Tool: zoneidentifier.exe
ISC Diary Entry: Office Protects You From Malicious ISO Files
Author: Didier Stevens
Method For String Extraction Filtering
Tools: zipdump.py, strings.py and myjson-filter.py.
ISC diary entry: Method For String Extraction Filtering
curl, json & jo
ISC diary entries: curl 7.82.0 Adds –json Option, jo
Maldoc Cleaned by Anti-Virus
Tools: oledump.py, OLETemplate.bt, 010 Editor
ISC Diary Entry: Maldoc Cleaned by Anti-Virus
Sample: 0f609e43fa76afd4e2e916acb2ab54cc8fce64750ec372f716b42f34db3da0ce
TShark & Multiple IP Addresses
Quick & Dirty Shellcode Analysis – CVE-2017-11882
Tools: oledump.py, xorsearch, scdbg
ISC Diary Entry: A Good Old Equation Editor Vulnerability Delivering Malware
Sample: c82724520ee5ffbcc6ee13c76d004aa903c2f70c93c505df87fe46e5e8cc53a9
MSBuild & Cobalt Strike
Tools: base64dump.py, translate.py, 1768.py, pecheck.py
ISC Diary Entry: Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
YARA’s Console Module
YARA Rules for Office Maldocs
Tools: oledump.py, zipdump.py
ISC diary entries: Simple YARA Rules for Office Maldocs, YARA Rule for OOXML Maldocs: Less False Positives
Obfuscated Maldoc: Reversed BASE64
Sample: a9490d94cf547e27dcc0d52dc72e74e7
Tools: oledump.py, zipdump.py, xmldump.py, translate.py, base64dump.py
ISC Diary entry: Obfuscated Maldoc: Reversed BASE64
Didier Stevens Videos 