Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1

We found 6 private keys for rogue Cobalt Strike software, enabling C2 network traffic decryption. The communication between a Cobalt Strike beacon (client) and a Cobalt Strike team server (C2) is encrypted with AES (even when it takes place over HTTPS). The AES key is generated by the beacon, and communicated to the C2 using … Continue reading Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1 →

Kusto hunting query for CVE-2021-40444

Introduction On September 7th 2021, Microsoft published customer guidance concerning CVE-2021-40444, an MSHTML Remote Code Execution Vulnerability: Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.An attacker could craft a … Continue reading Kusto hunting query for CVE-2021-40444 →

Credential harvesting and automated validation: a case study

During our incident response engagements, we very frequently come across phishing lures set up to harvest as many credentials as possible, which will likely be sold afterwards or used in follow-up attacks against an organization (or both). While many of these credential harvesting attacks follow the same pattern, from time to time we stumble upon … Continue reading Credential harvesting and automated validation: a case study →

Epic Manchego – atypical maldoc delivery brings flurry of infostealers

In July 2020, NVISO detected a set of malicious Excel documents, also known as “maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention. The creators … Continue reading Epic Manchego – atypical maldoc delivery brings flurry of infostealers →

Nessus’ UserAssist Plugin

A colleague of our German office got in touch with me to help with the interpretation of the hexadecimal output data of the UserAssist Nessus Plugin. That was an interesting request: I did not know Nessus came with such a plugin, although I'm very familiar with the UserAssist registry keys. The UserAssist registry keys register … Continue reading Nessus’ UserAssist Plugin →

Extracting Certificates From the Windows Registry

I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. The Windows registry contains binary blobs, containing certificates. Like this one: Examples of locations where certificates can be found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates Certificates, encoded in DER format, always start with value … Continue reading Extracting Certificates From the Windows Registry →