Toby Lewis
tobaslouis.co.uk
Global Head of Threat Analysis at @Darktrace.com

All things Cyber Security Ops, Threat Hunting, Threat Intel and Incident Mgmt.
January 5, 2025 at 4:20 PM
By default, and unless you have a premium subscription, Graphs made in VirusTotal are public and form part of their community engagement.

Want to know if anybody is researching an IOC? Want to know what other steps they've made in the investigation? VirusTotal public graphs will tell you.
December 31, 2024 at 12:19 PM
We can also use VirusTotal to tell us how many times this file has been uploaded, and a little bit of information about them.

In this case, by a single user based in the US (by IP-GEO) and uploaded via API.

This means that it either formed part of a script, or via an integration with another tool.
December 31, 2024 at 12:19 PM
What else was in that "sharedStrings.xml" file - VirusTotal gives you the ability to view the contents of files.

In this case, the only unique strings in the parent XLSX files are the IOCs we already know about. Maybe not the most exciting in this case, but worth a check!
December 31, 2024 at 12:19 PM
In other words, somebody uploaded an XLSX of IOCs to VirusTotal, which then broke apart the constituent components as separate files.

Then, realising that they made a mistake, requested that VirusTotal take down the original XLSX file.

Unfortunately, that still left behind the constituent files.
December 31, 2024 at 12:19 PM
So what Excel file was this "sharedStrings.xml" file originally part of?

VirusTotal's "Compressed Parents" field reveals a SHA256 hash of a file... which doesn't exist on VirusTotal.

Or at least, it doesn't any more.
December 31, 2024 at 12:19 PM
A modern-day Excel file (xlsx) is actually just a compressed file (zip), containing lots of individual components, such as fonts, graphics and other rich text content.

This blog is a good breakdown if you're interested in diving in more:
henrikmassow.medium.com/hacking-exce...
December 31, 2024 at 12:19 PM
But what is sharedStrings.xml? Or more specifically "xl/sharedStrings.xml"?
December 31, 2024 at 12:19 PM
Interesting OpSec aspect with regard to the BeyondTrust compromise.

(H/T to @GossiTheDog.cyberplace.social.ap.brid.gy for first spotting this)

Having a search for some of the IOCs from the BeyondTrust blog reveals that they appear in a file uploaded to VirusTotal on the 19th of December.
December 31, 2024 at 12:19 PM
5) BeyondTrust have shared the following IOCs, presumably IP addresses used by attackers to access BeyondTrust's infrastructure and to pivot into customers:

24.144.114[.]85
142.93.119[.]175
157.230.183[.]1
192.81.209[.]168

As well as some additional IPv6 addresses:
December 31, 2024 at 7:19 AM
More information on the breach:

1) In a letter to US Senators, it is revealed that attackers were able to gain access to a service at BeyondTrust that gave them remote access to US Treasury workstations.

legacy.www.documentcloud.org/documents/25...
December 31, 2024 at 7:19 AM
I can only read this in the voice of the guy who reads out the Football results.
December 4, 2024 at 3:30 PM
November 30, 2024 at 2:49 PM
OSINT challenge - Easy Edition

#lionesses
November 30, 2024 at 2:42 PM
As we're in this rapid growth of @bsky.app, not only are we going to see accounts impersonating high-profile individuals, but critically, impersonating high-reputation news sources.

All it would take is some imaginative "Breaking News" to hit public confidence.

Can the real BBC News please stand up?
November 19, 2024 at 8:04 AM
A friend asked if I had any pre-prepared content on phishing.

I was feeling particularly lazy, so got ChatGPT to give it a go. I actually quite like the simplicity of its response.
November 17, 2024 at 9:20 AM
Is it… Not speeding?
November 16, 2024 at 4:32 PM