Tool: zoneidentifier.exe
ISC Diary Entry: Office Protects You From Malicious ISO Files
malware
Method For String Extraction Filtering
Tools: zipdump.py, strings.py and myjson-filter.py.
ISC diary entry: Method For String Extraction Filtering
Maldoc Cleaned by Anti-Virus
Tools: oledump.py, OLETemplate.bt, 010 Editor
ISC Diary Entry: Maldoc Cleaned by Anti-Virus
Sample: 0f609e43fa76afd4e2e916acb2ab54cc8fce64750ec372f716b42f34db3da0ce
Quick & Dirty Shellcode Analysis – CVE-2017-11882
Tools: oledump.py, xorsearch, scdbg
ISC Diary Entry: A Good Old Equation Editor Vulnerability Delivering Malware
Sample: c82724520ee5ffbcc6ee13c76d004aa903c2f70c93c505df87fe46e5e8cc53a9
MSBuild & Cobalt Strike
Tools: base64dump.py, translate.py, 1768.py, pecheck.py
ISC Diary Entry: Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Obfuscated Maldoc: Reversed BASE64
Sample: a9490d94cf547e27dcc0d52dc72e74e7
Tools: oledump.py, zipdump.py, xmldump.py, translate.py, base64dump.py
ISC Diary entry: Obfuscated Maldoc: Reversed BASE64
Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
Phishing ZIP With Malformed Filename
Tool: zipdump.py
ISC diary entries: Reader Malware: ZIP/HTML Phish, Phishing ZIP With Malformed Filename, Video: Phishing ZIP With Malformed Filename
Cobalt Strike: Decrypting C2 Traffic With A “Leaked” Private Key
Network capture: 2021-02-02 – QUICK POST: HANCITOR INFECTION WITH FICKER STEALER, COBALT STRIKE, & NETSUPPORT RAT
Tools: cs-decrypt-metadata.py, cs-parse-http-traffic.py, 1768.py
Blog posts: Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1, Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2, Decrypting Cobalt Strike Traffic With a “Leaked” Private Key
Didier Stevens Videos 