SlideShare a Scribd company logo

Automatic MIME Attachments Triage

Xavier Mertens
Xavier Mertens

Presentation of mime2vy.py @ BotConfi 2015 (lightning talk)

Internet
1 of 12
Download to read offline
Automatic MIME Attachments Triage Botconf 2015 - Lightning Talk
TrueSec $ cat ~/whoami.xml 2 <profile> <real_name>Xavier Mertens</real_name> <day_job>Freelance Security Consultant</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]> </profile>
TrueSec $ cat ~/.profile • I like (your) data • Playing “Active Defense” • I prefer t-shirts than ties • I like to play with gadgets! 3
TrueSec Problem • Computers are compromised to join botnets • Main infection vectors remains: • HTTP • SMTP • Huge amount of data to process • Infosec people needs knowledge • Infosec people are lazy / don’t have time 4
TrueSec Solution 5
TrueSec Mime2VT 6 • Extracts MIME attachments from emails • Checks / submits interesting ones toVT • AnalysesVBA macros using olevba.py API(*) • Support zip files • Archive them • Extract URLs from emails • Export data to ELK (*) http://www.decalage.info/python/olevba
TrueSec Example 7 Nov 30 21:49:09 marge postfix/qmgr[22867]: 00F547C016C: from=<SaundersThelma17@telepac.pt>, size=188819, nrcpt=1 (queue active) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: message/rfc822 (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: application/vnd.ms-excel (invoice_details_32247759.xls) Nov 30 21:49:10 marge mime2vt.py[20225]: Found interesting file: invoice_details_32247759.xls (application/vnd.ms-excel) Nov 30 21:49:12 marge mime2vt.py[20225]: File: invoice_details_32247759.xls (0026d60cf0838a943793ce61fa0366a1) Score: 8/56 Scanned: 2015-11-30 20:45:07 (1:04:05) Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: dbAddMD5: 0026d60cf0838a943793ce61fa0366a1 Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Analyzing with oletools Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Detected file type: OLE Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: VBA Macros found Nov 30 21:49:19 marge mime2vt.py[20225]: DEBUG: Analysis dumped to /var/tmp/mime/ 2015/11/30/invoice_details_32247759.xls.analysis
TrueSec Example 8 $ cat /var/tmp/mime/2015/11/30/invoice_details_32247759.xls.analysis AutoExec | Workbook_Open | Runs when the Excel Workbook is opened Suspicious | Kill | May delete a file Suspicious | Open | May open a file Suspicious | Shell | May run an executable file or a system command Suspicious | Run | May run an executable file or a system command Suspicious | CreateObject | May create an OLE object Suspicious | WriteText | May create a text file Suspicious | SaveToFile | May create a text file Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | VBA obfuscated Strings | VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all) IOC | UpdateWinrar.js | Executable file name IOC | UpdOffice.exe | Executable file name VBA string | Total | "To" & "tal" VBA string | Code | ("Co" & "de") VBA string | B3 | ("B" & "3") VBA string | Total | ("To" & "tal") VBA string | Warning | ("War" & "ning")
TrueSec Setup 9 $ cat /etc/mime2vt.conf [virustotal] apikey: <redacted> exclude: image/png,image/gif,image/jpeg,image/bmp,text/plain,text/html,text/ english,application/pgp-signature [elasticsearch] server: 192.168.254.65:9200 index: virustotal [database] dbpath: /var/tmp/mime2vt.db $ cat $HOME/.procmailrc :0 { :0c | /usr/local/bin/mime2vt.py -d /var/tmp/mime/%y/%m/%d -c /etc/mime2vt.conf -l /var/ tmp/messages.dump :0 incoming }
TrueSec Bonus 10
TrueSec Wanna Play? 11 https://github.com/xme/mime2vt
TrueSec @xme xavier@truesec.be https://blog.rootshell.be https://www.truesec.be 12 Thank you!

Recommended

Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web CodingXavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOMEXavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015Xavier Mertens
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusXavier Mertens
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)Xavier Mertens
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 

Recommended

Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web CodingXavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOMEXavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015Xavier Mertens
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusXavier Mertens
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)Xavier Mertens
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Micah Hoffman
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryJoe Desimone
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
Pa or die
Pa or diePa or die
Pa or dieSetia Juli Irzal Ismail
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karman|u - The Open Security Community
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...Dan Vasile
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Vasile
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityJie Liau
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosImma Valls Bernaus
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011Xavier Mertens
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem FraudXavier Mertens
 

More Related Content

What's hot

Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Micah Hoffman
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryJoe Desimone
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit KitsJoe Desimone
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...Dan Vasile
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Vasile
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityJie Liau
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosImma Valls Bernaus
 

What's hot (20)

Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
 
Hunting For Exploit Kits
Hunting For Exploit KitsHunting For Exploit Kits
Hunting For Exploit Kits
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Pa or die
Pa or diePa or die
Pa or die
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 

Viewers also liked

All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" NetworkXavier Mertens
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?Xavier Mertens
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerXavier Mertens
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humansXavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Social Networks - The Good and the Bad
Social Networks - The Good and the BadSocial Networks - The Good and the Bad
Social Networks - The Good and the BadXavier Mertens
 

Viewers also liked (13)

InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" Network
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail Scanner
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humans
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
Unity makes strength
Unity makes strengthUnity makes strength
Unity makes strength
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Social Networks - The Good and the Bad
Social Networks - The Good and the BadSocial Networks - The Good and the Bad
Social Networks - The Good and the Bad
 

Similar to Automatic MIME Attachments Triage

PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Chris Hernandez
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdfMAHESHUMANATHGOPALAK
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdfBeratAkit
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
 
Useful Shareware for Technical Communicators - STC New England Interchange co...
Useful Shareware for Technical Communicators - STC New England Interchange co...Useful Shareware for Technical Communicators - STC New England Interchange co...
Useful Shareware for Technical Communicators - STC New England Interchange co...Ed Marshall
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi 6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi OdessaJS Conf
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plugKamal Rathaur
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Reproducibility and automation of machine learning process
Reproducibility and automation of machine learning processReproducibility and automation of machine learning process
Reproducibility and automation of machine learning processDenis Dus
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Idguest215c4e
 

Similar to Automatic MIME Attachments Triage (20)

PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances Enemy at the gates: vulnerability research in embedded appliances
Enemy at the gates: vulnerability research in embedded appliances
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
 
L27
L27L27
L27
 
Useful Shareware for Technical Communicators - STC New England Interchange co...
Useful Shareware for Technical Communicators - STC New England Interchange co...Useful Shareware for Technical Communicators - STC New England Interchange co...
Useful Shareware for Technical Communicators - STC New England Interchange co...
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi 6 ways to hack your JavaScript application by Viktor Turskyi
6 ways to hack your JavaScript application by Viktor Turskyi
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plug
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
Reproducibility and automation of machine learning process
Reproducibility and automation of machine learning processReproducibility and automation of machine learning process
Reproducibility and automation of machine learning process
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 

More from Xavier Mertens

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)Xavier Mertens
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018Xavier Mertens
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?Xavier Mertens
 
Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Xavier Mertens
 
BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkXavier Mertens
 
Belnet events management
Belnet events managementBelnet events management
Belnet events managementXavier Mertens
 

More from Xavier Mertens (9)

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 
Unity Makes Strength
Unity Makes StrengthUnity Makes Strength
Unity Makes Strength
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?
 
Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013
 
BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning Talk
 
Belnet events management
Belnet events managementBelnet events management
Belnet events management
 

Recently uploaded

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 

Recently uploaded (20)

Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 

Automatic MIME Attachments Triage

  • 2. TrueSec $ cat ~/whoami.xml 2 <profile> <real_name>Xavier Mertens</real_name> <day_job>Freelance Security Consultant</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]> </profile>
  • 3. TrueSec $ cat ~/.profile • I like (your) data • Playing “Active Defense” • I prefer t-shirts than ties • I like to play with gadgets! 3
  • 4. TrueSec Problem • Computers are compromised to join botnets • Main infection vectors remains: • HTTP • SMTP • Huge amount of data to process • Infosec people needs knowledge • Infosec people are lazy / don’t have time 4
  • 6. TrueSec Mime2VT 6 • Extracts MIME attachments from emails • Checks / submits interesting ones toVT • AnalysesVBA macros using olevba.py API(*) • Support zip files • Archive them • Extract URLs from emails • Export data to ELK (*) http://www.decalage.info/python/olevba
  • 7. TrueSec Example 7 Nov 30 21:49:09 marge postfix/qmgr[22867]: 00F547C016C: from=<SaundersThelma17@telepac.pt>, size=188819, nrcpt=1 (queue active) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: message/rfc822 (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: application/vnd.ms-excel (invoice_details_32247759.xls) Nov 30 21:49:10 marge mime2vt.py[20225]: Found interesting file: invoice_details_32247759.xls (application/vnd.ms-excel) Nov 30 21:49:12 marge mime2vt.py[20225]: File: invoice_details_32247759.xls (0026d60cf0838a943793ce61fa0366a1) Score: 8/56 Scanned: 2015-11-30 20:45:07 (1:04:05) Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: dbAddMD5: 0026d60cf0838a943793ce61fa0366a1 Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Analyzing with oletools Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Detected file type: OLE Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: VBA Macros found Nov 30 21:49:19 marge mime2vt.py[20225]: DEBUG: Analysis dumped to /var/tmp/mime/ 2015/11/30/invoice_details_32247759.xls.analysis
  • 8. TrueSec Example 8 $ cat /var/tmp/mime/2015/11/30/invoice_details_32247759.xls.analysis AutoExec | Workbook_Open | Runs when the Excel Workbook is opened Suspicious | Kill | May delete a file Suspicious | Open | May open a file Suspicious | Shell | May run an executable file or a system command Suspicious | Run | May run an executable file or a system command Suspicious | CreateObject | May create an OLE object Suspicious | WriteText | May create a text file Suspicious | SaveToFile | May create a text file Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) Suspicious | VBA obfuscated Strings | VBA string expressions were detected, may be used to obfuscate strings (option --decode to see all) IOC | UpdateWinrar.js | Executable file name IOC | UpdOffice.exe | Executable file name VBA string | Total | "To" & "tal" VBA string | Code | ("Co" & "de") VBA string | B3 | ("B" & "3") VBA string | Total | ("To" & "tal") VBA string | Warning | ("War" & "ning")
  • 9. TrueSec Setup 9 $ cat /etc/mime2vt.conf [virustotal] apikey: <redacted> exclude: image/png,image/gif,image/jpeg,image/bmp,text/plain,text/html,text/ english,application/pgp-signature [elasticsearch] server: 192.168.254.65:9200 index: virustotal [database] dbpath: /var/tmp/mime2vt.db $ cat $HOME/.procmailrc :0 { :0c | /usr/local/bin/mime2vt.py -d /var/tmp/mime/%y/%m/%d -c /etc/mime2vt.conf -l /var/ tmp/messages.dump :0 incoming }