InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Analyzing Sophisticated PowerShell Targeting Japan

Posted on 2019-03-09 by Amirreza Niakanlahiji
In this article, we dissect a sophisticated multi-stage PowerShell script that is targeting users in Japan. We found this instance on HybridAnalysis a few days back (on March 7). This malware sample is unique because it utilizes multi-layer of obfuscation, encryption, and steganography to protect its final payload from detection. As of writing this article, none of the AntiViruses on VirusTotal detect this attack.

Family Matters: Using MinHash to Cluster Data

Posted on 2019-02-28 by Steve Esling
As we’ve discussed in our previous two Ex Machina articles, one of the goals in our machine learning efforts is to use artificial intuition as an aid in the construction of our signatures. This was previously illustrated by examining the importance of features in GB and RF algorithms, both of which are supervised techniques.

Quick Analysis of A Customer Malspam Encounter

Posted on 2019-02-26 by Josiah Smith
The InQuest platform is fully open in the sense that all analytical areas are extensible via customer defined intelligence which can include keywords, hashes, standard IOCs, and fully fledged YARA rules. This article covers the analysis of an interesting customer malspam encounter that was identified with a customer-defined YARA signature focusing on abnormally high levels of entropy within the semantic context of document files. This attack occurred at an undisclosed customer site and specifically targeted three different individuals across the organization.

Extracting "Sneaky" Excel XLM Macros

Posted on 2019-01-29 by Amirreza Niakanlahiji
In this article, we present our in-depth analysis of a malicious Microsoft Excel document (.xlm format) that we found in the wild. We show how existing open source tools can be utilized to carve out interesting artifacts. During our analysis, we also point out some tool limitations and present our solution to closing the gap.

Detecting Empire with InQuest

Posted on 2019-01-21 by Josiah Smith
Within the last few years, security researchers have released several different toolsets that leverage Microsoft's PowerShell in an offensive role, including PowerSploit, Posh-SecMod, UnmanagedPowerShell, and PowerShell-AD-Recon. These were all fantastic tools but lacked consistency and interoperability.
Blog Archive