Analysis of a CVE-2017-0199 Malicious RTF Document

There is a new exploit (CVE-2017-0199) going around for which a patch was released by Microsoft on 11/04/2017. In this post, we analyze an RTF document exploiting this vulnerability and provide a YARA rule for detection. rtfdump.py is a Python tool to analyze RTF documents. Running it on our sample produces a list with all "entities" … Continue reading Analysis of a CVE-2017-0199 Malicious RTF Document

CSCBE Challenge Write-up – Sufbo

The Sufbo challenge was tackled during the Cyber Security Challenge qualifiers and proved to be very difficult to solve. This write-up gives you a possible way of solving it! Credits All challenges of the Cyber Security Challenge are created by security professionals from many different organisations. The Sufbo challenge in particular was created by Adriaan Dens, … Continue reading CSCBE Challenge Write-up – Sufbo

Tracking threat actors through .LNK files

In the blog post .LNK downloader and bitsadmin.exe in malicious Office document we were asked the following question by Harlan Carvey: Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number? We did not do that at the time, however we see the value in … Continue reading Tracking threat actors through .LNK files