I’m a huge fan of MS file formats, mostly because they provide for the possibility of an immense (and often untapped, unexploited) amount of metadata. Anyone who’s followed me for any length of time, or has read my blog, knows that I’m a huge fan of file formats such as Registry hives (and non-Registry files with the same structure), as well as LNK files.
Historically, lots of different MS file formats have contained significant, and often damning, metadata. Anyone remember the issue of MSWord metadata that the Blair administration encountered over two decades ago? I shared some information related to coding, using the file as an exemplar, in the WindowsIR blog.
I ran across a LinkedIn post from Maurice Fielenbach, where he talked about an infostealer bundled in an MSI file. Interestingly enough, MSI files are structured storage files, following the OLE format, albeit with different streams, the same as MSWord docs and JumpList files.
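Because MSI, Word .doc and Jump List files all share the OLE compound file (CFB) container, a triage step that does not depend on the extension is to check the container header itself. The following is an added example, not code from the original post or from the tools it mentions; it parses the fixed 512-byte CFB header from a byte string, and the sample header it checks is constructed inline rather than taken from a real file.

```python
import struct

# Compound File Binary signature, identical for MSI, .doc and *.automaticDestinations-ms
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE  # sector-chain terminator used in FAT/DIFAT entries


def parse_cfb_header(data):
    """Return a dict of header fields if `data` starts with a valid CFB header, else None.

    Only the header is inspected; streams are not walked. Field offsets follow the
    MS-CFB specification (header is always the first 512 bytes of the file).
    """
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None

    # Offsets 24..33: minor version, major version, byte order marker,
    # sector shift (9 -> 512 bytes, 12 -> 4096 bytes), mini sector shift (6 -> 64 bytes)
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from(
        "<HHHHH", data, 24
    )
    # Offsets 40..75: nine little-endian DWORDs describing the FAT / directory layout
    (num_dir_sectors, num_fat_sectors, first_dir_sector, _transaction_sig,
     mini_stream_cutoff, first_minifat_sector, num_minifat_sectors,
     first_difat_sector, num_difat_sectors) = struct.unpack_from("<9I", data, 40)

    # Sanity checks a parser should refuse on rather than guess:
    if byte_order != 0xFFFE:          # only little-endian files exist in practice
        return None
    if major not in (3, 4) or sector_shift not in (9, 12):
        return None

    sector_size = 1 << sector_shift
    return {
        "major_version": major,
        "minor_version": minor,
        "sector_size": sector_size,
        "mini_sector_size": 1 << mini_shift,
        "mini_stream_cutoff": mini_stream_cutoff,
        "num_fat_sectors": num_fat_sectors,
        "first_dir_sector": first_dir_sector,
        # sector N starts at byte (N + 1) * sector_size because the header occupies sector -1
        "dir_stream_offset": (first_dir_sector + 1) * sector_size,
        "num_difat_sectors": num_difat_sectors,
        "difat_inline_only": first_difat_sector == ENDOFCHAIN,
    }


def build_sample_header():
    """Construct a minimal, well-formed v3 CFB header for demonstration (not a real file)."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)
    struct.pack_into(
        "<9I", hdr, 40,
        0,           # number of directory sectors (always 0 for version 3)
        1,           # one FAT sector
        1,           # first directory sector
        0,           # transaction signature
        4096,        # mini stream cutoff size
        ENDOFCHAIN,  # no mini FAT
        0,
        ENDOFCHAIN,  # DIFAT fits in the header, no DIFAT sectors
        0,
    )
    # DIFAT array (109 entries from offset 76): entry 0 points at FAT sector 0, rest free
    struct.pack_into("<I", hdr, 76, 0)
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 76 + 4 * i, 0xFFFFFFFF)
    return bytes(hdr)


SAMPLE_HEADER = build_sample_header()

if __name__ == "__main__":
    print(parse_cfb_header(SAMPLE_HEADER))
    print(parse_cfb_header(b"MZ" + b"\x00" * 510))  # a PE stub, not a compound file
```

Running this on the first 512 bytes of a suspect .msi, .doc or Jump List file tells you whether a full structured-storage viewer such as the one the post mentions is the right next tool; the header alone does not reveal which streams are present, so it identifies the container, not the document type.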
I’m not a malware RE guy, so I don’t have a specialized tool set for parsing these kinds of files. I generally start with the MiTeC Structured Storage Viewer, something I’ve used before. In the image to the left, you can see the S
[…]
This article has been indexed from Windows Incident Response