2. What is DDE? • "Dynamic Data Exchange" • One of the IPC mechanisms that has existed since 1987 (Win 2.0+, OS/2) • Example: third-party software accessing .xls data • OLE superseded DDE • Kept around for compatibility (T_T) • Targets → MS Office documents, and others? Word, Excel, Powerpoint, Access, Outlook, OneNote 4. Office attacks that need no macros • 2016/05/20 Sensepost: command execution from .xls via DDE https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/ • 2017/10/09 Sensepost: command execution from .doc via DDE https:/
This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and PDF files. To print it, use the one-page PDF version; you can also edit the Word version to customize it for your own needs. General Approach to Document Analysis: Examine the document for anomalies, such as risky tags, scripts, and embedded artifacts. Locate embedded code, such as shellcode,
In this post we will set up a virtual lab for malware analysis. We'll create an isolated virtual network separated from the host OS and from the Internet, in which we'll set up two victim virtual machines (Ubuntu and Windows 7) as well as an analysis server to mimic common Internet services like HTTP or DNS. Then, we'll be able to log and analyze the network communications of any Linux or Windows m
↑ Diagram of the malware running and exchanging traffic with a home-made C2 server. Details are explained at the bottom of the page. Hello. Around last year there was a targeted attack against financial institutions in Saudi Arabia, and that attack used a malware called "Helminth" that sends information out via DNS tunneling. A detailed report has been published by Palo Alto Networks' threat research team Unit42: OilRig campaign: Helminth backdoor delivered in attacks against Saudi Arabian organizations - Palo Alto Networks. Since samples happened to be in circulation, I analyzed Helminth and built a C2 server (C&C server) for it. This article describes the specifications discovered during the analysis and, for readers not familiar with malware, an overview of how DNS tunneling works. How DNS tunneling works
05.12.2013 Slides about an in depth analysis of CVE-2013-3906 exploiting a TIFF bug inside a Microsoft Office Winword file. This bug was exploited in a targeted attack in November 2013. masTIFF - An in depth analysis of CVE-2013-3906.pptx 25.11.2013 A new version of Officemalscanner/RTFScan has been released. This update includes a generic decryption loop detection, enhanced shellcode patterns and
This is the homepage of Michael Ligh. I am a reverse engineer who specializes in vulnerability research, malware cryptography, and memory forensics. I'm co-founder and CTO of Volexity, a security firm based out of the Washington, D.C. area that specializes in assisting organizations with threat intelligence, incident response, forensics, and trusted security advisory. I'm also a core developer of
Here is a set of free YouTube videos showing how to use my tools: Malicious PDF Analysis Workshop. pdf-parser.py This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document. The code of the parser is quick-and-dirty, I'm not recommending this as a textbook case for PDF parsers, but it gets the job done. You can see the parser
Unix (general) Rosetta Stone for Unix Windows Debugging Tools for Windows 6.12.2.633 Forcing a System Crash from the Keyboard WinDbg Quick Download Links, Symbols, etc. SystemDump Application Verifier IDA (freeware) StressPrinters Dependency Walker Kernel Memory Space Analyzer MS Debug Diagnostic Tool InstantDump (JIT Process Dumper) UDmp2Txt (processing hundreds of user dumps) TestDefaultDebugger