KRACKing WPA2

A new vulnerability in the WPA2 protocol was discovered by Mathy Vanhoef (researcher at KU Leuven) and published yesterday. The vulnerability, dubbed "KRACK", enables an attacker to intercept WPA2 encrypted network traffic between a client device (e.g. mobile or laptop) and a router. Depending on the network configuration it is even possible for an attacker to alter or …

YARA DDE rules: DDE Command Execution observed in-the-wild

The MS Office DDE YARA rules that we published yesterday have detected several malicious document samples since 10/10/2017. Remark: the malicious samples we mention were detected with our DDEAUTO rule (Office_DDEAUTO_field); as we feared, the second rule (Office_DDE_field) is generating some false positives and we will update it. The first sample uses PowerShell to download an executable and run …

Detecting DDE in MS Office documents

Dynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents. We wrote 2 YARA rules to detect this in Office Open XML files (like .docx): …
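The two teasers above (the DDE detection rules, and the note that the broader Office_DDE_field rule produces false positives) describe the idea without showing the mechanics. The following is an added example, written for this page and not the published YARA rules themselves: a small Python scanner that opens a .docx as the ZIP package it is, reconstructs Word field codes from word/*.xml (including the case where the DDEAUTO keyword is split across several instrText runs), and classifies them the way the two rules do, a high-confidence DDEAUTO hit and a lower-confidence DDE hit. It also includes the naive "does the XML contain DDE anywhere" check, to show why a rule of that shape fires on harmless documents. The three .docx samples are constructed in memory for the demonstration; the command-line payload in the DDEAUTO sample is a harmless echo, and the file names and function names are the example's own.

```python
import html
import io
import re
import zipfile

# In WordprocessingML a field code is stored either as a simple field
# (<w:fldSimple w:instr="...">) or as a complex field: a fldChar "begin",
# one or more <w:instrText> runs holding the instruction, an optional
# "separate", the cached result text, and a fldChar "end". Malicious
# documents split the instruction over several runs, so the runs must be
# joined before the keyword is checked.
TOKEN_RE = re.compile(
    r'<w:fldChar\b[^>]*w:fldCharType="(begin|separate|end)"[^>]*>'
    r'|<w:instrText\b[^>]*>(.*?)</w:instrText>'
    r'|<w:fldSimple\b[^>]*w:instr="([^"]*)"',
    re.S,
)
# A field code starts with its keyword. Anchoring at the start of the trimmed
# instruction is what keeps "DDE" inside ordinary text or a PAGE field from matching.
DDEAUTO_RE = re.compile(r"^\s*DDEAUTO\b", re.I)
DDE_RE = re.compile(r"^\s*DDE\b", re.I)


def field_codes(xml):
    """Return every field instruction in one WordprocessingML part, in order.
    Limitation: a field begun inside another field's instruction replaces the
    outer one; nested fields are not tracked."""
    codes, current = [], None
    for m in TOKEN_RE.finditer(xml):
        kind, instr, simple = m.groups()
        if simple is not None:
            codes.append(html.unescape(simple))
        elif kind == "begin":
            current = []
        elif kind in ("separate", "end"):
            if current:
                codes.append(html.unescape("".join(current)))
            current = None
        elif instr is not None and current is not None:
            current.append(instr)
    return codes


def scan_docx(docx_bytes):
    """Classify DDE fields in a .docx (bytes): 'DDEAUTO' hits are the
    high-confidence ones, 'DDE' hits need a human look."""
    hits = {"DDEAUTO": [], "DDE": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for code in field_codes(xml):
                if DDEAUTO_RE.match(code):
                    hits["DDEAUTO"].append((name, code.strip()))
                elif DDE_RE.match(code):
                    hits["DDE"].append((name, code.strip()))
    return hits


def naive_contains_dde(docx_bytes):
    """The substring check a broad rule amounts to; kept only to show why it is noisy."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(b"DDE" in z.read(n) for n in z.namelist() if n.endswith(".xml"))


def build_docx(document_xml):
    """Constructed test data: wrap one document.xml in a minimal OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def wrap(body_xml):
    return ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body>' + body_xml + '</w:body></w:document>')


# Constructed sample: DDEAUTO keyword split over two runs, harmless echo payload.
SPLIT_DDEAUTO = wrap(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '&quot;/c echo constructed&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click to update</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

# Constructed sample: a plain DDE link field (legitimate in some documents).
PLAIN_DDE = wrap('<w:p><w:fldSimple w:instr=" DDE excel sheet R1C1 "><w:r><w:t>1</w:t></w:r>'
                 '</w:fldSimple></w:p>')

# Constructed sample: a PAGE field and the string "DDE" in ordinary text only.
BENIGN = wrap('<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r>'
              '</w:fldSimple></w:p><w:p><w:r><w:t>Notes on the legacy DDE server</w:t></w:r></w:p>')


if __name__ == "__main__":
    for label, xml in (("split DDEAUTO", SPLIT_DDEAUTO), ("plain DDE", PLAIN_DDE), ("benign", BENIGN)):
        doc = build_docx(xml)
        print(label, scan_docx(doc), "naive substring hit:", naive_contains_dde(doc))
```

The benign document is the instructive case: the substring check fires on it because "DDE" occurs in prose, while the field-code check stays silent, which is the gap between a rule that matches the bytes DDE anywhere and one that matches DDE as the keyword of a field. Scanning a real .docx is `scan_docx(open(path, "rb").read())`.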