Today, I published the following diary on isc.sans.edu: “macOS: Who’s Behind This Network Connection?“: When you must investigate suspicious behavior or work on an actual incident, you could be asked to determine who’s behind a network connection. From a pure network point of view, your firewall or any network security
Today, I published the following diary on isc.sans.edu: “Python Malware Using Postgresql for C2 Communications“: For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common
Today, I published the following diary on isc.sans.edu: “More Exotic Excel Files Dropping AgentTesla”: Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xls, xlsm file extensions, Excel supports many others!
Today, I published the following diary on isc.sans.edu: “Have You Ever Heard of the Fernet Encryption Algorithm?“: In cryptography, there is a gold rule that states to not develop your own algorithm because… it will be probably weak and broken! They are strong algorithms (like AES) that do a great job
Today, I published the following diary on isc.sans.edu: “Quick Malware Triage With Inotify Tools“: When you handle a lot of malicious files, you must have a process and tools in place to speedup the analysis. It’s impossible to investigate all files and a key point is to find interesting files
Today, I published the following diary on isc.sans.edu: “From a Zalando Phishing to a RAT“: Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German
Today, I published the following diary on isc.sans.edu: “Show me All Your Windows!“: It’s a key point for attackers to implement anti-debugging and anti-analysis techniques. Anti-debugging means the malware will try to detect if it’s being debugged (executed in a debugger or its execution is slower than expected). Anti-analysis refers
Today, I published the following diary on isc.sans.edu: “Are Leaked Credentials Dumps Used by Attackers?“: Leaked credentials are a common thread for a while. Popular services like “Have I Been Pwned” help everyone know if some emails and passwords have been leaked. This is a classic problem: One day, you create an account
Today, I published the following diary on isc.sans.edu: “Do Attackers Pay More Attention to IPv6?“: IPv6 has always been a hot topic! Available for years, many ISP’s deployed IPv6 up to their residential customers. In Belgium, we were for a long time, the top-one country with IPv6 deployment because all
Today, I published the following diary on isc.sans.edu: “ShellCode Hidden with Steganography“: When hunting, I’m often surprised by the interesting pieces of code that you may discover… Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs.
