Kusto hunting query for CVE-2021-40444

Introduction. On September 7th 2021, Microsoft published customer guidance concerning CVE-2021-40444, an MSHTML Remote Code Execution Vulnerability: "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a …"

Credential harvesting and automated validation: a case study

During our incident response engagements, we very frequently come across phishing lures set up to harvest as many credentials as possible, which will likely be sold afterwards or used in follow-up attacks against an organization (or both). While many of these credential harvesting attacks follow the same pattern, from time to time we stumble upon …

Epic Manchego – atypical maldoc delivery brings flurry of infostealers

In July 2020, NVISO detected a set of malicious Excel documents, also known as "maldocs", that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention. The creators …

Extracting Certificates From the Windows Registry

I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. The Windows registry contains binary blobs containing certificates. Like this one: Examples of locations where certificates can be found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates, HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates. Certificates, encoded in DER format, always start with value …