ISC Handlers - SANS Internet Storm Center

Back to Handlers

CyberChef: BASE64/XOR Recipe
Maldoc: Once More It's XOR
YARA XOR Strings: Some Remarks
YARA: XOR Strings
Developing YARA Rules: a Practical Example
Decoding Custom Substitution Encodings with translate.py
When DOSfuscation Helps...
Analyzing Encoded Shellcode with scdbg
Suspicious DNS Requests ... Issued by a Firewall
20/20 malware vision
User Agent String "$ua.tools.random()" ? :-) !
"What is dikona or glirote3?"
Video: Using scdbg to analyze shellcode
Another quickie: Using scdbg to analyze shellcode
"When was this machine infected?"
Identifying numeric obfuscation
Microsoft Publisher malware: static analysis
OpenSSH user enumeration (CVE-2018-15473)
Video: Peeking into msg files - revisited
New Extortion Tricks: Now Including Your (Partial) Phone Number!
A URL shortener handy for phishers
Peeking into msg files - revisited
Numeric obfuscation: another example
Video: Maldoc analysis with standard Linux tools
Dealing with numeric obfuscation in malicious scripts
Malicious Word documents using DOSfuscation
Analyzing MSG files
Maldoc analysis with standard Linux tools
BTC pickpockets are back
Extracting BTC addresses from emails
Video: Retrieving and processing JSON data (BTC example)
Retrieving and processing JSON data (BTC example)
dd progress indicator on OSX
dd progress indicator on Linux
XPS Metadata
Progress indication for scripts on Windows
Video: Analyzing XPS Files
XPS samples
Analyzing XPS files
Guilty by association
Encrypted Office Documents
Quick analysis of malware created with NSIS
DASAN GPON home routers exploits in-the-wild
New IE 0-day in the wild
A malicious word document with a VBA form - video
A malicious word document with a VBA form
Metasploit's Payload UUID
Phishing PDFs with multiple links - Detection
Phishing PDFs with multiple links - Animated GIF
Phishing PDFs with multiple links
"Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence."
Wireshark and USB
Retrieving malware over Tor on Windows
Analyzing MSI files
Finding VBA signatures in .docm files
Analyzing compressed shellcode
Finding VBA signatures in Word documents
An autograph from the Dridex gang
Analyzing an HTA file: Update
Analyzing an HTA file
Comment your Packet Captures - Extra!
Is this a pentest?
HTTPS on every port?
Retrieving malware over Tor
An RTF phish
Decrypting malicious PDFs with the key
Peeking into Excel files
PDF documents & URLs: video
What is new?
Analyzing TNEF files
Dealing with obfuscated RTF files
PDF documents & URLs: update
Encrypted PDFs
Phish or scam? - Part 2
Phish or scam? - Part 1
Sometimes it's a dud
BTC Pickpockets
Metasploit's Maldoc
Extracting the text from PDF documents
PDF documents & URLs
PE files and debug info
Remember ACE files?
It's in the signature.
Peeking into .msg files
A strange JPEG file
It is a resume - Part 3
Analyzing JPEG files
Malware analysis output sanitization
It is a resume - Part 2
It is a resume - Part 1
Malware analysis: searching for dots
It's Not An Invoice ...
Sometimes it's just SPAM
The Good Phishing Email
Maldoc Analysis with ViperMonkey
Maldoc Submitted and Analyzed
Static Analysis of Emotet Maldoc
Another .lnk File
Malicious .iso Attachments
Office maldoc + .lnk
Basic Office maldoc analysis
Selecting domains with random names
PE Section Name Descriptions
Malware and XOR - Part 2
Malware and XOR - Part 1
Malicious Documents: A Bit Of News
Password History: Insights Shared by a Reader
Domain Whitelisting With Alexa and Umbrella Lists - update
Domain Whitelisting With Alexa and Umbrella Lists
Another example of maldoc string obfuscation, with extra bonus: UAC bypass
CRA Maldoc Analysis
py2exe Decompiling - Part 2
py2exe Decompiling - Part 1
Pinging All The Way
Sleeping VBS Really Wants To Sleep
Hancitor Maldoc Videos
Extracting Shellcode From JavaScript
Update:ZIP With Comment
ZIP With Comment
VBA Shellcode and Windows 10
VBA Shellcode and EMET
Hancitor Maldoc Bypasses Application Whitelisting
Maldoc VBA Anti-Analysis: Video
Analyzing Office Maldocs With Decoder.xls
Maldoc VBA Anti-Analysis
Radare2: rahash2
VBA and P-code
.PUB Analysis
rtfdump
rtfobj
Malicious RTF Files
Python Malware - Part 4
Practice ntds.dit File
Office Maldoc: Let's Focus on the VBA Macros Later...
Python Malware - Part 3
Python Malware - Part 2
Python Malware - Part 1
VBS + VBE
Handling Malware Samples
VBE: Encoded VBS Script
Tip: Quick Analysis of Office Maldoc
Locky: JavaScript Deobfuscation
Obfuscated MIME Files
Sigcheck and VirusTotal for Offline Machine
BlackEnergy .XLS Dropper
A Tip For The Analysis Of MIME Files
Failure Is An Option
Malfunctioning Malware
Use The Privilege
Maldoc Social Engineering Trick
Ransomware & Entropy: Your Turn -> Solution
Ransomware & Entropy: Your Turn
Ransomware & Entropy
Don't launch that file Adobe Reader!
Test File: PDF With Embedded DOC Dropping EICAR
PDF + maldoc1 = maldoc2
Sigcheck and virustotal-search
Searching Through the VirusTotal Database
Sigcheck and VirusTotal
Autoruns and VirusTotal
Process Explorer and VirusTotal
Jump List Files Are OLE Files
Working with base64
A .BUP File Is An OLE File
Analyzing Quarantine Files
The EICAR Test File
Another Maldoc? I'm Afraid So...
Wireshark TCP Flags: How To Install On Windows Video
Malicious Word Document: This Time The Maldoc Is A MIME File
A Malicious Word Document Inside a PDF Document
Handling Special PDF Compression Methods
Memory Forensics Of Network Devices
The Kill Chain: Now With Pastebin
Wireshark TCP Flags
VMware Product Updates Address Critical Information Disclosure Issue In JRE
SSH Fingerprints Are Important
YARA Rules For Shellcode
Malicious XML: Matryoshka Edition
From PEiD To YARA
Maldoc VBA Sandbox/Virtualization Detection
XML: A New Vector For An Old Trick