InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Extracting "Sneaky" Excel XLM Macros

Posted on 2019-01-29 by Amirreza Niakanlahiji and Pedram Amini

In this article, we present our in-depth analysis of a malicious Microsoft Excel document (.xlm format) that we found in the wild. We show how existing open source tools can be utilized to carve out interesting artifacts. During our analysis, we also point out some tool limitations and present our solution for closing the gap. Ultimately, our goal is to orchestrate the carving of as many artifacts as possible, for robust threat detection and prevention.

Detecting Empire with InQuest

Posted on 2019-01-21 by Josiah Smith

Within the last few years, security researchers have released several different toolsets that leverage Microsoft's PowerShell in an offensive role, including PowerSploit, Posh-SecMod, UnmanagedPowerShell, and PowerShell-AD-Recon. These were all fantastic tools but lacked consistency and interoperability.

This is where Empire changed everything.

Ex Machina: A Frolic through the Forests

Posted on 2018-12-28 by Steve Esling

In our previous entry of the Ex Machina series, we gave a broad overview of how machine learning is used in computer security, and briefly mentioned some of the techniques that InQuest is utilizing to apply the insights gained by our artificial co-workers. Today, we’re going to take a deeper dive into two of our classifiers, Random Forests (RF) and Gradient Boosting (GB), and discuss some of their interesting findings. As Gradient Boosting is more a subtype of Random Forest, rather than an entirely separate algorithm in and of itself, we’ll just be giving an explanation of RF algorithms; GB forests add a few more high-level mathematical calculations to how they construct and use their trees.

Short-Circuiting Boolean Operators in YARA

Posted on 2018-12-18 by Rob King

Here at InQuest, YARA is among the many tools we use to perform deep-file inspection, with a fairly extensive rule set. InQuest operates at line speed in very high-traffic networks, so these rules need to be fast.

This blog post is the second in a series discussing YARA performance notes, tips, and hacks.

Ex Machina: Man + Machine

Posted on 2018-11-14 by Stephen Esling

Since its introduction by WheelGroup in 1995, signature-based detection has been a staple of antivirus software. Now, over twenty years later, it seems that it’s reached the limits of its usefulness. In 2016, the Webroot Threat Report reported that, thanks to a large spike in the usage of polymorphic, or self-altering, code, 94% of malware that year was found to be unique, having only been encountered once. This trend has only continued into 2018, and, like shaking an Etch-A-Sketch, with every shift in form taken by a malicious file, all work done on defining its characteristics becomes obsolete. We at InQuest have found a robust solution to this problem via the use of generalized, heuristic signatures that work together to give an overall likelihood of a file’s potential maliciousness, but such signatures can be difficult and unintuitive to create.