping PDF Via HID
• Malicious Documents: The Matryoshka Edition
• WannaCry: Simple File Analysis
• xor-kpa.py Version 0.0.5
• Ransomware: Very Simple IOC Extraction
• mimikatz & !bsod
• mimikatz & minesweeper
• Select Parent Process From VBA
• mimikatz & Protected Processes
• mimikatz RPC Mode
• mimikatz skeleton
• .ISO Files With Zone.Identifier
• .ISO Files & autorun.inf
• .ZIP Files With Zone.Identifier
• Emotet Maldoc & ViperMonkey
• It’s Not An Invoice
• Wireshark: Follow Streams
• Metasploit’s msf.docm Analysis
• Bash Bunny InfiniteControl Payload
• PyBoard LCD160CR Text Scrolling Window 8
• PDF’s /URI
• Dealing with obfuscated rtf files
• .xlsm: Button & VBA & PowerShell & EXE
• VirusTotal Upload
• Wireshark comments
• PDF: April 1st 2018
• VBA Maldoc: Form-Embedded PE File
• 360° 4K: Bamburg Battery Bunker Ost-W 016-235
• SpiderMonkey Output Options
• New Output Options
• Fileless Input Options
• Analyzing XPS Files
• Retrieving and Processing JSON Data (BTC Example)
• Maldoc with DOSfuscation
• DotNetToJScript Analysis
• Dealing With Numeric Obfuscation
• Maldoc Analysis & Linux Tools
• Maldoc with DOSfuscation: example 2
• oledump: plugin_msg
• Using scdbg to analyze shellcode
• When DOSfuscation Helps…
• oledump: plugin_ppt
• CyberChef: BASE64/XOR Recipe
• Dissecting a CVE-2017-11882 Exploit
• De-DOSfuscation Example
• msoffcrypto-crack
• Analyzing a Simple HTML Phishing Attachment
• Maldoc Analysis of the Weekend
• Finding Property Values in Office Documents
• PDF: Stream Objects (/ObjStm)
• Analyzing a Phishing PDF with /ObjStm
• Maldoc: Excel 4.0 Macro
• Maldoc Analysis: Excel 4.0 Macro
• Analysis of PDFs Created with OpenOffice/LibreOffice
• nmap Service Detection Customization
• Analyzing Compressed PowerShell Scripts
• Analyzing DAA Files
• Encrypted Sextortion PDFs
• Analyzing .DWG Files With Embedded VBA Macros
• AutoCAD & VBA

Videoblog posts:

• Loosafe SDVR: Language Setup
• punbup.py: Analyzing McAfee Quarantine Files
• EICARgen v2
• Retro Video: PiXiE Dust
• Mailmerge UltraEdit Script
• zipdump.py
• oledump.py beta
• count.py
• PDF Creation – Public Tools
• Cisco ROMMON Priv Mode
• Malicious Word Document Analysis
• Excel: Example of Privilege Escalation – CVE-2014-4113 MS14-058
• Excel: Privilege Escalation (CVE-2014-4113 MS14-058) & Mimikatz
• oledump With Plugins: Malicious Word Document Analysis
• YARA Registry Scanner
• oledump With Plugins (bis): Malicious Word Document Analysis
• oledump Decoders
• pdf-parser: YARA
• oledump With plugin_biff
• Broken Harddisk
• Microsoft MVP Award 2015
• FileContainer.xls
• oclHashcat PDF Crypto
• FileContainer.xls 2
• oledump XML
• oledump & ClipboardTransformer
• oledump And Yet Another XML
• Howto: Make Your Own Cert With OpenSSL
• oledump And Yet Another XML (Bis)
• CCTV, IR, Spiderwebs and Fog
• PoC: MS15-034 Exploited From Excel
• Maldoc PDF With Embedded DOC: What You See When It’s Opened
• Maldoc: PDF With OLE
• TCP Flags for Wireshark
• Magnet Viewer
• Malicious PDF: Just A URI
• Maldoc With BASE64
• re-search And Dyre Malware
• Analysing Malicious Documents – 44CON 2015 Training
• re-search Part 2
• re-search Part 1
• The Making Of: PDF With Embedded DOC Dropping EICAR
• PDF With Embedded DOC And VBA: Reader Mitigation
• CMD.DLL: DLL /A
• FindWritableFiles
• Cut Cut Cut …
• Wireshark Hex Import
• byte-stats.py
• oledump.py –extra
• CMD.EXE: Backup Privilege
• SpiderMonkey: Dump
• MIME File With Header
• Analysis Of A Corrupt OLE File
• BlackEnergy .XLS Dropper
• CMD.DLL: From DLL To VBA
• Creating CMD.XLS
• numbers-to-hex.py
• oledump: VBA UserForm
• translate.py: With regex
• VBE
• xor-kpa.py: XOR Known-Plaintext Attack
• MovingXORSelection.1sc
• emldump: Filter Option
• translate.py: Regex Option
• ntds.dit: Extract Hashes With secretsdump.py
• CreateCertGUI
• ntds.dit: Mimikatz Golden Ticket & DCSync
• oledump xor kpa
• rtfdump: intro
• rtfdump: MS10-087 Maldoc
• rtfdump: MS12-027 Maldoc
• Visual Studio 2013 & MFC
• Visual Studio 2013 & OpenSSL
• Maldoc: numbers-to-string.py
• Maldoc VBA: decoder.xls
• Maldoc VBA: .pub File
• Maldoc VBA: Shellcode
• Malware: FakeNet-NG
• Malware: Process Explorer & Procmon
• Training: Attacking with Excel
• Maldoc VBA: Decoding With Excel
• EMET vs Hancitor Maldoc
• Hancitor maldoc: Extracting URLs
• VBA Shellcode To Test EMET
• Hancitor Maldoc: Shellcode Dynamic Analysis
• Sleeping VBS Really Wants To Sleep
• sets.py
• cut-bytes.py & Here Documents
• Maldoc Deobfuscation: Character Removal
• Maldoc Deobfuscation: Plugin sub-str
• oledump & YARA
• Bash Bunny & QuickCreds
• Bash Bunny Dropping PDF Via HID
• CVE-2017-0199 Demo
• CVE-2017-0199 & Metasploit – Analysis
• Malicious Documents: The Matryoshka Edition
• WannaCry: Simple File Analysis
• xor-kpa.py Version 0.0.5
• Ransomware: Very Simple IOC Extraction
• .ISO Files & autorun.inf
• .ISO Files With Zone.Identifier
• mimikatz & !bsod
• mimikatz & minesweeper
• mimikatz & Protected Processes
• mimikatz RPC Mode
• mimikatz skeleton
• Select Parent Process From VBA
• Emotet Maldoc & ViperMonkey
• .ZIP Files With Zone.Identifier
• It’s Not An Invoice
• Metasploit’s msf.docm Analysis
• Wireshark: Follow Streams
• Bash Bunny InfiniteControl Payload
• Dealing with obfuscated rtf files
• PDF’s /URI
• PyBoard LCD160CR Text Scrolling
• Fileless Input Options
• New Output Options
• PDF: April 1st 2018
• SpiderMonkey Output Options
• VBA Maldoc: Form-Embedded PE File
• VirusTotal Upload
• Wireshark comments
• .xlsm: Button & VBA & PowerShell & EXE
• Analyzing XPS Files
• Retrieving and Processing JSON Data (BTC Example)
• Dealing With Numeric Obfuscation
• DotNetToJScript Analysis
• Maldoc Analysis & Linux Tools
• Maldoc with DOSfuscation
• oledump: plugin_msg
• Maldoc with DOSfuscation: example 2
• Using scdbg to analyze shellcode
• CyberChef: BASE64/XOR Recipe
• De-DOSfuscation Example
• Dissecting a CVE-2017-11882 Exploit
• oledump: plugin_ppt
• When DOSfuscation Helps…
• msoffcrypto-crack
• Analyzing a Simple HTML Phishing Attachment
• Maldoc Analysis of the Weekend
• Finding Property Values in Office Documents
• PDF: Stream Objects (/ObjStm)
• Analyzing a Phishing PDF with /ObjStm
• Maldoc: Excel 4.0 Macro
• Maldoc Analysis: Excel 4.0 Macro
• Analysis of PDFs Created with OpenOffice/LibreOffice
• nmap Service Detection Customization
• Analyzing Compressed PowerShell Scripts
• Analyzing DAA Files
• Encrypted Sextortion PDFs
• Analyzing .DWG Files With Embedded VBA Macros
• AutoCAD & VBA

SANS ISC Diary entries:

• XML: A New Vector For An Old Trick
• Maldoc VBA Sandbox/Virtualization Detection
• From PEiD To YARA
• Malicious XML: Matryoshka Edition
• YARA Rules For Shellcode
• SSH Fingerprints Are Important
• VMware Product Updates Address Critical Information Disclosure Issue In JRE
• Wireshark TCP Flags
• The Kill Chain: Now With Pastebin
• Memory Forensics Of Network Devices
• Handling Special PDF Compression Methods
• A Malicious Word Document Inside a PDF Document
• Malicious Word Document: This Time The Maldoc Is A MIME File
• Wireshark TCP Flags: How To Install On Windows Video
• Another Maldoc? I’m Afraid So…
• The EICAR Test File
• Analyzing Quarantine Files
• A .BUP File Is An OLE File
• Working with base64
• Jump List Files Are OLE Files
• Process Explorer and VirusTotal
• Autoruns and VirusTotal
• Sigcheck and VirusTotal
• Searching Through the VirusTotal Database
• Sigcheck and virustotal-search
• PDF + maldoc1 = maldoc2
• Test File: PDF With Embedded DOC Dropping EICAR
• Don’t launch that file Adobe Reader!
• Ransomware & Entropy
• Ransomware & Entropy: Your Turn
• Ransomware & Entropy: Your Turn -> Solution
• Maldoc Social Engineering Trick
• Use The Privilege
• Malfunctioning Malware
• Failure Is An Option
• A Tip For The Analysis Of MIME Files
• BlackEnergy .XLS Dropper
• Sigcheck and VirusTotal for Offline Machine
• Obfuscated MIME Files
• Locky: JavaScript Deobfuscation
• Tip: Quick Analysis of Office Maldoc
• VBE: Encoded VBS Script
• Handling Malware Samples
• VBS + VBE
• Python Malware – Part 1
• Python Malware – Part 2
• Python Malware – Part 3
• Office Maldoc: Let’s Focus on the VBA Macros Later…
• Practice ntds.dit File
• Python Malware – Part 4
• Malicious RTF Files
• rtfobj
• rtfdump
• .PUB Analysis
• VBA and P-code
• Radare2: rahash2
• Maldoc VBA Anti-Analysis
• Analyzing Office Maldocs With Decoder.xls
• Maldoc VBA Anti-Analysis: Video
• Hancitor Maldoc Bypasses Application Whitelisting
• VBA Shellcode and EMET
• VBA Shellcode and Windows 10
• ZIP With Comment
• Update:ZIP With Comment
• Extracting Shellcode From JavaScript
• Hancitor Maldoc Videos
• Sleeping VBS Really Wants To Sleep
• Pinging All The Way
• py2exe Decompiling – Part 1
• py2exe Decompiling – Part 2
• CRA Maldoc Analysis
• Another example of maldoc string obfuscation, with extra bonus: UAC bypass
• Domain Whitelisting With Alexa and Umbrella Lists
• Domain Whitelisting With Alexa and Umbrella Lists – update
• Password History: Insights Shared by a Reader
• Malicious Documents: A Bit Of News
• Malware and XOR – Part 1
• Malware and XOR – Part 2
• PE Section Name Descriptions
• Selecting domains with random names
• Basic Office maldoc analysis
• Office maldoc + .lnk
• Malicious .iso Attachments
• Another .lnk File
• Static Analysis of Emotet Maldoc
• Maldoc Submitted and Analyzed
• Maldoc Analysis with ViperMonkey
• The Good Phishing Email
• Sometimes it’s just SPAM
• It’s Not An Invoice …
• Malware analysis: searching for dots
• It is a resume – Part 1
• It is a resume – Part 2
• Malware analysis output sanitization
• Analyzing JPEG files
• It is a resume – Part 3
• A strange JPEG file
• Peeking into .msg files
• It’s in the signature.
• Remember ACE files?
• PE files and debug info
• PDF documents & URLs
• Extracting the text from PDF documents
• Metasploit’s Maldoc
• BTC Pickpockets
• Sometimes it’s a dud
• Phish or scam? – Part 1
• Phish or scam? – Part 2
• Encrypted PDFs
• PDF documents & URLs: update
• Dealing with obfuscated RTF files
• Analyzing TNEF files
• What is new?
• PDF documents & URLs: video
• Peeking into Excel files
• Decrypting malicious PDFs with the key
• An RTF phish
• Retrieving malware over Tor
• HTTPS on every port?
• Is this a pentest?
• Comment your Packet Captures – Extra!
• Analyzing an HTA file
• Analyzing an HTA file: Update
• An autograph from the Dridex gang
• Finding VBA signatures in Word documents
• Analyzing compressed shellcode
• Finding VBA signatures in .docm files
• Analyzing MSI files
• Retrieving malware over Tor on Windows
• Wireshark and USB
• “Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence.”
• Phishing PDFs with multiple links
• Phishing PDFs with multiple links – Animated GIF
• Phishing PDFs with multiple links – Detection
• Metasploit’s Payload UUID
• A malicious word document with a VBA form
• A malicious word document with a VBA form – video
• New IE 0-day in the wild
• DASAN GPON home routers exploits in-the-wild
• Quick analysis of malware created with NSIS
• Encrypted Office Documents
• Guilty by association
• Analyzing XPS files
• XPS samples
• Video: Analyzing XPS Files
• Progress indication for scripts on Windows
• XPS Metadata
• dd progress indicator on Linux
• dd progress indicator on OSX
• Retrieving and processing JSON data (BTC example)
• Video: Retrieving and processing JSON data (BTC example)
• Extracting BTC addresses from emails
• BTC pickpockets are back
• Maldoc analysis with standard Linux tools
• Analyzing MSG files
• Malicious Word documents using DOSfuscation
• Dealing with numeric obfuscation in malicious scripts
• Video: Maldoc analysis with standard Linux tools
• Numeric obfuscation: another example
• Peeking into msg files – revisited
• A URL shortener handy for phishers
• New Extortion Tricks: Now Including Your (Partial) Phone Number!
• Video: Peeking into msg files – revisited
• OpenSSH user enumeration (CVE-2018-15473)
• Microsoft Publisher malware: static analysis
• Identifying numeric obfuscation
• “When was this machine infected?”
• Another quickie: Using scdbg to analyze shellcode
• Video: Using scdbg to analyze shellcode
• “What is dikona or glirote3?”
• User Agent String “$ua.tools.random()” ? 🙂 !
• 20/20 malware vision
• Suspicious DNS Requests … Issued by a Firewall
• Analyzing Encoded Shellcode with scdbg
• When DOSfuscation Helps…
• Decoding Custom Substitution Encodings with translate.py
• Developing YARA Rules: a Practical Example
• YARA: XOR Strings
• YARA XOR Strings: Some Remarks
• Maldoc: Once More It’s XOR
• CyberChef: BASE64/XOR Recipe
• MSG Files: Compressed RTF
• Detecting Compressed RTF
• Maldoc Duplicating PowerShell Prior to Use
• Windows Defender’s Sandbox
• TriJklcj2HIUCheDES decryption failed?
• Dissecting a CVE-2017-11882 Exploit
• Video: CyberChef: BASE64/XOR Recipe
• Wireshark update 2.6.5 available
• Video: Dissecting a CVE-2017-11882 Exploit
• Word maldoc: yet another place to hide a command
• Reader Malware Submission: MHT File Inside a ZIP File
• Quickie: String Analysis is Still Useful
• Yet Another DOSfuscation Sample
• De-DOSfuscation Example
• Password Protected ZIP with Maldoc
• KringleCon 2018
• Bitcoin “Blacklists”
• Matryoshka Phish
• Video: De-DOSfuscation Example
• Software Crashes: A New Year’s Resolution
• Make a Wheel in 2019!
• Maldoc with Nonfunctional Shellcode
• A Malicious JPEG?
• A Malicious JPEG? Second Example
• Malicious .tar Attachments
• Analyzing Encrypted Malicious Office Documents
• Quick Maldoc Analysis
• Suspicious GET Request: Do You Know What This Is?
• Video: Analyzing Encrypted Malicious Office Documents
• Video: Analyzing a Simple HTML Phishing Attachment
• Maldoc Analysis of the Weekend
• Video: Maldoc Analysis of the Weekend
• Have You Seen an Email Virus Recently?
• Finding Property Values in Office Documents
• Video: Finding Property Values in Office Documents
• Know What You Are Logging
• Identifying Files: Failure Happens
• Sextortion Email Variant: With QR Code
• Maldoc Analysis by a Reader
• Malicious HTA Analysis by a Reader
• Quick and Dirty Malicious HTA Analysis
• Wireshark 3.0.0 and Npcap
• Tip: Ghidra & ZIP Files
• Maldoc: Excel 4.0 Macros
• Video: Maldoc Analysis: Excel 4.0 Macro
• Wireshark 3.0.0 and Npcap: Some Remarks
• “VelvetSweatshop” Maldocs
• Decoding QR Codes with Python
• “VelvetSweatshop” Maldocs: Shellcode Analysis
• “404” is not Malware
• Maldoc Analysis of the Weekend by a Reader
• Analysis of PDFs Created with OpenOffice/LibreOffice
• Analyzing UDF Files with Python
• .rar Files and ACE Exploit CVE-2018-20250
• Malicious VBA Office Document Without Source Code
• Quick Tip for Dissecting CVE-2017-11882 Exploits
• VBA Office Document: Which Version?
• Text and Text
• Do You Remember the SUBST Command?
• Video: nmap Service Detection Customization
• nmap Service Fingerprint
• Office Document & BASE64? PowerShell!
• Analyzing First Stage Shellcode
• Retrieving Second Stage Payload with Ncat
• Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
• Tip: Sysmon Will Log DNS Queries
• Sysmon Version 10: DNS Logging
• Maldoc: Payloads in User Forms
• A “Stream O” Maldoc
• Machine Code?
• Malicious XSL Files
• Machine Code? No!
• isodump.py and Malicious ISO Files
• Malicious RTF Analysis CVE-2017-11882 by a Reader
• Analyzing Compressed PowerShell Scripts
• A Python TCP proxy
• Video: Analyzing Compressed PowerShell Scripts
• Recognizing ZLIB Compression
• Detecting ZLIB Compression
• Nmap Defcon Release: 7.80
• Malicious .DAA Attachments
• Analysis of a Spearphishing Maldoc
• The DAA File Format
• Video: Analyzing DAA Files
• Compressed ISO Files (ISZ)
• Encrypted Sextortion PDFs
• Wireshark 3.0.5 Release: Potential Windows Crash when Updating
• Video: Encrypted Sextortion PDFs
• YARA XOR Strings: an Update
• Encrypted Maldoc, Wrong Password
• Maldoc, PowerShell & BITS
• YARA v3.11.0 released
• YARA’s XOR Modifier
• Wireshark 3.0.6 Released
• Using scdbg to Find Shellcode
• Tip: Password Managers and 2FA
• Remark on EML Attachments
• You Too? “Unusual Activity with Double Base64 Encoding”
• Wireshark 3.0.7 Released
• (Lazy) Sunday Maldoc Analysis
• (Lazy) Sunday Maldoc Analysis: A Bit More …
• VirusTotal Email Submissions
• Malicious .DWG Files?
• Wireshark 3.2.0 Released
• Extracting VBA Macros From .DWG Files
• New oledump.py plugin: plugin_version_vba
• Corrupt Office Documents

NVISO blog posts:

• Malicious Document Targets Belgian Users
• PDF URIs
• Analyzing an Office Maldoc with a VBA Emulator
• Videos: Analyzing an Office Maldoc with a VBA Emulator
• PDF Analysis: Back To Basics
• Decompiling py2exe Executables
• Detecting py2exe Executables: YARA Rule
• Working with GFI Cloud anti-virus quarantine files
• Maldoc: ItÔÇÖs not all VBA these days
• Hunting with YARA rules and ClamAV
• Developing complex Suricata rules with Lua – part 1
• Developing complex Suricata rules with Lua – part 2
• New Hancitor maldocs keep on comingÔǪ
• Analysis of a CVE-2017-0199 Malicious RTF Document
• Hunting malware with metadata
• Critical Samba vulnerability CVE-2017-7494 – Impact on Belgium
• Malicious PowerPoint Documents Abusing Mouse Over Actions
• Decoding malware via simple statistical analysis
• Active exploitation of Struts vulnerability S2-052 CVE-2017-9805
• YARA rules for CCleaner 5.33
• Detecting DDE in MS Office documents
• YARA DDE rules: DDE Command Execution observed in-the-wild
• Windows Credential Guard & Mimikatz
• Creating custom YARA rules
• Painless Cuckoo Sandbox Installation
• Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF
• Sextortion Scam With Leaked Passwords Succeeds
• Shortcomings of blacklisting in Adobe Reader and what you can do about it
• PowerShell Inside a Certificate? – Part 1
• PowerShell Inside a Certificate? – Part 2
• PowerShell Inside a Certificate? – Part 3
• Compiling Our Python Decompiler
• OpenSSH User Enumeration Vulnerability: a Close Look
• Differential Malware Analysis: An Example
• Detecting and Analyzing Microsoft Office Online Video
• Solving a CTF challenge: Exploiting a Buffer Overflow (video)
• Malicious SYLK Files with MS Excel 4.0 Macros
• Extracting Certificates From the Windows Registry
• Analyzing a Malicious Spreadsheet Dropping a DLL
• Nessus’ UserAssist Plugin