Tag: SANS Internet Storm Center, InfoCON: green

Protected OOXML Spreadsheets, (Mon, Jul 15th)

I was asked a question about the protection of an .xlsm spreadsheet. I've written before on the protection of .xls spreadsheets, for example in diary entries “Unprotecting Malicious Documents For Inspection” and “16-bit Hash Collisions in .xls Spreadsheets”; and blog…

Wireshark 4.2.6 Released, (Sun, Jul 14th)

Wireshark release 4.2.6 fixes 1 vulnerability (SPRT parser crash) and 10 bugs. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Wireshark 4.2.6 Released, (Sun, Jul 14th)

16-bit Hash Collisions in .xls Spreadsheets, (Sat, Jul 13th)

A couple years ago, in diary entry “Unprotecting Malicious Documents For Inspection” I explain how .xls spreadsheets are password protected (but not encrypted). And in follow-up diary entry “Maldocs: Protection Passwords”, I talk about an update to my oledump plugin…

Microsoft Patch Tuesday July 2024, (Tue, Jul 9th)

Microsoft today released patches for 142 vulnerabilities. Only four of the vulnerabilities are rated as “critical”. There are two vulnerabilities that have already been discussed and two that have already been exploited. This article has been indexed from SANS Internet…

Handling BOM MIME Files, (Wed, Jun 19th)

A reader contacted me with an eml file (which turned out to be benign) that emldump.py could not parse correctly. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Handling BOM MIME Files,…

Video Meta Data: DJI Drones, (Sun, Jun 16th)

Many years ago, I wrote about the EXIF data in pictures taken with Smartphones. Smartphones often record extensive meta data including GPS and accelerometer data. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original…

Overview of My Tools That Handle JSON Data, (Sat, Jun 15th)

I wrote a couple of diary entries showing my tools that produce and consume JSON data. Like “Analyzing PDF Streams”, “Another PDF Streams Example: Extracting JPEGs” and “Analyzing MSG Files”. This article has been indexed from SANS Internet Storm Center,…

Microsoft Patch Tuesday June 2024, (Tue, Jun 11th)

Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today. This article has…

“K1w1” InfoStealer Uses gofile.io for Exfiltration, (Fri, May 31st)

Python remains a nice language for attackers and I keep finding interesting scripts that are usually not very well detected by antivirus solutions. The one I found has a VT score of 7/65! (SHA256:a6230d4d00a9d8ecaf5133b02d9b61fe78283ac4826a8346b72b4482d9aab54c[1]). I decided to call it “k1w1”…

Feeding MISP with OSSEC, (Thu, May 30th)

I'm a big fan of OSSEC[1] for years. OSSEC (“Open Source Security Event Correlator”) is a comprehensive, open-source host-based intrusion detection system (HIDS). It is designed to monitor and analyze system logs, detect suspicious activities, and provide real-time alerts for…

YARA 4.5.1 Release, (Sun, May 26th)

YARA 4.5.0 was released with a small change to the regex syntax (allowing more whitespace) and many bugfixes. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: YARA 4.5.1 Release, (Sun, May 26th)

csvkit, (Sat, May 25th)

After reading my diary entry “Checking CSV Files”, a reader informed me that CSV toolkit csvkit also contains a command to check CSV files: csvstat.py. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original…

Analyzing MSG Files, (Mon, May 20th)

.msg email files are ole files and can be analyzed with my tool oledump.py. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Analyzing MSG Files, (Mon, May 20th)

Wireshark 4.2.5 Released, (Sat, May 18th)

Wireshark release 4.2.5 fixes 3 vulnerabilities (%%cve:2024-4853%%, %%cve:2024-4854%% and %%cve:2024-4855%%) and 19 bugs. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Wireshark 4.2.5 Released, (Sat, May 18th)

Why yq? Adventures in XML, (Thu, May 16th)

I was recently asked to “recover” a RADIUS key from a Microsoft NPS server.  No problem I think, just export the config and it's all there in clear text right? This article has been indexed from SANS Internet Storm Center,…

Got MFA? If not, Now is the Time!, (Wed, May 15th)

I had an interesting call from a client recently – they had a number of “net use” and “psexec” commands pop up on a domain controller, all called from PSEXEC (thank goodness for a good EDR deployed across the board!!).…

Microsoft May 2024 Patch Tuesday, (Tue, May 14th)

This month we got patches for 67 vulnerabilities. Of these, 1 are critical, and 1 is being exploited according to Microsoft. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Microsoft May 2024…

DNS Suffixes on Windows, (Sun, May 12th)

I was asked if I could provide mote details on the following sentence from my diary entry “nslookup's Debug Options”: This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: DNS Suffixes on Windows,…

Analyzing PDF Streams, (Thu, May 9th)

Occasionaly, Xavier and Jim will ask me specific students' questions about my tools when they teach FOR610: Reverse-Engineering Malware. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Analyzing PDF Streams, (Thu, May…

Analyzing Synology Disks on Linux, (Wed, May 8th)

Synology NAS solutions are popular devices. They are also used in many organizations. Their product range goes from small boxes with two disks (I&#x27m not sure they still sell a single-disk enclosure today) up to monsters, rackable with plenty of…