Forensics
Disclaimer: These are my personal notes, published "as-is"
without warranty or guarantee of any kind. Use at your own risk. Licensed
CC BY-NC-SA 4.0.
Powershell #
- PowerShell is a common carrier for obfuscated scripts (-EncodedCommand Base64 blobs, compressed stages, string concatenation), so most samples need deobfuscating before they can be read.
- PowerDecode (Windows only)
- PSDecode (runs inside PowerShell, so it also works under pwsh on Linux; it deobfuscates by overriding Invoke-Expression and similar cmdlets and then running the script, so use it only in a disposable VM)
- Scripts can also be detonated in the Any Run sandbox
- Analyzing shell code
On Kali #
PSDecode is loaded as a PowerShell module, so PSDecode.psm1 has to sit in a directory named PSDecode under one of the paths in $Env:PSModulePath (the directory name must match the module name, otherwise autoloading does not pick it up):
┌──(kali㉿kali)-[~/psd/PSDecode]
└─$ pwsh
┌──(kali㉿kali)-[/home/kali/psd/PSDecode]
└─PS> $Env:PSModulePath
/home/kali/.local/share/powershell/Modules:/usr/local/share/powershell/Modules:/opt/microsoft/powershell/7/Modules
┌──(kali㉿kali)-[~/psd/PSDecode]
└─$ mkdir /home/kali/.local/share/powershell/Modules/PSDecode
┌──(kali㉿kali)-[~/psd/PSDecode]
└─$ mv PSDecode.psm1 /home/kali/.local/share/powershell/Modules/PSDecode
┌──(kali㉿kali)-[/home/kali]
└─PS> PSDecode -dump -beautify -verbose fileToDecode.ps1
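When PSDecode is unavailable or chokes on a sample, the two outermost wrappers seen on most obfuscated one-liners can be peeled statically. The script below is an added example, not PSDecode's or PowerDecode's code: it unwraps a `-EncodedCommand` argument (Base64 of UTF-16LE) and then any `[Convert]::FromBase64String('...')` literal feeding a GzipStream or DeflateStream, without executing anything. The command line it decodes is constructed inside `build_sample()` and is not real malware; the regexes assume the Base64 argument is unquoted and the FromBase64String argument is a string literal.

```python
"""Peel the wrapper layers of an obfuscated PowerShell one-liner (static, no execution).

Added example, not PSDecode's code. Layers handled:
  1. powershell -EncodedCommand <Base64 of UTF-16LE script>
  2. [Convert]::FromBase64String('...') feeding a GzipStream / DeflateStream
The command line in build_sample() is constructed for this example.
"""
import base64
import gzip
import re
import zlib
from typing import List, Optional

# Constructed sample: the final-stage script an analyst wants to reach.
INNER_SCRIPT = "Write-Output 'constructed sample: final stage reached'"

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (assumption: unquoted).
ENC_CMD = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# [Convert]::FromBase64String('...') with a literal argument (assumption: not a variable).
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def build_sample() -> str:
    """Wrap INNER_SCRIPT the way droppers commonly do: gzip + Base64 inside an
    IEX stub, then the whole stub passed as the -EncodedCommand argument."""
    gz_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
    stub = (
        "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
        f"[IO.MemoryStream][Convert]::FromBase64String('{gz_b64}'),"
        "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
    )
    enc = base64.b64encode(stub.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -W Hidden -Enc {enc}"


def _b64(s: str) -> bytes:
    """Decode Base64, tolerating stripped '=' padding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _decompress(blob: bytes) -> Optional[bytes]:
    """gzip when the magic matches, else try raw DEFLATE (DeflateStream); None if neither."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    try:
        return zlib.decompress(blob, -15)
    except zlib.error:
        return None


def _to_text(blob: bytes) -> str:
    """Treat the payload as UTF-16LE when every other byte is NUL, else as UTF-8."""
    if len(blob) >= 2 and blob[1:2] == b"\x00":
        try:
            return blob.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    return blob.decode("utf-8", errors="replace")


def peel_layers(cmdline: str, max_layers: int = 10) -> List[str]:
    """Return every layer from the original command line down to the innermost script."""
    layers = [cmdline]
    current = cmdline
    for _ in range(max_layers):  # bounded: hostile input could loop forever otherwise
        m = ENC_CMD.search(current)
        if m:
            # -EncodedCommand is always Base64 over UTF-16LE, whatever the file encoding.
            current = _b64(m.group(1)).decode("utf-16-le")
            layers.append(current)
            continue
        m = B64_CALL.search(current)
        if m:
            blob = _b64(m.group(1))
            plain = _decompress(blob)
            current = _to_text(blob if plain is None else plain)
            layers.append(current)
            continue
        break  # no recognised wrapper left; hand the rest to PSDecode or read it by hand
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(peel_layers(build_sample())):
        print(f"--- layer {i} ---\n{layer[:200]}")
```

Run it against a real command line by replacing `build_sample()` with the string pulled from the event log or process tree; anything the loop cannot unwrap (string concatenation, `-replace` tricks, variable-fed FromBase64String) is where PSDecode's execution-based approach earns its keep.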
Packet capture #
- Wireshark GUI
- tshark CLI (same dissectors as Wireshark, scriptable). The second command below writes every file transferred over HTTP in the capture into the http_objs directory; the same option also works for smb, imf, tftp and dicom:
brew install --cask wireshark
tshark -r capture.pcap --export-objects http,http_objs
- A-Packets - online pcap analysis (the capture is uploaded to a third party, so not for sensitive traffic)
Office docs #
- Online file analysis tool: https://hybrid-analysis.com/
- Run the file through https://any.run
- Analyzing Malicious Documents Cheat Sheet
- For both .docx and .doc files, oletools: sudo -H pip install -U oletools
- https://inquest.net/blog/2020/03/18/Getting-Sneakier-Hidden-Sheets-Data-Connections-and-XLM-Macros
.doc or .xls #
- Excel 4.0 (XLM) macro extraction and deobfuscation: XLMMacroDeobfuscator (emulates the macro-sheet formulas, so CHAR()/concatenation tricks resolve to their final strings; handles .xls, .xlsm and .xlsb). VBA macros in .doc/.xls: olevba from oletools.
.docx or .xlsx #
- Used OfficeDissector on an Ubuntu 20.04 GCP VM to export the document structure to JSON, then searched the JSON for interesting strings (URLs, OLE objects, macro references).
- Office file analysis for the OOXML (zip-based) formats only, i.e. .docx, not .doc. Requires Python 2.
# Python 2 only: OfficeDissector has not been ported to Python 3
import officedissector
doc = officedissector.doc.Document('file.docx')
doc_json = doc.to_json()
# Print (or redirect to a file) and grep the result for URLs and embedded objects
print(doc_json)
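Most of what the tools in this section report can be checked directly, because .docx/.xlsx/.xlsm files are zip packages of XML parts. The script below is an added example using only the standard library, not OfficeDissector's or oletools' code. It flags the items the InQuest post and the XLMMacroDeobfuscator entry above are about: a vbaProject.bin part, Excel 4.0 macro sheets and their formulas, sheets marked hidden or veryHidden in xl/workbook.xml, external data connections in xl/connections.xml, and any relationship with TargetMode="External" (which is how remote-template injection and external OLE objects show up). The workbook it inspects is constructed in `build_sample_xlsm()` and would not open in Excel; it exists only to exercise each check.

```python
"""Static triage of an OOXML (.docx/.xlsx/.xlsm) package with the standard library only.

Added example, not OfficeDissector's or oletools' code. The sample package in
build_sample_xlsm() is constructed for this example and is not a real document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET  # swap in defusedxml for real samples: the XML is attacker-controlled
from typing import Dict, List

NS_URI = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_MAIN = "{" + NS_URI + "}"


def triage_ooxml(data: bytes) -> Dict[str, List[str]]:
    """Return findings by category for an OOXML package held in memory."""
    findings: Dict[str, List[str]] = {
        "vba": [], "xlm_macrosheets": [], "xlm_formulas": [],
        "hidden_sheets": [], "data_connections": [], "external_rels": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for n in names:
            low = n.lower()
            if low.endswith("vbaproject.bin"):  # VBA project storage (what olevba parses)
                findings["vba"].append(n)
            if "/macrosheets/" in low:  # Excel 4.0 macro sheets
                findings["xlm_macrosheets"].append(n)
                for f in ET.fromstring(z.read(n)).iter(NS_MAIN + "f"):
                    findings["xlm_formulas"].append(f"{n}: ={f.text}")
            if low.endswith(".rels"):  # any part that links outside the package
                for rel in ET.fromstring(z.read(n)):
                    if rel.get("TargetMode") == "External":
                        findings["external_rels"].append(f"{n}: {rel.get('Target')}")
        if "xl/workbook.xml" in names:  # sheet visibility lives in the workbook part
            for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter(NS_MAIN + "sheet"):
                state = sheet.get("state", "visible")  # "hidden" or "veryHidden" when set
                if state != "visible":
                    findings["hidden_sheets"].append(f"{sheet.get('name')} ({state})")
        if "xl/connections.xml" in names:  # web queries, ODBC/OLEDB sources
            for conn in ET.fromstring(z.read("xl/connections.xml")).iter(NS_MAIN + "connection"):
                target = ""
                for child in conn:  # webPr carries url=, dbPr carries connection=
                    target = child.get("url") or child.get("connection") or target
                findings["data_connections"].append(f"{conn.get('name')}: {target}")
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed sample: the minimum set of parts needed to trip every check."""
    workbook = (
        f'<workbook xmlns="{NS_URI}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>'
    )
    # CHAR(72)&CHAR(105) is the kind of string-building XLMMacroDeobfuscator evaluates (here to "Hi").
    macrosheet = (
        f'<macrosheet xmlns="{NS_URI}"><sheetData><row r="1">'
        '<c r="A1"><f>CHAR(72)&amp;CHAR(105)</f></c><c r="A2"><f>HALT()</f></c>'
        '</row></sheetData></macrosheet>'
    )
    connections = (
        f'<connections xmlns="{NS_URI}"><connection id="1" name="Query1" type="4">'
        '<webPr url="http://example.invalid/stage2"/></connection></connections>'
    )
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="http://example.invalid/payload.bin" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/connections.xml", connections)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not a real OLE stream")
    return buf.getvalue()


if __name__ == "__main__":
    for category, hits in triage_ooxml(build_sample_xlsm()).items():
        print(f"{category}: {hits}")
```

On a real file pass `open(path, "rb").read()` to `triage_ooxml`; the same external-relationship check covers word/_rels/settings.xml.rels in a .docx, where a remote attachedTemplate target is the tell for template injection. The script only enumerates; evaluating the XLM formulas or dumping the VBA source is still XLMMacroDeobfuscator's and olevba's job.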