Epic Manchego – atypical maldoc delivery brings flurry of infostealers

In July 2020, NVISO detected a set of malicious Excel documents, also known as “maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention. The creators … Continue reading Epic Manchego – atypical maldoc delivery brings flurry of infostealers →

Nessus’ UserAssist Plugin

A colleague of our German office got in touch with me to help with the interpretation of the hexadecimal output data of the UserAssist Nessus Plugin. That was an interesting request: I did not know Nessus came with such a plugin, although I'm very familiar with the UserAssist registry keys. The UserAssist registry keys register … Continue reading Nessus’ UserAssist Plugin →

Extracting Certificates From the Windows Registry

I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. The Windows registry contains binary blobs, containing certificates. Like this one: Examples of locations where certificates can be found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates Certificates, encoded in DER format, always start with value … Continue reading Extracting Certificates From the Windows Registry →