Internet Security Cheatsheets

ANALYZING MALICIOUS DOCUMENTS

This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and PDF files.

General Approach to Document Analysis

1. Examine the document for anomalies, such as risky tags, scripts, and embedded artifacts.
2. Locate embedded code, such as shellcode, macros, JavaScript, or other suspicious objects.
3. Extract suspicious code or objects from the file.
4. If relevant, deobfuscate and examine macros, JavaScript, or other embedded code.
5. If relevant, emulate, disassemble and/or debug shellcode that you extracted from the document.
6. Understand the next steps in the infection chain.

Microsoft Office Format Notes

Binary Microsoft Office document files (.doc, .xls, etc.) use the OLE2 (a.k.a. Structured Storage) format.
SRP streams in OLE2 documents sometimes store a cached version of earlier VBA macro code.
OOXML document files (.docx, .xlsm, etc.) supported by Microsoft Office are compressed zip archives.
VBA macros in OOXML documents are stored inside an OLE2 binary file (vbaProject.bin), which is within the zip archive.
Excel supports XLM (Excel 4.0) macros that are embedded as formulas in macro sheets, without the OLE2 binary file.
RTF documents don't support macros but can contain malicious embedded files and objects.
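The OOXML layout described in the format notes, as an added example that is not part of the cheat sheet: a Python script that opens an OOXML archive, checks whether a vbaProject.bin part really starts with the OLE2 magic, and lists Excel 4.0 macro sheets. The sample archives it builds are constructed stubs, not real documents; the part names follow the OOXML layout (xl/vbaProject.bin, xl/macrosheets/), the contents are placeholders.

```python
"""Added example, not part of the cheat sheet: inspect an OOXML file for the
macro containers the format notes describe. The archives are built in memory
from constructed stub parts so the script runs offline."""
import io
import zipfile

# First 8 bytes of any OLE2 / Structured Storage container.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def inspect_ooxml(data: bytes) -> dict:
    """Return the OOXML parts that can carry macro code, plus anything odd."""
    findings = {"vba_ole2_parts": [], "xlm_macrosheets": [], "suspicious_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # A document part should never point outside the archive root.
            if name.startswith("/") or ".." in name.split("/"):
                findings["suspicious_parts"].append(name)
                continue
            if lower.endswith("vbaproject.bin"):
                # VBA lives in an OLE2 binary nested inside the zip.
                if zf.read(name).startswith(OLE2_MAGIC):
                    findings["vba_ole2_parts"].append(name)
                else:
                    findings["suspicious_parts"].append(name)  # named like VBA, not OLE2
            elif lower.startswith("xl/macrosheets/") and lower.endswith(".xml"):
                # XLM (Excel 4.0) macros: formulas in a macro sheet, no OLE2 needed.
                findings["xlm_macrosheets"].append(name)
    findings["has_macros"] = bool(findings["vba_ole2_parts"] or findings["xlm_macrosheets"])
    return findings


def build_sample(kind: str) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (stub parts only)."""
    parts = {
        "[Content_Types].xml": b'<?xml version="1.0"?><Types/>',
        "_rels/.rels": b'<?xml version="1.0"?><Relationships/>',
    }
    if kind == "xlsm":
        parts["xl/workbook.xml"] = b"<workbook/>"
        parts["xl/vbaProject.bin"] = OLE2_MAGIC + b"\x00" * 504  # fake OLE2 header
        parts["xl/macrosheets/sheet1.xml"] = b'<xm><f>EXEC("calc.exe")</f></xm>'
    elif kind == "docx":
        parts["word/document.xml"] = b"<document/>"
    elif kind == "fake_vba":
        # Something called vbaProject.bin that is not an OLE2 container.
        parts["word/vbaProject.bin"] = b"not an ole2 file"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("xlsm", "docx", "fake_vba"):
        print(kind, inspect_ooxml(build_sample(kind)))
```

To run it on a real file, pass open(path, "rb").read() to inspect_ooxml. A vbaProject.bin without the OLE2 header, or a part whose path escapes the archive root, is a reason to look closer, not proof of anything; zipdump.py and olevba then do the actual extraction and macro decoding that this check only flags.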
Useful MS Office File Analysis Commands

Examine contents of OOXML file file.pptx: zipdump.py file.pptx
Extract file with index 3 from file.pptx to STDOUT: zipdump.py file.pptx -s 3 -d
Locate and extract macros from file.xlsm: olevba file.xlsm
Display stats about streams in file.xls: oledump.py file.xls -i
Extract VBA source code from stream 3 in file.xls: oledump.py file.xls -s 3 -v
Format XML file supplied via STDIN for easier analysis: xmldump.py pretty
Find obfuscated URLs in file.xls macros: oledump.py file.xls -p plugin_http_heuristics
Emulate the execution of macros in file.doc to analyze them: vmonkey file.doc
Remove the password prompt from macros in file.ppt: evilclippy -uu file.ppt
Decrypt infile.docm using the specified password to create outfile.docm: msoffcrypto-tool infile.docm outfile.docm -p
Disassemble VBA-stomped p-code macro from file.doc: pcodedmp file.doc
Decompile VBA-stomped p-code macro from file.doc: pcode2code file.doc
Extract objects embedded into RTF file file.rtf: rtfobj.py file.rtf
List groups and structure of RTF file file.rtf: rtfdump.py file.rtf
Examine objects in RTF file file.rtf: rtfdump.py file.rtf -O
Extract hex contents from group 5 in RTF file file.rtf: rtfdump.py file.rtf -s 5 -H -d
Deobfuscate XLM (Excel 4) macros in file.xlsm: xlmdeobfuscator --file file.xlsm

Risky PDF Keywords

/OpenAction and /AA specify the script or action to run automatically.
/JavaScript, /JS, /AcroForm, and /XFA can specify JavaScript to run.
/URI accesses a URL, perhaps for phishing.
/SubmitForm and /GoToR can send data to a URL.
/ObjStm can hide objects inside an object stream.
Be mindful of obfuscation with hex codes in names, such as /JavaScript vs. /J#61vaScript.

Useful PDF File Analysis Commands

Display risky keywords present in file file.pdf: pdfid.py file.pdf -n
Show stats about keywords; add "-O" to include object streams: pdf-parser.py file.pdf -a
Display contents of object id; add "-d" to dump the object's stream: pdf-parser.py file.pdf -o id
Display objects that reference object id: pdf-parser.py file.pdf -r id
Decrypt infile.pdf using password pass to create outfile.pdf: qpdf --password=pass --decrypt infile.pdf outfile.pdf

Shellcode and Other Analysis Commands

Locate shellcode patterns inside the binary file file.bin: xorsearch -W -d 3 file.bin
Emulate execution of shellcode in file.bin; use "/off" to specify the offset: scdbgc /f file.bin
Execute shellcode in file.bin to observe its behavior in an isolated lab: runsc32 -f file.bin -n
List Base64-encoded strings present in file file.txt: base64dump.py file.txt
Convert numbers that represent characters in file to a string: numbers-to-string.py file

Additional Document Analysis Tools

SpiderMonkey, cscript, and box-js help deobfuscate JavaScript that you extract from document files.
Use the debugger built into Microsoft Office to deobfuscate macros in an isolated lab.
Use AMSIScriptContentRetrieval.ps1 to observe Microsoft Office execute macros in an isolated lab.
Some automated analysis sandboxes can analyze aspects of malicious document files.
The REMnux distro includes many of the free document analysis tools mentioned above.
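The hex-escape trick called out under Risky PDF Keywords, as an added example that is not part of the cheat sheet: a Python scanner that tokenizes PDF names, undoes the #xx escapes that turn /JavaScript into /J#61vaScript, and counts the risky keywords the way pdfid.py does. The sample PDF below is constructed for the demo; it is not a real malicious file and the risky keyword list is exactly the one on this page.

```python
"""Added example, not part of the cheat sheet: count the risky PDF names after
undoing #xx hex-escape obfuscation. SAMPLE_PDF is a constructed document."""
import re

RISKY_NAMES = (
    "/OpenAction", "/AA", "/JavaScript", "/JS", "/AcroForm", "/XFA",
    "/URI", "/SubmitForm", "/GoToR", "/ObjStm",
)

# A PDF name starts with "/" and runs until whitespace or a delimiter character.
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
# Inside a name, #xx encodes the byte 0xxx (PDF 1.2 and later).
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes: b'/J#61vaScript' -> b'/JavaScript'."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_names(data: bytes):
    """Return (count per risky name, set of risky names that appeared hex-escaped)."""
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = set()
    for m in NAME_TOKEN.finditer(data):
        raw = b"/" + m.group(1)
        name = normalize_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                obfuscated.add(name)
    return counts, obfuscated


# Constructed sample: a catalog-level /OpenAction, a page /AA, and a JavaScript
# action whose action type and script key are both hex-escaped.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R/AcroForm<</Fields[]/XFA 5 0 R>>>>endobj
2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj
3 0 obj<</Type/Page/Parent 2 0 R/AA<</O 4 0 R>>>>endobj
4 0 obj<</S/J#61vaScript/J#53(app.alert(1))>>endobj
5 0 obj<</Length 0>>stream
endstream
endobj
trailer<</Root 1 0 R>>
%%EOF
"""

if __name__ == "__main__":
    counts, obfuscated = scan_pdf_names(SAMPLE_PDF)
    for name, n in counts.items():
        if n:
            print(f"{name:12} {n}{'  (hex-escaped)' if name in obfuscated else ''}")
```

A raw scan like this, and pdfid.py itself, only see names that sit uncompressed in the file; keywords inside a compressed object stream (/ObjStm) stay hidden until pdf-parser.py -a -O expands it, which is why a non-zero /ObjStm count with few other hits deserves a second look.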
Authored by Lenny Zeltser with feedback from Pedro Bueno and Didier Stevens. Malicious document analysis and related topics are covered in the SANS Institute course
FOR610: Reverse-Engineering Malware, which Lenny co-authored. Creative Commons v3 “Attribution” License for this cheat sheet version 4.1. More at zeltser.com/cheat-sheets.
TIPS FOR GETTING THE RIGHT IT JOB

This cheat sheet presents practical tips for finding and getting the right job in Information Technology.

Preparing Yourself in Advance

Understand what jobs you want to pursue in the short term and as part of your long-term career.
Determine what skills and experience will help you get the jobs you desire.
Devise and begin executing the plan to obtain the relevant education, training, and certifications.
Obtain the skills and experience through personal and work projects. Balance depth with breadth.
Be careful not to become complacent in a job that makes you too comfortable.
Build an online persona that's both appropriate for you and desirable to potential employers.
Craft several elevator pitches to briefly explain who you are and what jobs might interest you.
Treat yourself as a multifaceted company when managing your career.

Social Networking as Part of Your Career

Build professional relationships with people before you start asking them for job search favors.
Consider how you might help others along their career path and offer assistance when appropriate.
Ask for advice, feedback, and guidance from the professionals whom you respect.
Seek informational interviews when learning about a potential company or a job you might pursue later.
Don't take for granted the help and advice that people in your professional network offer.
Keep the members of your social network regularly apprised of your career progress.

Finding the IT Position Worth Pursuing

Understand what characteristics make you stand out from your competition. What makes you an expert?
Look for job postings on companies' websites and on dedicated job websites. (That's a given.)
Establish a relationship with a few recruiters in your industry and make sure they understand you.
Allow potential employers to find you even when you aren't looking for a job, so serendipity can occur.
Consider whether you'll need to move to the locations that have the job openings you seek.
Explore multiple social circles when looking for a job: friends, former colleagues, college friends, etc.
Participate in events attended by the people within the industries or companies where you want to work.
Network within the companies you want to join to find positions that might not be officially advertised.
Consider whether you'll accept a less attractive job to break into the field, industry, or company you desire.
Find a way to contact the hiring manager directly in addition to applying through the official channel.

Crafting and Polishing Your Resume

Review resumes of similarly skilled people to understand your job options and competition.
Understand the job requirements of the position beyond what's in the official description.
Customize your resume to match the specific requirements of the position you're pursuing.
Make sure that every bullet point in your resume answers the question "So what?"
Don't rely on your resume as the primary way of getting the job for which you're applying.
Be truthful and brief in the text of your resume.
Describe both technical and "soft" skills (communications, sales, etc.) in your resume.

Handling the Interview for an IT Job

Research the organization and the position you're pursuing. How are they different from others?
Research the people who will interview you, so you can better engage them during the conversation.
Find out the dress code for the interview. When in doubt, it's usually safer to overdress.
Be ready to ask a few insightful, non-obvious questions during the interview.
Treat the interview as a conversation, not a one-sided Q&A session.
Use the interview as a chance to explore the culture of the company where you might end up working.
Send a thank-you note after the interview, referring to the specific topics discussed in the interview.

Negotiating the Compensation Package

Understand what salary you can expect by looking at survey findings, job postings, peer discussions, etc.
Be prepared to answer the potential employer's questions about your current compensation.
Consider all aspects of the compensation package, including salary, bonus, benefits, training, perks, etc.
Understand which aspects of the compensation package the employer can actually negotiate.
Understand your best alternative to a negotiated agreement (BATNA) to know when to say "no."
Stay engaged with the hiring manager throughout the negotiation process, which might span weeks.
Remember to show that you're excited about the new job and that you also value your self-worth.
Research and practice influence techniques that might add to your negotiating power or confidence.

Career Tips for Information Security

Lesley Carhart's "Starting an InfoSec Career" advice.
Brian Krebs' series of interviews on breaking into the information security industry.
Hal Pomeranz's advice on getting started in information security or any other career.
Lenny Zeltser on recruiting infosec professionals.
Authored by Lenny Zeltser, who writes an information security blog at zeltser.com; you can also find him on Twitter as @lennyzeltser. You can explore Lenny’s other information security and IT tips
at zeltser.com/cheat-sheets. This document is at version 1.2. It is distributed according to the Creative Commons v3 “Attribution” License.
TROUBLESHOOTING HUMAN COMMUNICATIONS

This cheat sheet offers communication tips for technologists, engineers, and information workers.

What if They Just Don't Get It?

The person might want to agree, but emotions won't let them. Help them back out without losing face.
Don't assume they don't understand your reasoning; explaining again in the same way often doesn't help.
Empathy is the key. What is your listener's perspective? What's important to him or her?
Acknowledge your differences in perspectives.
Phrase your argument using the other person's terminology, objectives, and world view.
Maybe you're not yelling loudly enough. (Kidding!)
Take a time out. Switch the venue or medium.
Involve an impartial, respected person as a mediator.
Watch out for jargon. If it obfuscates the issue, look for a way to get it rephrased.
Track interaction approaches that work with the person; stick to the method that succeeded earlier.
Maybe you're wrong. It happens to the best of us.

Persuading a More Technical Person

Research technical aspects of the issue beforehand. What objections or new data may arise?
Get solid data to support your argument. Be ready to drill into details.
Remember that people often decide based on emotions, even when presented with data.
Practice in front of a friendly, more technical person.

Persuading a Less Technical Person

Don't make the other party feel dumb due to the lack of technical insight. Sounding superior backfires.
State your conclusion first, before discussing the details of how you arrived at it.
Research non-technical aspects of the issue beforehand. What objections or new data may arise?
Practice in front of a friendly, less technical person.

Tips for Better Email Messages

If you haven't persuaded after several back-and-forth emails, pick up the phone or speak in person.
If sending a thank-you note, send it ASAP.
If your message is longer than 2 paragraphs, shorten it or use another medium.
If your email is being ignored, send a follow-up. Don't take it personally; people get too much email.
Note the time of day and day of the week when the recipient responds most often. Send your message then.
Lead with the strongest statement to grab attention.
Assume only your first 2 sentences will be read.
Use the Subject line to get your main point across.
Use email to prepare the person for an in-person meeting or a phone conversation.
Don't respond in the heat of the moment. Let your emotions cool off before hitting the Send button.
Don't forget about non-email mediums: phone, post, LinkedIn, Twitter, Facebook, billboard, tattoo, etc.

In-Person Conversations

Dress appropriately for the venue, topic, expectations, and social norms.
Consider where to speak: your workplace, his or her workplace, water cooler, lunchroom, etc.
Find the best timing: some are grumpy in the mornings, sleepy after lunch, in a hurry at 5pm, etc.
Come prepared. Impromptu talks on important topics have been known to lead to trouble.
Harness the power of sharing a tasty treat.
When in doubt, use a breath freshener.
If you or the other party are in a foul mood, consider putting the conversation on hold and resuming later.
Mimic the other party's general posture and gestures, but not exactly movement for movement.
Be mindful of cultural differences in gestures and the distance between speaking parties.
Smile. Breathe. Don't avoid eye contact.
Practice a strong handshake. No limp wrist!
Conclude by agreeing on the next steps and timeline.

Presenting to Managers and Executives

Be brief. (E.g., consider "the elevator pitch.")
Make your message business-relevant.
If showing slides, use fewer bullet points. Consider skipping the slides altogether.
In preparation, ask yourself and answer "So what?" for the facts and conclusions you will discuss.
Find an "executive sponsor" who will offer feedback beforehand and support you during the presentation.
Use the tools, terminology, and conventions that your audience employs (e.g., the SWOT matrix).

At a Social Networking Reception

Come early: there are fewer people, and attendees are fresh.
Don't stay by your friends' side. Meet new people.
It's OK to come up to groups of strangers and join a conversation. Receptions are public conversations.
Welcome newcomers into your conversations.
Prepare chit-chat topics by reading news, books, etc.
Hold an appropriate prop (e.g., a wine glass) in one hand, but keep the other hand free to shake hands.
Use people's names when speaking with them.
Be enthusiastic. Try to look friendly and approachable.

Improving Communication Skills

Improvisational or stand-up comedy classes help.
Consider joining a local Toastmasters club.
Attend writing workshops (creative, resume, etc.).
Practice on friends and in low-risk environments.
Article: How to Be Heard in IT Security and Business
Authored by Lenny Zeltser, who writes an information security blog at zeltser.com; you can also find him on Twitter as @lennyzeltser. You can explore Lenny’s other information security and IT
tips at zeltser.com/cheat-sheets. This document is at version 1.5. It is distributed according to the Creative Commons v3 “Attribution” License.
MALWARE ANALYSIS CHEAT SHEET

The analysis and reversing tips behind this reference are covered in the SANS Institute course FOR610: Reverse-Engineering Malware.

Overview of the Malware Analysis Process

1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
3. Examine static properties and metadata of the specimen for triage and early theories.
4. Emulate code execution to identify malicious capabilities and contemplate next steps.
5. Perform behavioral analysis to examine the specimen's interactions with its environment.
6. Analyze relevant aspects of the code statically with a disassembler and decompiler.
7. Perform dynamic code analysis to understand the more difficult aspects of the code.
8. If necessary, unpack the specimen.
9. Repeat steps 4-8 above as necessary (the order may vary) until analysis objectives are met.
10. Augment your analysis using other methods, such as memory forensics and threat intel.
11. Document findings, save analysis artifacts, and clean up the laboratory for future analysis.

Behavioral Analysis

Be ready to revert to a good state via virtualization snapshots, Clonezilla, dd, FOG, PXE booting, etc.
Monitor local interactions (Process Hacker, Process Monitor, ProcDOT, Noriben).
Detect major local changes (RegShot, Autoruns).
Monitor network interactions (Wireshark, Fiddler).
Redirect network traffic (fakedns, accept-all-ips).
Activate services (INetSim or actual services) requested by malware and reinfect the system.
Adjust the runtime environment for the specimen as it requests additional local or network resources.

Ghidra for Static Code Analysis

Go to specific destination: g
Show references to instruction: Ctrl+Shift+f
Insert a comment: ;
Follow jump or call: Enter
Return to previous location: Alt+Left
Go to next location: Alt+Right
Undo: Ctrl+z
Define data type: t
Add a bookmark: Ctrl+d
Text search: Ctrl+Shift+e
Add or edit a label: l
Disassemble values: d

x64dbg/x32dbg for Dynamic Code Analysis

Run the code: F9
Step into/over instruction: F7 / F8
Execute until selected instruction: F4
Execute until the next return: Ctrl+F9
Show previous/next executed instruction: - / +
Return to previous view: *
Go to specific expression: Ctrl+g
Insert comment / label: ; / :
Show current function as a graph: g
Set software breakpoint on specific instruction: select instruction » F2
Set software breakpoint on API: go to the Command prompt » SetBPX API Name
Highlight all occurrences of the keyword in disassembler: h » click on keyword
Assemble instruction in place of selected one: select instruction » Spacebar
Edit data in memory or instruction opcode: select data or instruction » Ctrl+e
Extract API call references: right-click in disassembler » Search for » Current module » Intermodular calls

Unpacking Malicious Code

Determine whether the specimen is packed by using Detect It Easy, Exeinfo PE, Bytehist, peframe, etc.
To try unpacking the specimen quickly, infect the lab system and dump from memory using Scylla.
For more precision, find the Original Entry Point (OEP) in a debugger and dump with OllyDumpEx.
To find the OEP, anticipate the condition close to the end of the unpacker and set the breakpoint there.
Try setting a memory breakpoint on the stack at the unpacker's beginning to catch it during cleanup.
To get closer to the OEP, set breakpoints on APIs such as LoadLibrary, VirtualAlloc, etc.
To intercept process injection, set breakpoints on VirtualAllocEx, WriteProcessMemory, etc.
If you cannot dump cleanly, examine the packed specimen via dynamic code analysis while it runs.
Rebuild imports and other aspects of the dumped file using Scylla and pe_unmapper.

Bypassing Other Analysis Defenses

Decode obfuscated strings statically using FLOSS, xorsearch, Balbuzard, etc.
Decode data in a debugger by setting a breakpoint after the decoding function and examining the results.
Conceal x64dbg/x32dbg via the ScyllaHide plugin.
To disable anti-analysis functionality, locate and patch the defensive code using a debugger.
Look out for tricky jumps via TLS, SEH, RET, CALL, etc. when stepping through the code in a debugger.
If analyzing shellcode, use scdbg and runsc.
Disable ASLR via setdllcharacteristics or CFF Explorer.
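Static string decoding of the kind xorsearch performs (the "Bypassing Other Analysis Defenses" tip here, and the xorsearch -W entry on the malicious documents sheet), as an added example that is not part of the cheat sheet: a Python search that tries every single-byte XOR key and every byte rotation against a buffer and reports where known markers appear. The buffer is constructed for the demo; the markers are real, widely used ones (the DOS stub text, a URL prefix, and the x86 bytes of mov eax, fs:[0x30], the PEB lookup that position-independent shellcode uses to find loaded modules).

```python
"""Added example, not from the cheat sheet: a small version of what xorsearch
does when hunting for strings or shellcode hidden behind single-byte XOR or
bit rotation. build_sample() returns a constructed buffer, not real malware."""

PATTERNS = {
    "dos_stub": b"This program cannot be run in DOS mode",
    "url": b"http://",
    "peb_access": b"\x64\xa1\x30\x00\x00\x00",   # mov eax, fs:[0x30]
}


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo single-byte XOR; key 0 is the identity, so plain hits are reported too."""
    return data.translate(bytes(b ^ key for b in range(256)))


def ror_decode(data: bytes, n: int) -> bytes:
    """Undo a ROL-by-n encoding by rotating every byte right by n bits."""
    return data.translate(bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in range(256)))


def find_encoded_patterns(data: bytes, patterns=PATTERNS):
    """Try every decoder and return (decoder, parameter, pattern, offset) hits."""
    hits = []
    decoders = [("xor", k, xor_decode) for k in range(256)]
    decoders += [("ror", n, ror_decode) for n in range(1, 8)]
    for kind, param, decode in decoders:
        decoded = decode(data, param)
        for label, pattern in patterns.items():
            start = 0
            while (pos := decoded.find(pattern, start)) != -1:
                hits.append((kind, param, label, pos))
                start = pos + 1
    return hits


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed: 8 filler bytes, then a PE-like blob XORed with `key`."""
    plain = (b"MZ\x90\x00"
             + PATTERNS["dos_stub"]
             + PATTERNS["peb_access"]
             + b"http://example.test/stage2")
    return b"\x00" * 8 + xor_decode(plain, key)   # XOR is its own inverse


if __name__ == "__main__":
    for hit in find_encoded_patterns(build_sample()):
        print("%s %#04x  %-10s at offset %d" % hit)
```

Short markers produce chance hits across 255 keys, so keep patterns at least six bytes long or require two different markers to agree on the same key before trusting the result; xorsearch also tries ROT and SHIFT encodings and multi-byte keys, which this sketch leaves out.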
Authored by Lenny Zeltser, who is the CISO at Axonius and Faculty Fellow at SANS Institute. You can find him at twitter.com/lennyzeltser and zeltser.com.
Download this and other Lenny’s security cheat sheets from zeltser.com/cheat-sheets. Creative Commons v3 “Attribution” License for this cheat sheet version 2.2.
REMNUX USAGE TIPS FOR MALWARE ANALYSIS ON LINUX

This cheat sheet outlines some of the commands and tools for analyzing malware using the REMnux distro.

Get Started with REMnux

Get REMnux as a virtual appliance, install the distro on a dedicated system, or add it to an existing one.
Review REMnux documentation at docs.remnux.org.
Keep your system up to date by periodically running "remnux upgrade" and "remnux update".
Become familiar with REMnux malware analysis tools available as Docker images.
Know the default logon credentials: remnux/malware

Operate Your REMnux System

Shut down the system: shutdown
Reboot the system: reboot
Switch to a root shell: sudo -s
Renew DHCP lease: renew-dhcp
See current IP address: myip
Edit a text file: code file
View an image file: feh file
Start web server: httpd start
Start SSH server: sshd start

Analyze Windows Executables

Static Properties: manalyze, peframe, pefile, exiftool, clamscan, pescan, portex, bearcommander, pecheck
Strings and Deobfuscation: pestr, bbcrack, brxor.py, base64dump, xorsearch, flarestrings, floss, cyberchef
Code Emulation: binee, capa, vivbin
Disassemble/Decompile: ghidra, cutter, objdump, r2
Unpacking: bytehist, de4dot, upx

Reverse-Engineer Linux Binaries

Static Properties: trid, exiftool, pyew, readelf.py
Disassemble/Decompile: ghidra, cutter, objdump, r2
Debugging: edb, gdb
Behavior Analysis: ltrace, strace, frida, sysdig, unhide

Investigate Other Forms of Malicious Code

Android: apktool, droidlysis, androgui.py, baksmali, dex2jar
Java: cfr, procyon, jad, jd-gui, idx_parser.py
Python: pyinstxtractor.py, pycdc
JavaScript: js, js-file, objects.js, box-js
Shellcode: shellcode2exe.bat, scdbg, xorsearch
PowerShell: pwsh, base64dump
Flash: swfdump, flare, flasm, swf_mastah.py, xxxswf

Examine Suspicious Documents

Microsoft Office Files: vmonkey, pcodedmp, olevba, xlmdeobfuscator, oledump.py, msoffice-crypt, ssview
RTF Files: rtfobj, rtfdump
Email Messages: emldump, msgconvert
PDF Files: pdfid, pdfparser, pdfextract, pdfdecrypt, peepdf, pdftk, pdfresurrect, qpdf, pdfobjflow
General: base64dump, tesseract, exiftool

Explore Network Interactions

Monitoring: burpsuite, networkminer, polarproxy, mitmproxy, wireshark, tshark, ngrep, tcpxtract
Connecting: thug, nc, tor, wget, curl, irc, ssh, unfurl
Services: fakedns, fakemail, accept-all-ips, nc, httpd, inetsim, fakenet, sshd, myip

Gather and Analyze Data

Network: Automater.py, shodan, ipwhois_cli.py, pdnstool
Hashes: malwoverview.py, nsrllookup, Automater.py, vt, virustotal-search.py
Files: yara, scalpel, bulk_extractor, ioc_writer
Other: dexray, viper, time-decode.py

Other Analysis Tasks

Memory Forensics: vol.py, vol3, linux_mem_diff.py, aeskeyfind, rsakeyfind, bulk_extractor
File Editing: wxHexEditor, scite, code, xpdf, convert
File Extraction: 7z, unzip, unrar, cabextract

Use Docker Containers for Analysis

Thug Honeyclient: remnux/thug
JSDetox JavaScript Analysis: remnux/jsdetox
Rekall Memory Forensics: remnux/recall
RetDec Decompiler: remnux/retdec
Radare2 Reversing Framework: remnux/radare2
Ciphey Automatic Decrypter: remnux/ciphey
Viper Binary Analysis Framework: remnux/viper
REMnux in a Container: remnux/remnux-distro

Interact with Docker Images

List local images: docker images
Update local image: docker pull image
Delete local image: docker rmi imageid
Delete unused resources: docker system prune
Open a shell inside a transient container: docker run --rm -it image bash
Map local TCP port 80 to the container's port 80: docker run --rm -it -p 80:80 image bash
Map your current directory into the container at dir: docker run --rm -it -v "$(pwd)":dir image bash
The host path given to -v must be absolute on older Docker releases, which is what "$(pwd)"" provides. Anything the specimen writes into dir lands on your host, so mount a scratch directory rather than your home directory.
Authored by Lenny Zeltser for REMnux v7. Lenny writes a security blog at zeltser.com and is active on Twitter as @lennyzeltser. Many REMnux tools and techniques are discussed in the
Reverse-Engineering Malware course at SANS Institute, which Lenny co-authored. This cheat sheet is distributed according to the Creative Commons v3 “Attribution” License.
TIPS FOR REVERSE-ENGINEERING MALICIOUS CODE

Cheat sheet for reversing malicious Windows executables via static and dynamic code analysis.

Overview of the Code Analysis Process

1. Examine static properties of the Windows executable for initial assessment and triage.
2. Identify strings and API calls that highlight the program's suspicious or malicious capabilities.
3. Perform automated and manual behavioral analysis to gather additional details.
4. Emulate code execution to identify characteristics and areas for further analysis.
5. Use a disassembler and decompiler to statically examine code related to risky strings and APIs.
6. Use a debugger for dynamic analysis to examine how risky strings and API calls are used.
7. If appropriate, unpack the code and its artifacts.
8. As your understanding of the code increases, add comments and labels; rename functions and variables.
9. Progress to examine the code that references or depends upon the code you've already analyzed.
10. Repeat steps 5-9 above as necessary (the order may vary) until analysis objectives are met.

Common 32-Bit Registers and Uses

EAX: Addition, multiplication, function results
ECX: Counter; used by LOOP and others
EBP: Baseline/frame pointer for referencing function arguments (EBP+offset) and local variables (EBP-offset)
ESP: Points to the current "top" of the stack; changes via PUSH, POP, and others
EIP: Instruction pointer; points to the next instruction; shellcode gets it via call/pop
EFLAGS: Contains flags that store outcomes of computations (e.g., Zero and Carry flags)
FS: Segment register; in 32-bit Windows code FS:[0] points to the SEH chain and FS:[0x30] points to the PEB

Common x86 Assembly Instructions

mov EAX,0xB8: Put the value 0xB8 in EAX.
push EAX: Put EAX contents on the stack.
pop EAX: Remove contents from the top of the stack and put them in EAX.
lea EAX,[EBP-4]: Put the address of variable EBP-4 in EAX.
call EAX: Call the function whose address resides in the EAX register.
add esp,8: Increase ESP by 8 to shrink the stack by two 4-byte arguments.
sub esp,0x54: Shift ESP by 0x54 to make room on the stack for local variable(s).
xor EAX,EAX: Set EAX contents to zero.
test EAX,EAX: Check whether EAX contains zero; set the appropriate EFLAGS bits.
cmp EAX,0xB8: Compare EAX to 0xB8; set the appropriate EFLAGS bits.

Understanding 64-Bit Registers

EAX→RAX, ECX→RCX, EBX→RBX, ESP→RSP, EIP→RIP
Additional 64-bit registers are R8-R15.
RSP is often used to access stack arguments and local variables directly, instead of a frame pointer (EBP in 32-bit code).
The low portions of a 64-bit register have their own names; for R8:
R8 (64 bits) > R8D (low 32 bits) > R8W (low 16 bits) > R8B (low 8 bits)

Passing Parameters to Functions on Windows

arg0: [EBP+8] on 32-bit, RCX on 64-bit
arg1: [EBP+0xC] on 32-bit, RDX on 64-bit
arg2: [EBP+0x10] on 32-bit, R8 on 64-bit
arg3: [EBP+0x14] on 32-bit, R9 on 64-bit

Decoding Conditional Jumps

JA / JG: Jump if above (unsigned) / jump if greater (signed).
JB / JL: Jump if below (unsigned) / jump if less (signed).
JE / JZ: Jump if equal; same as jump if zero.
JNE / JNZ: Jump if not equal; same as jump if not zero.
JGE / JNL: Jump if greater or equal; same as jump if not less.

Some Risky Windows API Calls

Code injection: CreateRemoteThread, OpenProcess, VirtualAllocEx, WriteProcessMemory, EnumProcesses
Dynamic DLL loading: LoadLibrary, GetProcAddress
Memory scraping: CreateToolhelp32Snapshot, OpenProcess, ReadProcessMemory, EnumProcesses
Data stealing: GetClipboardData, GetWindowText
Keylogging: GetAsyncKeyState, SetWindowsHookEx
Embedded resources: FindResource, LockResource
Unpacking/self-injection: VirtualAlloc, VirtualProtect
Query artifacts: CreateMutex, CreateFile, FindWindow, GetModuleHandle, RegOpenKeyEx
Execute a program: WinExec, ShellExecute, CreateProcess
Web interactions: InternetOpen, HttpOpenRequest, HttpSendRequest, InternetReadFile

Additional Code Analysis Tips

Be patient but persistent; focus on small, manageable code areas and expand from there.
Use dynamic code analysis (debugging) for code that's too difficult to understand statically.
Look at jumps and calls to assess how the specimen flows from one "interesting" code block to the next.
If code analysis is taking too long, consider whether behavioral or memory analysis will achieve the goals.
When looking for API calls, know the official API names and the associated native APIs (Nt, Zw, Rtl).
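The flag-setting instructions (cmp, test) and the "Decoding Conditional Jumps" table, as an added example that is not part of the cheat sheet: a Python model of the EFLAGS bits that cmp and test produce and of the condition each jump reads from them. It makes the split the table hints at explicit: JA/JB consult CF (unsigned), JG/JL consult SF and OF (signed), so a length check compiled with the wrong family lets 0xFFFFFFFF through. The 32-bit width and the length-check scenario are the example's own assumptions.

```python
"""Added example, not from the cheat sheet: model EFLAGS after CMP/TEST and
evaluate the conditional jumps against them."""


def flags_after_cmp(a: int, b: int, bits: int = 32) -> dict:
    """Flags produced by `cmp a, b`, i.e. by computing a - b and discarding it."""
    mask = (1 << bits) - 1
    top = bits - 1
    a &= mask
    b &= mask
    res = (a - b) & mask
    sign_a, sign_b, sign_r = a >> top, b >> top, res >> top
    return {
        "ZF": res == 0,
        "CF": a < b,                                   # unsigned borrow
        "SF": sign_r == 1,
        "OF": sign_a != sign_b and sign_r != sign_a,   # signed overflow
    }


def flags_after_test(a: int, b: int, bits: int = 32) -> dict:
    """Flags produced by `test a, b` (bitwise AND, result discarded; CF = OF = 0)."""
    mask = (1 << bits) - 1
    res = a & b & mask
    return {"ZF": res == 0, "CF": False, "SF": bool(res >> (bits - 1)), "OF": False}


# Condition each mnemonic checks, written against the flags above.
JUMPS = {
    "JE":  lambda f: f["ZF"],
    "JNE": lambda f: not f["ZF"],
    "JA":  lambda f: not f["CF"] and not f["ZF"],         # unsigned above
    "JAE": lambda f: not f["CF"],
    "JB":  lambda f: f["CF"],                             # unsigned below
    "JBE": lambda f: f["CF"] or f["ZF"],
    "JG":  lambda f: not f["ZF"] and f["SF"] == f["OF"],  # signed greater
    "JGE": lambda f: f["SF"] == f["OF"],
    "JL":  lambda f: f["SF"] != f["OF"],                  # signed less
    "JLE": lambda f: f["ZF"] or f["SF"] != f["OF"],
}
# Alternate spellings of the same opcodes.
JUMPS.update({"JZ": JUMPS["JE"], "JNZ": JUMPS["JNE"], "JNL": JUMPS["JGE"],
              "JNB": JUMPS["JAE"], "JNA": JUMPS["JBE"], "JNG": JUMPS["JLE"]})


def jump_taken(mnemonic: str, flags: dict) -> bool:
    return JUMPS[mnemonic.upper()](flags)


def length_check_rejects(length: int, limit: int, mnemonic: str) -> bool:
    """Model `cmp eax, limit ; J?? reject`: does the reject branch fire?"""
    return jump_taken(mnemonic, flags_after_cmp(length, limit))


if __name__ == "__main__":
    f = flags_after_cmp(0xFFFFFFFF, 1)
    print("cmp 0xFFFFFFFF, 1 ->", {m: jump_taken(m, f) for m in ("JA", "JB", "JG", "JL")})
    # A signed jump treats 0xFFFFFFFF as -1, so the oversized length is not rejected.
    for m in ("JG", "JA"):
        print("reject via", m, ":", length_check_rejects(0xFFFFFFFF, 0x100, m))
```

When a bounds check in a disassembly guards a copy length, note which family the jump belongs to: a JG/JL guard on a value the attacker controls is the classic signed-comparison bypass, while JA/JB is the guard the compiler emits for unsigned sizes.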
Authored by Lenny Zeltser with feedback from Anuj Soni. Malicious code analysis and related topics are covered in the SANS Institute course FOR610: Reverse-Engineering Malware, which they’ve
co-authored. This cheat sheet, version 1.1, is released under the Creative Commons v3 “Attribution” License. For additional reversing, security and IT tips, visit zeltser.com/cheat-sheets.
TIPS FOR CREATING A STRONG CYBERSECURITY ASSESSMENT REPORT

This cheat sheet offers advice for creating a strong report as part of your penetration test, vulnerability assessment, or information security audit.

General Approach to Creating the Report

1. Analyze the data collected during the assessment to identify relevant issues.
2. Prioritize your risks and observations; formulate remediation steps.
3. Document the assessment methodology and scope.
4. Describe your prioritized findings and recommendations.
5. Attach the relevant figures and data to support the main body of your report.
6. Create the executive summary to highlight the key findings and recommendations.
7. Proofread and edit the document.
8. Consider submitting the report draft to weed out false positives and confirm expectations.
9. Submit the final report to the intended recipient using the agreed-upon secure transfer mechanism.
10. Discuss the report's contents with the recipient on the phone, by teleconference, or in person.

Analysis of the Security Assessment Data

Share your insights beyond regurgitating the data already in existence.
Consider what information provided to you is incomplete or might be a lie or half-truth.
Look for patterns by grouping your initial findings by the affected resources, risk, issue category, etc.
Identify trends that highlight the existence of underlying problems that affect security.
If examining scanner output, consider exploring the data using spreadsheets and pivot tables.
Fill in the gaps in your understanding with follow-up scans, documentation requests, and interviews.
Involve colleagues in your analysis to obtain other people's perspectives on the data and conclusions.

Assessment Methodology Documentation

Document the methodology used to perform the assessment, analyze data, and prioritize findings.
Demonstrate a systematic and well-reasoned assessment and analysis approach.
Clarify the type of assessment you performed: penetration test, vulnerability assessment, etc.
If applicable, explain what tools you used and how they were configured.
If applicable, describe what approach guided the questions you asked during interviews.
Describe the criteria you used to assign severity or criticality levels to the findings of the assessment.
Refer to the relevant frameworks you used to structure the efforts (PCI DSS, ISO 27001, etc.).

Scope of the Security Assessment

Specify what systems, networks and/or applications were reviewed as part of the security assessment.
State what documentation you reviewed, if any.
List the people whom you interviewed, if any.
Clarify the primary goals of the assessment.
Discuss what contractual obligations or regulatory requirements were accounted for in the assessment.
Document any items that were specifically excluded from the assessment's scope and explain why.

Documenting Conclusions

Include both negative and positive findings.
Account for the organization's industry, business model, and compliance requirements.
Stay consistent with the methodology and scope.
Prioritize the findings related to security risks and remediation steps.
Provide a practical remediation path, accounting for the organization's strengths and weaknesses.

Qualities of a Good Assessment Report

Open with a strong executive summary that a non-technical reader can understand.
Provide meaningful analysis, instead of merely presenting the output of the assessment tools.
Include the figures to support your analysis, placing non-critical information in the appendix.
Craft a professional, easy-to-follow look.
Offer remediation guidance beyond merely pointing out security problems.
Find and fix your typos. Ask for help, if you can.
Structure the report in logical sections to accommodate the different types of readers.

Additional Assessment Report Tips

Create templates based on prior reports, so you don't have to write every document from scratch.
Safeguard (encrypt) the report when storing and sending it, since its contents are probably sensitive.
Use concrete statements; avoid passive voice.
Explain the significance of your findings in the context of current threats and recent events.
Put effort into making the report as brief as possible without omitting important and relevant contents.

More Security Assessment Tips

Qualities of a Good Information Security Report
Tips for a Strong Executive Summary of a Security Assessment Report
Security Assessment Report as Critique, Not Criticism
Why Your Security Assessment Recommendations Get Ignored

Training to Improve Your Writing

Lenny Zeltser, the author of this cheat sheet, created a writing course for cybersecurity professionals, which you can take from SANS Institute.
Authored by Lenny Zeltser, who has written his share of security assessment and other reports. Thanks for the feedback on this cheat sheet to Dave Shackleford and John Strand. It’s distributed
according to the Creative Commons v3 “Attribution” License. You’re looking at version 1.1 of this document. For more security cheat sheets see zeltser.com/cheat-sheets.
HOW TO SUCK AT INFORMATION SECURITY
This cheat sheet presents common information security mistakes, so you can avoid making them.

Security Policy and Compliance
Ignore regulatory compliance requirements.
Assume the users will read the security policy because you’ve asked them to.
Use security templates without customizing them.
Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
Create security policies you cannot enforce.
Enforce policies that are not properly approved.
Blindly follow compliance requirements without creating an overall security architecture.
Create a security policy just to mark a checkbox.
Pay someone to write your security policy without any knowledge of your business or processes.
Translate policies in a multi-language environment without consistent meaning across the languages.
Make sure none of the employees finds the policies.
Assume that if the policies worked for you last year, they’ll be valid for the next year.
Assume that being compliant means you’re secure.
Assume that policies don’t apply to executives.
Hide from the auditors.

Security Tools
Deploy a security product out of the box without tuning it.
Tune the security event management tool to be too noisy, or too quiet.
Buy security products without considering the maintenance and implementation costs.
Rely on anti-virus and firewall products without having additional controls.
Run regular vulnerability scans, but don’t follow through on the results.
Let your anti-malware, log management, and other security tools run on “auto-pilot.”
Employ multiple security technologies without understanding how each of them contributes.
Focus on widgets, while omitting to consider the importance of maintaining accountability.
Buy an expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management
Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
Make someone responsible for managing risk, but don’t give the person any power to make decisions.
Ignore the big picture while focusing on quantitative risk analysis.
Assume you don’t have to worry about security, because your company is too small or insignificant.
Assume you’re secure because you haven’t been compromised recently.
Be paranoid without considering the value of the asset or its exposure factor.
Classify all data assets as “top secret.”

Security Practices
Don’t review system, application, and security logs.
Expect users to forgo convenience in place of security.
Lock down the infrastructure so tightly that getting work done becomes very difficult.
Say “no” whenever asked to approve a request.
Impose security requirements without providing the necessary tools and training.
Focus on preventative mechanisms while ignoring detective controls.
Have no DMZ for Internet-accessible servers.
Assume your patch management process is working, without checking on it.
Delete logs because they get too big to read.
Expect SSL to address all security problems with your web application.
Ban the use of external USB drives while not restricting outbound access to the Internet.
Act superior to your counterparts on the network, system admin, and development teams.
Stop learning about technologies and attacks.
Adopt hot new IT or security technologies before they have had a chance to mature.
Hire somebody just because he or she has a lot of certifications.
Don’t apprise your manager of the security problems your efforts have avoided.
Don’t cross-train the IT and security staff.

Password Management
Require your users to change passwords too frequently.
Expect your users to remember passwords without writing them down.
Impose overly onerous password selection requirements.
Use the same password on systems that differ in risk exposure or data criticality.
Impose password requirements without considering the ease with which a password could be reset.

More Security Mistakes
The 10 Dumbest Things People Do... http://www.sans.org/newsletters/ouch...
10 common security mistakes... http://www.techrepublic.com/blog/10-things...
Mistakes ... that Lead to Security Breaches https://www.sans.org/security-resources/mistakes...
Authored by Lenny Zeltser, with contributions from SANS Internet Storm Center handlers. Lenny aims to help enterprise and home users avoid making information security mistakes and
publishes advice at zeltser.com/blog. Creative Commons v3 “Attribution” License for this cheat sheet version 1.4. For more cheat sheets, see zeltser.com/cheat-sheets.