Windows Credential Guard & Mimikatz

Here at NVISO, we are proud to have contributed to the new SANS course ‚ÄúSEC599: Defeating Advanced Adversaries – Implementing Kill Chain Defenses‚ÄĚ. This six-day training focuses on implementing effective security controls to prevent, detect and respond to cyber attacks. One of the defenses covered in SEC599 is Credential Guard. Obtaining and using credentials and […]

YARA DDE rules: DDE Command Execution observed in-the-wild

The MS Office DDE YARA rules that we published yesterday detected several malicious documents samples since 10/10/2017. Remark: the malicious samples we mention were detected with our DDEAUTO rule (Office_DDEAUTO_field); as we feared, the second rule (Office_DDE_field) is generating some false positives and we will update it. The first¬†sample¬†uses PowerShell to download an executable¬†and run […]

Detecting DDE in MS Office documents

Dynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents.¬†Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents. We wrote 2 YARA rules to detect this in Office Open XML files (like .docx): […]

Active exploitation of Struts vulnerability S2-052 CVE-2017-9805

Yesterday night (06 September 2017 UTC) we observed active exploitation of Struts vulnerability S2-052 CVE-2017-9805 (announced a day earlier). Here is the request we observed: The POST request to /struts2-rest-showcase/orders/3 allowed us initially to detect this attempt. The packet capture shows that this is a full exploit attempt for reconnaissance purposes: the payload is a […]

Decoding malware via simple statistical analysis

Intro Analyzing malware often requires code reverse engineering which can scare people away from malware analysis. Executables are often encoded to avoid detection. For example, many malicious Word documents have an embedded executable payload that is base64 encoded (or some other encoding). To understand the encoding, and be able to decode the payload for further […]

Recovering custom hashes for the Petya/Notpetya malware

During our malware analysis, we often come across samples that contain (custom) hashes in stead of cleartext. Hashing is done in an effort to bypass detection and hinder malware analysts. There are tools to recover cleartext from known hashing methods (like John the Ripper and hashcat). But for custom hashing methods, you’ll have to write […]

Malicious PowerPoint Documents Abusing Mouse Over Actions

A new type of malicious MS Office document has appeared: a PowerPoint document that executes a PowerShell command by hovering over a link with the mouse cursor (this attack does not involve VBA macros). In this blogpost, we will show how to analyze such documents with free, open-source tools. As usual in attacks involving malicious […]

Analysis of a CVE-2017-0199 Malicious RTF Document

There is a new exploit (CVE-2017-0199) going around for which a patch was released by Microsoft on 11/04/2017. In this post, we analyze an RTF document exploiting this vulnerability and provide a YARA rule for detection. is a Python tool to analyze RTF documents. Running it on our sample produces a list with¬†all “entities” […]