Posted on 2019-11-13 by Josiah Smith
Field notes pertaining to a low detection (5/60) malicious document that leverages a macro+form to pivot to VBE in serb.xml from jplymell[.]com. The lure then pivots to smartapp.jpg, a PE32 executable from the same source. An executable with much better detection than the carrier which delivered it (17/69).
Posted on 2019-10-30 by Rob King
Earlier this year, we here at InQuest launched our new InQuest Labs data portal. Labs is an amazing resource, with a plethora of useful tools and intelligence offerings. Much could be written about the site, and much has been...but not about this part right here: Base64 Regular Expression Generator.
Posted on 2019-10-16 by Adam Musciano
Deep File Inspection, or DFI, is the reassembly of packets captured off of the wire into application level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. This allows heuristic analysis to better determine the intent by analysis of the file contents (containers, objects, etc.) as an artifact.
Posted on 2019-09-30 by Amini, Remen
In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers and how they can be used as both pivot and detection anchors. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. This last tenet is critical to our needs as we'll be tracking the usage and re-usage of both malicious and benign graphics within common Microsoft and Adobe document lures.
Posted on 2019-09-24 by Josiah Smith
InQuest provides an automated platform for SOC hunter that includes powerful means for inspecting files to detect the presence of malicious code. The platform ingests network data and then goes through a variety of analytic functions resulting in an effective risk score. Check out this interview between Ed Amoroso of Tag Cyber and Pedram Amini, our CTO.