Sunday 16 July 2023
Overview of Content Published in June
Here is an overview of content I published in June:
Blog posts:
SANS ISC Diary entries:
Thursday 15 June 2023
Overview of Content Published in May
Here is an overview of content I published in May:
Blog posts:
SANS ISC Diary entries:
Monday 1 May 2023
Overview of Content Published in April
Here is an overview of content I published in April:
Blog posts:
SANS ISC Diary entries:
Monday 10 April 2023
New Tool: myjson-transform.py
This tool takes JSON output from tools like oledump, zipdump, base64dump, … via stdin and transforms the data produced by these tools.
The transformation function (name Transform) has to be defined in a Python script provided via option -s.
This Transform function has 2 arguments: items and options.
items is a list of dictionaries produced by the “feeding” tool , e.g., the tool whose JSON output is piped into this tool (oledump, …).
Each dictionary has 3 keys: id, name and content.
The transformation function reads content from the items, and transforms it. The transformed data is the return value of the Transform function, and it can also be stored in the items list (modifying the values of the dictionaries, like the content value for example).
By default, this tool will output the transformed data (return value of Transform function) as binary data.
With options -a, -A, -x, -X, -b, -B this output can be presented as ASCII dump, hex dump and base64 dump. Option -d is also present to explicitly request a binary dump.
If option –jsonoutput is used, then the return value of the Transform function is ignored, and in stead, the transformed items are output as JSON data.
The –jsonouput option can not be combined with the above output format options.
Option -p (–parameter) is a string option that is passed on to the Transform function (via options argument). It is designed to be used by the developer of the Transform function as they see fit.
For example, it can be used to tell the Transform function which item to select for transformation, in case there are several items.
Take a look at my SANS ISC diary entry “Another Malicious HTA File Analysis – Part 2” for an example on how to decrypt an AES encrypted payload.
myjson-transform_V0_0_1.zip (http)MD5: 01669E77D9706317A92112E2918A73B9
SHA256: 5DD1DB80D18480196C5EEF415AA7D22C1EB54B985B4D6ACF56E739B58052D34C
Saturday 1 April 2023
Overview of Content Published in March
Here is an overview of content I published in March:
Blog posts:
- Update: oledump.py Version 0.0.73
- Update: python-per-line.py version 0.0.10
- Update: myjson-filter.py Version 0.0.4
- YARA: Detect The Unexpected …
- String Obfuscation: Character Pair Reversal
- Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files
- CyberChef Version 10 Released
- Extra: “String Obfuscation: Character Pair Reversal”
- Another Malicious HTA File Analysis – Part 1
- Extracting Multiple Streams From OLE Files
Thursday 23 March 2023
Overview of Content Published in February
Content:
Here is an overview of content I published in February:
Blog posts:
SANS ISC Diary entries:
Saturday 4 February 2023
Overview of Content Published in January
Here is an overview of content I published in January:
Blog posts:
SANS ISC Diary entries:
Monday 2 January 2023
Overview of Content Published in 2022
Here is an overview of content I published in 2022:
Blog posts:
- Update: jpegdump.py Version 0.0.9
- Windows Explorer: Improper Exif Data Removal
- Beta: smtp-honeypot.py
- Update: oledump.py Version 0.0.63
- Update: 1768.py Version 0.0.12
- Update: oledump.py Version 0.0.64
- New Tool: xlsbdump.py
- spring4shell Capture File
- Power Consumption Of A Philips Hue lamp In Off State
- .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021
- New Tool: myjson-filter.py
- Update: cut-bytes.py Version 0.0.14
- Update: 1768.py Version 0.0.13
- New Tool: pngdump.py (Beta)
- Update: re-search.py Version 0.0.19
- Update: oledump.py Version 0.0.65
- Quickpost: Machine Code Infinite Loop
- Update: oledump.py Version 0.0.66
- Update: cs-parse-traffic.py Version 0.0.5
- Update: zipdump.py Version 0.0.22
- Update: oledump.py Version 0.0.67
- Update: base64dump.py Version 0.0.21
- Update: pecheck.py Version 0.7.15
- Update: re-search.py Version 0.0.20
- Update: pdf-parser.py Version 0.7.6
- Update: 1768.py Version 0.0.14
- Update: Python Templates Version 0.0.7
- PoC: Cobalt Strike mitm Attack
- Update: oledump.py Version 0.0.68
- Update: python-per-line.py Version 0.0.8
- New Tool: dns-query-async.py
- Discovering A Forensic Artifact
- Update: base64dump.py Version 0.0.22
- New Tool: sortcanon.py
- Another Exercise In Encoding Reversing
- Examples Of Encoding Reversing
- Quickpost: Cracking PDF Owner Passwords
- Update: cut-bytes.py Version 0.0.15
- Update: format-bytes.py Version 0.0.14
- simple_listener.py
- Quickpost: Standby Power Consumption Of My USB Chargers
- Update: base64dump.py Version 0.0.23
- Update: sortcanon Version 0.0.2
- Update: oledump.py Version 0.0.69
- Update: re-search.py Version 0.0.21
- Quickpost: Standby Power Consumption Of My USB Chargers (120V vs 230V)
- Quickpost: iPad Pro Charging ? Power Consumption
- Update: 1768.py Version 0.0.15
- Update: 1768.py Version 0.0.16
- Quickpost: Standby Power Consumption Of My Bosch 18V Chargers
- Update: jpegdump.py Version 0.0.10
- Update: oledump.py Version 0.0.70
- Update: translate.py Version 2.5.12
- Update: xor-kpa.py Version 0.0.6
- Update: hex-to-bin.py Version 0.0.6
- Quickpost: Sun Drying Biodegradable Waste
- Quickpost: Dolmen du roc de l?Arca
- Maldoc Analysis Video ? Rehearsed & Unrehearsed
- Quickpost: An Inefficient Powerbank
- Update: virustotal-search.py Version 0.1.7
- New Tool: split-overlap.py
- Update: strings.py Version 0.0.8
- Update: My Python Templates Version 0.0.8
- Quickpost: Tuning The Electric Energy Consumption Of My TV
- Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3
- Update: rtfdump.py Version 0.0.11
- Quickpost: Standby Power Consumption Of An Old Linear Power Supply
- Update: base64dump.py Version 0.0.24
- Update: rtfdump.py Version 0.0.12
- Quickpost: Testing A Lemon Battery
- Update: byte-stats.py Version 0.0.9
- The Making Of: qa-squeaky-toys.docm
- Quickpost: BruCON Travel Charger
- Quickpost: Testing A USB Fridge
- Update: pdf-parser.py Version 0.7.7
- Update: oledump.py Version 0.0.71
- Quickpost: Testing A USB Fridge (Update)
- Update: what-is-new.py Version 0.0.2
- Update: python-per-line.py Version 0.0.9
- Extracting Certificates For Defender
- Update: count.py Version 0.3.1
- Update: hash.py Version 0.0.9
- Update: virustotal-search.py Version 0.1.8
- Update: zipdump.py Version 0.0.23
- New tool: teeplus.py
- Update: filescanner Version 0.0.0.8
- Update: InteractiveSieve Version 0.9.2.0
- Update: nsrl.py Version 0.0.4
- Update: file-magic.py Version 0.0.5
- Update: myjson-filter.py Version 0.0.3
- Update: dnsresolver.py Version 0.0.2
- New Tool: dns-pydivert.py
- Combining dns-pydivert And dnsresolver
- Powerstrip With Neon Lamp Switch
- Update: zipdump.py Version 0.0.24
- Combining zipdump, file-magic And myjson-filter
- YARA’s Console Module
- Quick & Dirty Shellcode Analysis – CVE-2017-11882
- TShark & Multiple IP Addresses
- Maldoc Cleaned by Anti-Virus
- curl, json & jo
- Method For String Extraction Filtering
- Office Protects You From Malicious ISO Files
- Maldoc .DOCX MSDT Inside Sandbox
- Decoding Obfuscated BASE64 Statistically
- Another Exercise In Encoding Reversing
- Maldoc: non-ASCII VBA Identifiers
- 1768.py’s Sanity Check
- James Webb JPEG With Malware
- VBA Maldoc & UTF7 (APT-C-35)
- An Obfuscated Beacon – Extra XOR Layer
- Maldoc Analysis: Rehearsed vs. Unrehearsed
- Analyzing Obfuscated VBS with CyberChef
- Grep & Tail -f With Notepad++
- Analysis of a Malicious HTML File (QBot)
- PNG Analysis
- PNG + mimikatz.exe
- Extracting Information From “logfmt” Files With CyberChef
- Extracting Information From “logfmt” Files With InteractiveSieve
- YARA?s Console Module
- MSBuild & Cobalt Strike
- Quick & Dirty Shellcode Analysis ? CVE-2017-11882
- TShark & Multiple IP Addresses
- Maldoc Cleaned by Anti-Virus
- curl, json & jo
- Method For String Extraction Filtering
- Office Protects You From Malicious ISO Files
- Maldoc .DOCX MSDT Inside Sandbox
- RTF & ms-msdt & Preview Pane
- Decoding Obfuscated BASE64 Statistically
- Maldoc: non-ASCII VBA Identifiers
- 1768.py?s Sanity Check
- James Webb JPEG With Malware
- VBA Maldoc & UTF7 (APT-C-35)
- An Obfuscated Beacon ? Extra XOR Layer
- Analyzing Obfuscated VBS with CyberChef
- Grep & Tail -f With Notepad++
- Analysis of a Malicious HTML File (QBot)
- PNG Analysis
- PNG + mimikatz.exe
- Extracting Information From ?logfmt? Files With CyberChef
- Expect Regressions
- TShark & jq
- Extracting Cobalt Strike Beacons from MSBuild Scripts
- YARA’s Console Module
- Power over Ethernet and Thermal Imaging
- Wireshark 3.6.2 Released
- Video: YARA’s Console Module
- Sending an Email to an IPv4 Address?
- Windows, Fixed IPv4 Addresses and APIPA
- Video: Quick & Dirty Shellcode Analysis – CVE-2017-11882
- TShark & Multiple IP Addresses
- oledump’s Extra Option
- Video: TShark & Multiple IP Addresses
- ICMP Messages: Original Datagram Field
- YARA 4.2.0 Released
- Curl on Windows
- SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5)
- MGLNDD_* Scans
- Maldoc Cleaned by Anti-Virus
- Wireshark 3.6.3 Released
- Video: Maldoc Cleaned by Anti-Virus
- Quickie: Parsing XLSB Documents
- curl 7.82.0 Adds –json Option
- jo
- Method For String Extraction Filtering
- Video: Method For String Extraction Filtering
- Office Protects You From Malicious ISO Files
- Video: Office Protects You From Malicious ISO Files
- Sysmon’s RegistryEvent (Value Set)
- Analyzing a Phishing Word Document
- YARA 4.2.1 Released
- Detecting VSTO Office Files With ExifTool
- Quick Analysis Of Phishing MSG
- Wireshark 3.6.5 Released
- Huge Signed PE File
- Huge Signed PE File: Keeping The Signature
- Extracting The Overlay Of A PE File
- Analysis Of An “ms-msdt” RTF Maldoc
- “ms-msdt” RTF Maldoc Analysis: oledump Plugins
- Quickie: Follina, RTF & Explorer Preview Pane
- Decoding Obfuscated BASE64 Statistically
- Wireshark 3.6.6 Released
- Video: Decoding Obfuscated BASE64 Statistically
- More Decoding Analysis
- My Paste Command
- YARA 4.2.2 Released
- 7-Zip & MoW
- 7-Zip & MoW: “For Office files”
- 7-Zip Editing & MoW
- Python: Files In Use By Another Process
- Adding Your Own Keywords To My PDF Tools
- Maldoc: non-ASCII VBA Identifiers
- Video: Maldoc: non-ASCII VBA Identifiers
- Wireshark 3.6.7 Released
- VBA Maldoc & UTF7 (APT-C-35)
- YARA 4.2.3 Released
- Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01
- Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
- Update: VBA Maldoc & UTF7 (APT-C-35)
- James Webb JPEG With Malware
- Video: James Webb JPEG With Malware
- Video: VBA Maldoc & UTF7 (APT-C-35)
- Quickie: Grep & Tail -f With Notepad++
- Analysis of an Encoded Cobalt Strike Beacon
- Analyzing Obfuscated VBS with CyberChef
- Maldoc With Decoy BASE64
- Wireshark 3.6.8 and 4.0.0rc1 Released
- Word Maldoc With CustomXML and Renamed VBAProject.bin
- Video: Analyzing Obfuscated VBS with CyberChef
- Video: Grep & Tail -f With Notepad++
- Maldoc Analysis Info On MalwareBazaar
- Downloading Samples From Takendown Domains
- PNG Analysis
- Sysmon v14.1 Release
- Wireshark 4.0.0 Released
- Curl’s resolve Option
- Wireshark: Specifying a Protocol Stack Layer in Display Filters
- Analysis of a Malicious HTML File (QBot)
- Video: Analysis of a Malicious HTML File (QBot)
- rtfdump’s Find Option
- Video: PNG Analysis
- Quickie: CyberChef & Microsoft Script Decoding
- Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11
- IPv4 Address Representations
- Update: IPv4 Address Representations
- Extracting Information From “logfmt” Files With CyberChef
- Finger.exe LOLBin
- VLC’s Check For Updates: No Updates?
- Open Now: 2022 SANS Holiday Hack Challenge & KringleCon
- Quickie: CyberChef Sorting By String Length
- CyberChef & Entropy
- YARA v4.3.0-rc1 –print-xor-key
Sunday 1 January 2023
Overview of Content Published in December
Here is an overview of content I published in December:
Blog posts:
- Update: python-per-line.py Version 0.0.9
- Extracting Certificates For Defender
- Update: count.py Version 0.3.1
- Update: hash.py Version 0.0.9
- Update: virustotal-search.py Version 0.1.8
- Update: zipdump.py Version 0.0.23
- New tool: teeplus.py
- Update: filescanner Version 0.0.0.8
- Update: InteractiveSieve Version 0.9.2.0
- Update: nsrl.py Version 0.0.4
- Update: file-magic.py Version 0.0.5
- Update: myjson-filter.py Version 0.0.3
- Update: dnsresolver.py Version 0.0.2
- New Tool: dns-pydivert.py
- Combining dns-pydivert And dnsresolver
- Powerstrip With Neon Lamp Switch
- Update: zipdump.py Version 0.0.24
- Combining zipdump, file-magic And myjson-filter
Monday 26 December 2022
New Tool: dns-pydivert.py
dns-pydivert is a tool that uses WinDivert, a “user-mode packet capture-and-divert package for Windows” to divert IPv4 DNS packets to and from the machine it is running on.
This tool requires admin rights.
When started, it listens for IPv4 UDP packets with source and/or destination port equal to 53.
When this tools processes its first UDP packet with destination port 53, it considers the source address of this packet as the DNS client’s IPv4 address (e.g., the Windows machine this tool is running on) and the destination address to be the IPv4 address of the DNS server used by the client.
From then on, all IPv4 UDP packets with source or destination port 53 (including that first packet) are altered by the tool.
All IPv4 UDP packets with destination port 53, have their destination address changed to the IPv4 address of the client.
All IPv4 UDP packets with source port 53, have their source address changed to the IPv4 address of the DNS server.
This tool can be used to redirect all DNS IPv4 traffic to the machine itself, where a tool like dnsresolver.py can handle the DNS requests.
Caveats:
- This tool does not handle IPv6.
- This tool does not check if the UDP packets to and/or from port 53 are actual DNS packets.
- This tool ignores DNS traffic over TCP.
- This tool does not handle queries to multiple DNS servers (different IPv4 addresses) correctly.
MD5: BEAB8F9D180E15B27EB86CBEF7429216
SHA256: 7CB4BA7A4ABC0788AB8CE3F2DD1006DF86AD5D80943A4716FC3E62F1FA2100F6
Didier Stevens 