I published the following diary on isc.sans.edu: “Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript“: I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script
I published the following diary on isc.sans.edu: “Why Phishing Remains So Popular?“: Probably, some phishing emails get delivered into your mailbox every day and you ask yourself: “Why do they continue to spam us with so many emails? We are aware of phishing and it will not affect my organization!”
I published the following diary on isc.sans.edu: “Complex Obfuscation VS Simple Trick“: Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection. The Emotet malware family does not need to be presented. Very active for years, new waves of
I published the following diary on isc.sans.edu: “Code & Data Reuse in the Malware Ecosystem“: In the past, I already had the opportunity to give some “security awareness” sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it’s tempting to
I published the following diary on isc.sans.edu: “My Little DoH Setup“: “DoH”, this 3-letters acronym is a buzzword on the Internet in 2019! It has been implemented in Firefox, Microsoft announced that Windows will support it soon. They are pro & con about encrypting DNS requests in  HTTPS but it’s not the
I published the following diary on isc.sans.edu: “Abusing Web Filters Misconfiguration for Reconnaissance“: Yesterday, an interesting incident was detected while working at a customer SOC. They use a “next-generation†firewall that implements a web filter based on categories. This is common in many organizations today: Users’ web traffic is allowed/denied based on an
I published the following diary on isc.sans.edu: “Microsoft Apps Diverted from Their Main Use“: This week, the CERT.eu organized its yearly conference in Brussels. Across many interesting presentations, one of them covered what they called the “cat’n’mouse” game that Blue and Red teams are playing continuously. When the Blue team has
I published the following diary on isc.sans.edu: “Generating PCAP Files from YAML“: BEC or “Business Email Compromize” is a trending thread for a while. The idea is simple: a corporate mailbox (usually from a C-level member) is compromized to send legitimate emails to other employees or partners. That’s the very first
I published the following diary on isc.sans.edu: “Generating PCAP Files from YAML“: The PCAP file format is everywhere. Many applications generate PCAP files based on information collected on the network. Then, they can be used as evidence, as another data source for investigations and much more. There exist plenty of
I published the following diary on isc.sans.edu: “Quick Malicious VBS Analysis“: Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This technique is more and more common to deliver the first stage via
