- Update: oledump.py Version 0.0.66
- Update: cs-parse-traffic.py Version 0.0.5
- Update: zipdump.py Version 0.0.22
- Update: oledump.py Version 0.0.67
- Update: base64dump.py Version 0.0.21
- Update: pecheck.py Version 0.7.15
- Update: re-search.py Version 0.0.20
- Update: pdf-parser.py Version 0.7.6
- Update: 1768.py Version 0.0.14
- Update: Python Templates Version 0.0.7
- PoC: Cobalt Strike mitm Attack
Monday 6 June 2022
Overview of Content Published in May
Sunday 1 May 2022
Overview of Content Published in April
- Power Consumption Of A Philips Hue lamp In Off State
- .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021
- New Tool: myjson-filter.py
- Update: cut-bytes.py Version 0.0.14
- Update: 1768.py Version 0.0.13
- New Tool: pngdump.py (Beta)
- Update: re-search.py Version 0.0.19
- Update: oledump.py Version 0.0.65
- Quickpost: Machine Code Infinite Loop
- curl 7.82.0 Adds --json Option
- jo
- Method For String Extraction Filtering
- Video: Method For String Extraction Filtering
- Office Protects You From Malicious ISO Files
- Video: Office Protects You From Malicious ISO Files
- Sysmon’s RegistryEvent (Value Set)
- Analyzing a Phishing Word Document
- YARA 4.2.1 Released
Monday 18 April 2022
New Tool: pngdump.py (Beta)
Here is a new tool I'm releasing as beta: pngdump.py.
It is a tool to analyze PNG files. Unlike jpegdump.py, it does not yet let you select items for further analysis.

Saturday 9 April 2022
New Tool: myjson-filter.py
A couple of my tools can produce JSON output, using my own format (myjson).
This output can then be piped into another tool, like strings.py or file-magic.py.
I'm now releasing a tool that can be put into a command pipe to filter the JSON data: myjson-filter.py.
For example, here I use myjson-filter.py to remove all items that are XML files (based on their content: starting with <?xml) before strings are extracted with strings.py:
More info in this ISC diary entry I wrote: "Method For String Extraction Filtering".

MD5: 15DDC15DE65F447CE6DA94F8B34C5066
SHA256: EB330FE49421A13A8743F18064788DC2E8189A9B63FD19D517F0B830D1569321
Friday 1 April 2022
Overview of Content Published in March
- YARA's Console Module
- MSBuild & Cobalt Strike
- Quick & Dirty Shellcode Analysis - CVE-2017-11882
- TShark & Multiple IP Addresses
- Maldoc Cleaned by Anti-Virus
- TShark & Multiple IP Addresses
- oledump’s Extra Option
- Video: TShark & Multiple IP Addresses
- ICMP Messages: Original Datagram Field
- YARA 4.2.0 Released
- Curl on Windows
- SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5)
- MGLNDD_* Scans
- Maldoc Cleaned by Anti-Virus
- Wireshark 3.6.3 Released
- Video: Maldoc Cleaned by Anti-Virus
- Quickie: Parsing XLSB Documents
Saturday 5 March 2022
Overview of Content Published in February
Wednesday 2 February 2022
Overview of Content Published in January
SANS ISC Diary entries:
Saturday 1 January 2022
Overview of Content Published in December
- MiTM Cobalt Strike Network Traffic
- Update: base64dump.py Version 0.0.19
- Update: cs-decrypt-metadata.py Version 0.0.4
- Update: cs-parse-traffic.py Version 0.0.4
- Update: 1768.py Version 0.0.11
- Update: cs-extract-key.py Version 0.0.4
- Update: cs-analyze-processdump.py Version 0.0.3
- VBA: __SRP_ Streams
- Update: pecheck Version 0.7.14
- Update: base64dump.py Version 0.0.20
Wednesday 1 December 2021
Overview of Content Published in November
Blog posts:
- New Tool: cs-extract-key.py
- Update: 1768.py Version 0.0.9
- Update: cs-decrypt-metadata.py Version 0.0.2
- Update: 1768.py Version 0.0.10
- Update: base64dump.py Version 0.0.18
- Update: cs-decrypt-metadata.py Version 0.0.3
- New tool: cs-analyze-processdump.py
- New Tool: cs-parse-traffic.py
- Update: cs-extract-key.py Version 0.0.3
- Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Decrypting Cobalt Strike Metadata Without and With Malleable C2 Instructions
- Obfuscated Maldoc: Reversed BASE64
- YARA Rules for Office Maldocs
- Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Decrypting Cobalt Strike Metadata Without and With Malleable C2 Instructions
- Obfuscated Maldoc: Reversed BASE64
- YARA Rules for Office Maldocs
- Decrypting Cobalt Strike Traffic With a “Leaked” Private Key
- Sysinternals: Autoruns and Sysmon updates
- Video: Phishing ZIP With Malformed Filename
- Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Obfuscated Maldoc: Reversed BASE64
- Video: Obfuscated Maldoc: Reversed BASE64
- External Email System FBI Compromised: Sending Out Fake Warnings
- Backdooring PAM
- Simple YARA Rules for Office Maldocs
- YARA Rule for OOXML Maldocs: Less False Positives
- YARA’s Private Strings
- Video: SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis
- Video: YARA Rules for Office Maldocs
- Wireshark 3.6.0 Released
Monday 29 November 2021
New Tool: cs-parse-traffic.py
This tool is the combination of beta tool cs-parse-http-traffic.py (discontinued) and unreleased tool cs-parse-dns-traffic.py: it can decrypt and parse Cobalt Strike DNS and HTTP beacon network traffic.
By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.
cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD