Musings by Pedram

Pedram Amini

This blog is basically scratch notes cobbled together as a draft blog for potential grooming and release on http://blog.inquest.net

Office DDE With Rad Powershell Obfuscation

$ vti 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967 2017-10-16 19:51:47 INFO Starting VirusTotal Intelligence downloader 2017-10-16 19:51:47 INFO * VirusTotal Intelligence search: 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967 2017-10-16 19:51:47 INFO * Number of files to download: 100 2017-10-16 19:51:47 INFO Creating folder to store the requested files 2017-10-16 19:51:47 INFO Retrieving page of file hashes to download 2017-10-16 ...

Pedram Amini Posted on October 17th, 2017

Microsoft Office DDE Poland Targeted Vortex Ransomware

pedram@PedBook:~/VXFarm/dde/day-5 $ vti bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 2017-10-15 18:14:33 INFO Starting VirusTotal Intelligence downloader 2017-10-15 18:14:33 INFO * VirusTotal Intelligence search: bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 2017-10-15 18:14:33 INFO * Number of files to download: 100 2017-10-15 18:14:33 INFO Creating folder to store the requested files 2017-10-15 18:14:33 INFO Retrieving page of file ...

Pedram Amini Posted on October 15th, 2017

Microsoft Office DDE Freddie Mac Targeted Lure

Two more interesting samples came up from our hunts for Microsoft Office document Dynamic Data Exchange (DDE) payloads. For a quick jump into the conversation, the following Twitter "moment" captures relevant references and conversation surrounding the issue, detection, hunting, seen payloads, and mitigations: https://twitter.com/i/moments/918126999738175489 Getting back to the sample, it's available at: https://www.virustotal.com/en/file/313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71...

Pedram Amini Posted on October 14th, 2017

Microsoft Office DDE SEC OMB Approval Lure

Two more interesting samples came up from our hunts for Microsoft Office document Dynamic Data Exchange (DDE) payloads. For a quick jump into the conversation, the following Twitter "moment" captures relevant references and conversation surrounding the issue, detection, hunting, seen payloads, and mitigations: https://twitter.com/i/moments/918126999738175489 Getting back to the sample, it's available at: https://www.virustotal.com/en/file/9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195...

Pedram Amini Posted on October 14th, 2017

Microsoft Office DDE Macro-less Command Execution Vulnerability

On October 9th 2017, SensePost researchers posted a technique allowing for macro-less code execution from Microsoft Office documents through Dynamic Data Exchange (DDE). The following Twitter "moment" captures relevant references and conversation surrounding the issue, detection, hunting, seen payloads, and mitigations. https://twitter.com/i/moments/918126999738175489 Hunting rule: https://github.com/InQuest/yara-rules/blob/master/Microsoft_Office_DDE_Command_Execution.rule Field ...

Pedram Amini Posted on October 11th, 2017

hi.

First post via Evernote and delivered via http://postach.io. Let's check out some formatting... bold italic underline color changed highlighted Lists, with todo items: do meand me Note that the checkboxes above failed to render. How about a numeric lists: wordtobig bird Tried a colored/formatted source code paste from SublimeText Evernote plugin. Failed.... Picture test (Ritto as a puppy)... FIN -pedram

Pedram Amini Posted on March 18th, 2016