Skip to main content

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

New tool

I read an article on Fireeye's website the other day where they used Machine Learning to eliminate a lot of the noise that comes out of tools like strings.  It's pretty interesting and looks like it would save me some time when looking through malware.

I wondered how effective scores would be in helping to eliminate the noise.  45 minutes and 29 lines of Python code later I have something that looks like it works.  Check out

Before here is the output of strings on a piece of malware:

student@573:~/freq$ strings -n 6 malware.exe | head -n 20
!This program cannot be run in DOS mode.
|$ H;_
|$ AVH

After the useful stings quickly bubble to the top.  Its not perfect but the frequency tables are not tuned for EXE's.  Some binary based frequency tables will yield better results.

student@573:~/freq$ strings -n 6 malware.exe |python3 | head -n 20
Failed to convert Wflag %s using mbstowcs (invalid multibyte string)
Failed to convert pypath to ANSI (invalid multibyte string)
Failed to convert pyhome to ANSI (invalid multibyte string)
WARNING: file already exists but should not: %s
opyi-windows-manifest-filename freq_server.exe.manifest
Failed to get address for PyMarshal_ReadObjectFromString
INTERNAL ERROR: cannot create temporary directory!
Failed to get address for Py_FileSystemDefaultEncoding
Failed to convert executable path to UTF-8.
Failed to get address for Py_NoUserSiteDirectory
Cannot allocate memory for ARCHIVE_STATUS
Failed to get address for PyString_FromString
Failed to get address for PyString_FromFormat
Failed to get address for Py_IgnoreEnvironmentFlag
Failed to get address for PyUnicode_FromString
Failed to get address for PyObject_SetAttrString
Failed to convert progname to wchar_t
Failed to get address for PyUnicode_FromFormat
Failed to convert %s to ShortFileName

Give it a try and tell me what you think.  If you find it useful or would like some features added send me a note.


Popular posts from this blog

SRUM-DUMP and SRUM_DUMP_CSV Ported to Python 3

SRUM_DUMP and SRUM_DUMP_CSV have been ported to Python3 and are available for download from the PYTHON3 branch of my github page.

In moving to Python3 I also updated the modules that I depend upon to parse and create XLSX files and access the ESE database that contains the SRUM data.  I hope that this will fix the issue that some users have experienced with SRUDB.dat files that create very large spreadsheets.  If it does not please let me know and continue to use SRUM_DUMP_CSV.EXE to avoid the XLSX problem.

In moving to Python3 you will find the process to be faster.

If you would like to run the tools from source instructions for doing so are in the README on the github page.

Awesome Keyboard Tricks - Clevo/Sager Backlight control from Powershell

I'm back on Windows.   After 8 years on a Macintosh I just couldn't go another day with ONLY 16GB of RAM.   I priced it out and for the cost of a top of the line MacBook I could get a tricked out PC with 32GB of ram and 2.5 TB or hard drive space (1.5 of it being SSD).   So I made the switch.  To get a top performing laptop I ended up buying a gaming machine from   The model is Sager NP9752 (Clevo P750ZM).    I have to say I like it quite a bit.    One of the features I was curious about was the "Programmable backlit keyboard".   With it you can set your keyboard backlight to various colors and light movement patterns.    Now, when I hear "programmable" I think APIs.   I was a little disappointed to find out there weren't any documented APIs that I could use to control the keyboard.    Your only choice is to use their built in tool to configure the lights on the keyboard.   That stinks.  I want to be able to change key colors automatically …

Use Python and Scapy to Easily Do Full Duplex Stream Reassembly!

Check out this blog on how to get scapy to do full packet reassembly in just a few lines of Python code.


While sitting in SANS SEC511 I listened to @sethmisenar lament the difficulty in using existing tools to detect DGA (Dynamically Generation Algorithm) hostnames used by malware. There are lots of AI based tools out there that do this but some are rather complex. I thought I could quickly write a tool that would work. In about 30 minutes I threw together some old code I had lying around from a SQL Inction tool I worked on and I had a working proof of concept. was born and it worked pretty well. A year later @securitymapper had me wrap it in a web interface so he could query it from a SIM and then the tool took off. It turns out to be a pretty effective technique and gained some popularity and wide use! This is a rewrite of the tool that incorporates some lessons learned and performance enhancments.
Improvements: -Only one table is required for case sensitve or insensitive lookups. The tables are all case sensitive. You can turn off and on case sensitivity and the .probability l…