At NVISO, we do webinars over lunchtime. We call them “brown bags”.
In this brown bag, I talk about the development of my free, open source tools. As an example, I explain how to make your own tool to analyze ISO files using my templates.
my software
Lua CSV Wireshark Dissector
Decoding Cobalt Strike Traffic
Tools: parse-cs-http-traffic.py, 1768.py, pecheck.py and pybeacon.
ISC diary entry: Decoding Cobalt Strike Traffic
Finding Metasploit & Cobalt Strike URLs
oledump and YARA DDE Rules
Tools: oledump.py, YARA.
NVISO blog post: Detecting DDE in MS Office documents
ISC diary entry: DDE and oledump
tshark & Malware Analysis
pdftool.py: Incremental Updates
Tool: pdftool.py
Blog posts: Solving a Little PDF Puzzle, Shoulder Surfing a Malicious PDF Author, New Tool: pdftool.py.
Decoding a Payload Using a Dynamic XOR Key
Tool: XORSelection.1sc
Sample: 8f4654952833b7d7b7db02ca7cb6c2f6cb9c3c545dc51124b0f18588b3c4e1c0
Blog post: Update: XORSelection.1sc Version 6.0
If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.
Doc & RTF Malicious Document
Inspecting Process Explorer Traffic With Fiddler
Tools: Fiddler, Process Explorer
ISC diary entry: Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
