Overview of Content Published in December

Here is an overview of content I published in December: Blog posts: MiTM Cobalt Strike Network Traffic Update: base64dump.py Version 0.0.19 Update: cs-decrypt-metadata.py Version 0.0.4 Update: cs-parse-traffic.py Version 0.0.4 Update: 1768.py Version 0.0.11 Update: cs-extract-key.py Version 0.0.4 Update: cs-analyze-processdump.py...

4w

Overview of Content Published in December

Here is an overview of content I published in December: Blog posts: MiTM Cobalt Strike Network Traffic Update: base64dump.py Version 0.0.19 Update: cs-decrypt-metadata.py Version 0.0.4 Update: cs-parse-traffic.py Version 0.0.4 Update: 1768.py Version 0.0.11 Update: cs-extract-key.py Version 0.0.4 Update: cs-analyze-processdump.py...

4w

Update: base64dump.py Version 0.0.20

This new version brings a new encoding: zxcn zxcn stands for “zero x comma no-leading zero”, and is very similar to zxc encoding (zero x comma). Example of zxc: 0x90,0x0A,0x4D,0x5A Remark the leading zero for value 0x0A (values smaller than 0x10). With zxcn encoding, there is no leading zero for values smaller...

4w

Update: base64dump.py Version 0.0.20

This new version brings a new encoding: zxcn zxcn stands for “zero x comma no-leading zero”, and is very similar to zxc encoding (zero x comma). Example of zxc: 0x90,0x0A,0x4D,0x5A Remark the leading zero for value 0x0A (values smaller than 0x10). With zxcn encoding, there is no leading zero for values smaller...

4w

Update: pecheck Version 0.7.14

This new version of pecheck adds support for dumping files (-D) while using option -l P. pecheck-v0_7_14.zip (https)MD5: 3B5CED47987F0395CC4BC795A938EA4ASHA256: 547941BD830C22586CE0C509DE8406424C2EB02D0C5FEAA555C43C77FCCDE33D

4w

Update: pecheck Version 0.7.14

This new version of pecheck adds support for dumping files (-D) while using option -l P. pecheck-v0_7_14.zip (https)MD5: 3B5CED47987F0395CC4BC795A938EA4ASHA256: 547941BD830C22586CE0C509DE8406424C2EB02D0C5FEAA555C43C77FCCDE33D

4w

VBA: __SRP_ Streams

Office documents with a VBA project that contains streams whose name starts with __SRP_, have had their VBA macros executed at least once. As Dr. Bontchev describes in the documentation for his pcodedmp tool: When the p-code has been executed at least once, a further tokenized form of it is stored elsewhere in the document (in streams,...

4w

VBA: __SRP_ Streams

Office documents with a VBA project that contains streams whose name starts with __SRP_, have had their VBA macros executed at least once. As Dr. Bontchev describes in the documentation for his pcodedmp tool: When the p-code has been executed at least once, a further tokenized form of it is stored elsewhere in the document (in streams,...

4w

Update: cs-analyze-processdump.py Version 0.0.3

This new version brings some options to guide the XOR-key detection algorithm. The beacon’s AES and HMAC key are contained in writable process memory: my tool cs-extract-key.py can detect these keys. But the beacon can be configured to encode these keys while it is sleeping. This feature is called a sleep mask, and uses a 13-byte long XOR...

5w

Update: cs-analyze-processdump.py Version 0.0.3

This new version brings some options to guide the XOR-key detection algorithm. The beacon’s AES and HMAC key are contained in writable process memory: my tool cs-extract-key.py can detect these keys. But the beacon can be configured to encode these keys while it is sleeping. This feature is called a sleep mask, and uses a 13-byte long XOR...

5w