Didier Stevens

Here is an overview of content I published in March:

Blog posts:

• Update: nsrl.py Version 0.0.3
• Update pecheck.py Version 0.7.13
• Update: 1768.py Version 0.0.5
• Quickpost: “ProxyLogon PoC” Capture File
• FileZilla Uses PuTTY’s Registry Fingerprint Cache

YouTube videos:

• Finding Metasploit & Cobalt Strike URLs

Videoblog posts:

• Finding Metasploit & Cobalt Strike URLs

SANS ISC Diary entries:

• PCAPs and Beacons
• YARA and CyberChef
• Wireshark 3.4.4 Released
• Finding Metasploit & Cobalt Strike URLs
• YARA Pre-release v4.1.0
• Video: Finding Metasploit & Cobalt Strike URLs
• Nim Strings
• TCPView v4.0 Released

Here is an overview of content I published in February:

Blog posts:

• Update: oledump.py Version 0.0.59
• Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets
• Update: re-search.py Version 0.0.16
• re-search.py And Custom Validations
• Update: oledump.py Version 0.0.60

YouTube videos:

• tshark & Malware Analysis
• oledump and YARA DDE Rules

Videoblog posts:

• tshark & Malware Analysis
• oledump and YARA DDE Rules

SANS ISC Diary entries:

• YARA v4.0.5
• Quickie: tshark & Malware Analysis
• Video: tshark & Malware Analysis
• Quickie: Extracting HTTP URLs With tshark
• DDE and oledump
• Unprotecting Malicious Documents For Inspection
• Maldocs: Protection Passwords

Here is an overview of content I published in January:

Blog posts:

• Update: Python Templates Version 0.0.3
• Update: oledump.py Version 0.0.58
• Decrypting TLS Streams With Wireshark: Part 3
• Update: count.py Version 0.3.0
• Update: Python Templates Version 0.0.4
• Video: Maldoc Analysis With CyberChef
• Update: re-search.py Version 0.0.14
• Update: re-search.py Version 0.0.15
• Update: strings.py Version 0.0.7
• Update: XORSelection.1sc Version 6.0
• New Tool: pdftool.py

YouTube videos:

• December 2020: Jupiter & Saturn
• Maldoc Analysis With CyberChef
• My Encrypted Storage
• My Encrypted Storage: Read-Only
• CyberChef: Analyzing OOXML Files for URLs
• Doc & RTF Malicious Document
• Decoding a Payload Using a Dynamic XOR Key
• pdftool.py: Incremental Updates

Videoblog posts:

• Maldoc Analysis With CyberChef
• My Encrypted Storage
• My Encrypted Storage: Read-Only
• CyberChef: Analyzing OOXML Files for URLs
• Doc & RTF Malicious Document
• Decoding a Payload Using a Dynamic XOR Key
• pdftool.py: Incremental Updates

SANS ISC Diary entries:

• Strings 2021
• Maldoc Strings Analysis
• Maldoc Analysis With CyberChef
• New Release of Sysmon Adding Detection for Process Tampering
• Doc & RTF Malicious Document
• CyberChef: Analyzing OOXML Files for URLs
• Video: Doc & RTF Malicious Document
• YARA v4.0.4
• Wireshark 3.4.3 Released

Here is an overview of content I published in 2020:

Blog posts:

• Analysis Of Unusual ZIP Files
• Using CveEventWrite From VBA (CVE-2020-0601)
• Update: cut-bytes.py Version 0.0.11
• Update: format-bytes.py Version 0.0.11
• Update: hash.py Version 0.0.8
• etl2pcapng: Support For Process IDs
• Update: pecheck.py Version 0.7.9
• Update: oledump.py Version 0.0.45
• Update: xmldump.py Version 0.0.4
• Update: hex-to-bin.py Version 0.0.4
• Update: format-bytes.py Version 0.0.13
• Update: translate.py Version 0.2.7
• Update: Python Templates Version 0.0.2
• Contextual Grepping: Proxmark3 Key Scan Example
• Update: oledump.py Version 0.0.47
• Update: oledump.py Version 0.0.48
• CLSIDs in OLE Files
• Update: cmd.dll Version 0.0.5
• pecheck.py Version 0.7.10
• Windows Assembly Program To Create New User
• Quickpost: User-Agent: Microsoft Office Excel 2014
• Carving PE Files With pecheck.py
• Quickpost: Windows Domain Controllers Have No Local Accounts
• Update: oledump.py Version 0.0.49
• mimikatz Is My New EICAR
• Update: msoffcrypto-crack.py Version 0.0.5
• April 1st 2020: FlashPix File With VBA Code
• Video: GNU Radio Companion: Acoustic Beats
• Update XORSearch Version 1.11.3
• Update: zipdump.py Version 0.0.17
• Update: zipdump.py Version 0.0.18
• Analyzing Malformed ZIP Files
• Update: xmldump.py Version 0.0.6
• Update: hex-to-bin.py Version 0.0.5
• Update: python-per-line.py Version 0.0.7
• Handling Diacritics
• Quickpost: My SpiderMonkey’s Cheat Sheet
• NVISO Innovation Coin
• Update: zipdump.py Version 0.0.19
• Quickpost: Empty ZIP File
• Quickpost: Go: Building For Multiple Operating Systems
• Update: XORSelection.1sc Version 5.0
• Quickpost: curl And SSPI Proxy Authentication
• Update: oledump.py Version 0.0.50
• AdHoc GitHub Repository
• New Tool: simple_ip_stats.py
• add-admin: Tiny EXE To Add Administrative Account
• Update: translate.py Version 2.5.8
• FalsePositive GitHub Repository
• VBA Purging
• Update: base64dump.py Version 0.0.12
• Tampering With Digitally Signed VBA Projects
• Quickpost: curl
• Update XORSearch Version 1.11.4
• Update: oledump.py Version 0.0.51
• Cracking VBA Project Passwords
• ndisasm 2.15 stdin Bug Fix
• Update: oledump.py 0.0.52
• Update: zipdump.py Version 0.0.20
• Update: InteractiveSieve 0.9.1
• Update: pecheck.py Version 0.7.11
• Videos: Defective USB Cable
• Update: numbers-to-string.py Version 0.0.10
• New Tool: XORSearch.py
• Update: oledump.py 0.0.53
• Quickpost: Downloading Files With Windows Defender & User Agent String
• Quickpost: dig On Windows
• Quickpost: Ext2explore
• Quickpost: USB Passive Load
• “Epic Manchego” And My Tools
• Update: oledump.py Version 0.0.54
• Quickpost: 4 Bytes To Crash Excel
• Update: translate.py version 2.5.9
• Update: strings.py Version 0.0.5 Pascal Strings
• Quickpost: VMware OS Version Snapshots
• Quickpost: Portable Power
• 1768 K
• The Qwerty Effect And Passwords
• Update: translate.py Version 2.5.10
• oledump Indicators
• Update: oledump.py Version 0.0.55
• Decrypting With translate.py
• Update: disitool.py Version 0.4
• Update: emldump.py Version 0.0.11
• Update: oledump.py Version 0.0.56
• Update: pecheck.py Version 0.7.12
• Quickpost: finger.exe
• Update: numbers-to-string.py Version 0.0.11
• Update: oledump.py version 0.0.57
• Decrypting TLS Streams With Wireshark: Part 1
• Update: strings.py Version 0.0.6
• Update: translate.py Version 2.5.11
• Update: cut-bytes.py Version 0.0.13
• Update: byte-stats.py Version 0.0.8
• Video: Using numbers-to-string.py To Analyze FireEye Maldocs
• Update: zipdump.py Version 0.0.21
• Update: base64dump.py Version 0.0.13
• Update: 1768.py Version 0.0.4
• Decrypting TLS Streams With Wireshark: Part 2
• Update: rtfdump.py Version 0.0.10

YouTube videos:

• Analyzing Unusual ZIP Files
• Stego & Cryptominers
• oledump: plugin_http_heuristics
• pecheck: Carving PE Files
• YARA: Ad Hoc Rules
• GNU Radio Companion: Acoustic Beat
• GNU Radio Companion: Simple Filters
• GNU Radio Companion: .WAV File
• zipdump.py: Malformed .docm File
• EICAR File, Memorized
• ZIP(EICAR File), Memorized
• Maldoc Analysis With xlm-deobfuscator
• YARA’s BASE64 Strings
• Defective USB Cable
• Testing a Defective USB Cable
• Measuring a Defective USB Cable
• Cracking Maldoc VBA Project Passwords
• oledump.py: plugin_msg_summary
• strings.py: Pascal strings
• Measuring a USB Cable – 4-Wire Method
• Tools in my Wallet
• Decrypting With translate.py
• oledump Indicators
• Analyzing FireEye Maldocs
• Inspecting Process Explorer Traffic With Fiddler
• Hobo Knife
• Process Explorer & VirusTotal: Fixed!
• December 2020: Jupiter & Saturn

Videoblog posts:

• Analyzing Unusual ZIP Files
• Stego & Cryptominers
• oledump: plugin_http_heuristics
• pecheck: Carving PE Files
• GNU Radio Companion: Acoustic Beats
• YARA: Ad Hoc Rules
• GNU Radio Companion: Simple Filters
• GNU Radio Companion: .WAV File
• zipdump.py: Malformed .docm File
• EICAR File, Memorized
• ZIP(EICAR File), Memorized
• Maldoc Analysis With xlm-deobfuscator
• SANS@MIC – Maldocs: a bit of blue, a bit of red
• YARA’s BASE64 Strings
• Defective USB Cable
• Testing a Defective USB Cable
• Measuring a Defective USB Cable
• Cracking Maldoc VBA Project Passwords
• oledump.py: plugin_msg_summary
• strings.py: Pascal Strings
• Tools in my Wallet
• Decrypting With translate.py
• oledump Indicators
• Analyzing FireEye Maldocs
• Inspecting Process Explorer Traffic With Fiddler
• Hobo Knife
• Process Explorer & VirusTotal: Fixed!
• December 2020: Jupiter & Saturn

SANS ISC Diary entries:

• “Nim httpclient/1.0.4”
• KringleCon 2019
• etl2pcapng: Convert .etl Capture Files To .pcapng Format
• Citrix ADC Exploits: Overview of Observed Payloads
• Wireshark 3.2.1 Released
• Video: Stego & Cryptominers
• bsdtar on Windows 10
• curl and SSPI
• Maldoc: Excel 4 Macros in OOXML Format
• Maldoc: Excel 4 Macros and VBA, Devil and Angel?
• Wireshark 3.2.2 Released: Windows’ Users Pay Attention Please
• Excel Maldocs: Hidden Sheets
• Malicious Spreadsheet With Data Connection and Excel 4 Macros
• Phishing PDF With Incremental Updates.
• More COVID-19 Themed Malware
• KPOT Deployed via AutoIt Script
• Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
• Covid19 Domain Classifier
• Obfuscated Excel 4 Macros
• New Bypass Technique or Corrupt Word Document?
• Password Protected Malicious Excel Files
• Wireshark 3.2.3 Released: Mac Users Pay Attention Please
• Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.”
• KPOT Analysis: Obtaining the Decrypted KPOT EXE
• KPOT AutoIt Script: Analysis
• MALWARE Bazaar
• Video: Malformed .docm File
• ZIP & AES
• Sysmon and File Deletion
• YARA v4.0.0: BASE64 Strings
• Excel 4 Macro Analysis: XLMMacroDeobfuscator
• Antivirus & Multiple Detections
• Some Strings to Remember
• Wireshark 3.2.4 Released
• Zloader Maldoc Analysis With xlm-deobfuscator
• YARA v4.0.1
• XLMMacroDeobfuscator: An Update
• Translating BASE64 Obfuscated Scripts
• YARA’s BASE64 Strings
• ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red
• Comparing Office Documents with WinMerge
• Video: YARA’s BASE64 Strings
• Sysmon and Alternate Data Streams
• Wireshark 3.2.5 Released
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt
• CVE-2020-5902: F5 BIG-IP RCE Vulnerability
• Maldoc: VBA Purging Example
• VBA Project Passwords
• Zone.Identifier: A Couple Of Observations
• ndisasm Update 2.15
• Cracking Maldoc VBA Project Passwords
• Analyzing Metasploit ASP .NET Payloads
• Small Challenge: A Simple Word Maldoc
• Small Challenge: A Simple Word Maldoc – Part 2
• Wireshark 3.2.6 Released
• Small Challenge: A Simple Word Maldoc – Part 3
• Small Challenge: A Simple Word Maldoc – Part 4
• Malicious Excel Sheet with a NULL VT Score: More Info
• Finding The Original Maldoc
• Office: About OLE and ZIP Files
• Office Documents with Embedded Objects
• Wireshark 3.2.7 Released
• Decoding Corrupt BASE64 Strings
• Nmap 7.90 Released
• Obfuscation and Repetition
• Open Packaging Conventions
• Analyzing MSG Files With plugin_msg_summary
• Nested .MSGs: Turtles All The Way Down
• File Selection Gaffe
• Video: Pascal Strings
• Excel 4 Macros: “Abnormal Sheet Visibility”
• More File Selection Gaffes
• Wireshark 3.2.8 and 3.4.0 Released
• AV Cleaned Maldoc
• Quick Tip: Extracting all VBA Code from a Maldoc
• oledump’s ! Indicator
• Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format
• Quick Tip: Cobalt Strike Beacon Analysis
• Quick Tip: Using JARM With a SOCKS Proxy
• Decrypting PowerShell Payloads (video)
• oledump’s Indicators (video)
• Corrupt BASE64 Strings: Detection and Decoding
• Office 95 Excel 4 Macros
• Wireshark 3.4.1 Released
• KringleCon 2020
• Analyzing FireEye Maldocs
• Wireshark 3.4.2 Released
• Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
• Quickie: String Analysis & Maldocs
• base64dump.py Supported Encodings
• Quickie: Bit Shifting With translate.py

NVISO blog posts:

• Nessus’ UserAssist Plugin
• Evidence of VBA Purging Found in Malicious Documents
• Video: Attack Surface Reduction (ASR) Bypass using VBA
• Tampering with Digitally Signed VBA Projects
• Epic Manchego – atypical maldoc delivery brings flurry of infostealers

Here is an overview of content I published in December:

Blog posts:

• Update: oledump.py Version 0.0.56
• Update: pecheck.py Version 0.7.12
• Quickpost: finger.exe
• Update: numbers-to-string.py Version 0.0.11
• Update: oledump.py version 0.0.57
• Decrypting TLS Streams With Wireshark: Part 1
• Update: strings.py Version 0.0.6
• Update: translate.py Version 2.5.11
• Update: cut-bytes.py Version 0.0.13
• Update: byte-stats.py Version 0.0.8
• Video: Using numbers-to-string.py To Analyze FireEye Maldocs
• Update: zipdump.py Version 0.0.21
• Update: base64dump.py Version 0.0.13
• Update: 1768.py Version 0.0.4
• Decrypting TLS Streams With Wireshark: Part 2
• Update: rtfdump.py Version 0.0.10

YouTube videos:

• Analyzing FireEye Maldocs
• Inspecting Process Explorer Traffic With Fiddler
• Hobo Knife
• Process Explorer & VirusTotal: Fixed!
• December 2020: Jupiter & Saturn

Videoblog posts:

• Analyzing FireEye Maldocs
• Inspecting Process Explorer Traffic With Fiddler
• Hobo Knife
• Process Explorer & VirusTotal: Fixed!
• December 2020: Jupiter & Saturn

SANS ISC Diary entries:

• oledump’s Indicators (video)
• Corrupt BASE64 Strings: Detection and Decoding
• Office 95 Excel 4 Macros
• Wireshark 3.4.1 Released
• KringleCon 2020
• Analyzing FireEye Maldocs
• Wireshark 3.4.2 Released
• Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
• Quickie: String Analysis & Maldocs
• base64dump.py Supported Encodings
• Quickie: Bit Shifting With translate.py

Here is an overview of content I published in November:

Blog posts:

• Quickpost: Portable Power
• 1768 K
• The Qwerty Effect And Passwords
• Update: translate.py Version 2.5.10
• oledump Indicators
• Update: oledump.py Version 0.0.55
• Decrypting With translate.py
• Update: disitool.py Version 0.4
• Update: emldump.py Version 0.0.11

YouTube videos:

• Tools in my Wallet
• Decrypting With translate.py
• oledump Indicators

Videoblog posts:

• Decrypting With translate.py
• oledump Indicators
• Tools in my Wallet

SANS ISC Diary entries:

• Wireshark 3.2.8 and 3.4.0 Released
• AV Cleaned Maldoc
• Quick Tip: Extracting all VBA Code from a Maldoc
• oledump’s ! Indicator
• Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format
• Quick Tip: Cobalt Strike Beacon Analysis
• Quick Tip: Using JARM With a SOCKS Proxy
• Decrypting PowerShell Payloads (video)

Blog posts:

• Update: oledump.py Version 0.0.54
• Quickpost: 4 Bytes To Crash Excel
• Update: translate.py version 2.5.9
• Update: strings.py Version 0.0.5 Pascal Strings
• Quickpost: VMware OS Version Snapshots

YouTube videos:

• oledump.py: plugin_msg_summary
• strings.py: Pascal strings
• Measuring a USB Cable – 4-Wire Method

Videoblog posts:

• oledump.py: plugin_msg_summary
• strings.py: Pascal Strings
• Measuring a USB Cable – 4-Wire Method

SANS ISC Diary entries:

• Nmap 7.90 Released
• Obfuscation and Repetition
• Open Packaging Conventions
• Analyzing MSG Files With plugin_msg_summary
• Nested .MSGs: Turtles All The Way Down
• File Selection Gaffe
• Video: Pascal Strings
• Excel 4 Macros: “Abnormal Sheet Visibility”
• More File Selection Gaffes

Here is an overview of content I published in September:

Blog posts:

• Quickpost: Downloading Files With Windows Defender & User Agent String
• Quickpost: dig On Windows
• Quickpost: Ext2explore
• Quickpost: USB Passive Load
• “Epic Manchego” And My Tools

SANS ISC Diary entries:

• Office: About OLE and ZIP Files
• Office Documents with Embedded Objects
• Wireshark 3.2.7 Released
• Decoding Corrupt BASE64 Strings

NVISO blog posts:

• Epic Manchego – atypical maldoc delivery brings flurry of infostealers

Over the last months, I’ve been quite busy working with my colleagues on report “Epic Manchego – atypical maldoc delivery brings flurry of infostealers“: we’ve tracked an actor creating a new type of malicious Office document.

To help with the automatic analysis of all the maldocs produced by this actor (several per day), I added new features to existing tools and created new tools.

I’m releasing this work in the coming months (some has already been published: oledump.py and zipdump.py).