Posted on 2019-11-26 by William MacArthur
The holidays are here! The heavy rotation of holiday music fills our cars with songs like Feliz Navidad and Frosty the Snowman. YES, it is time for some stoplight karaoke with friends and family (and pets). Since this time of year is both fun and a bit stressful, we wanted to briefly go over some commonly observed threats that folks will encounter this holiday season and beyond.
Posted on 2019-11-13 by Josiah Smith
Field notes pertaining to a low-detection (5/60) malicious document that leverages a macro plus a form to pivot to VBE in serb.xml from jplymell[.]com. The lure then pivots to smartapp.jpg, a PE32 executable from the same source, which has much better detection (17/69) than the carrier that delivered it.
Posted on 2019-10-30 by Rob King
Earlier this year, we here at InQuest launched our new InQuest Labs data portal. Labs is an amazing resource, with a plethora of useful tools and intelligence offerings. Much could be written about the site, and much has been...but not about this part right here: Base64 Regular Expression Generator.
Posted on 2019-10-16 by Adam Musciano
Deep File Inspection, or DFI, is the reassembly of packets captured off of the wire into application level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. This allows heuristic analysis to better determine the intent by analysis of the file contents (containers, objects, etc.) as an artifact.
Posted on 2019-09-30 by Amini, Remen
In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers and how they can be used as both pivot and detection anchors. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. This last tenet is critical to our needs as we'll be tracking the usage and re-usage of both malicious and benign graphics within common Microsoft and Adobe document lures.