I published the following diary on isc.sans.edu: “Simple Mimikatz & RDPWrapper Dropper“: Let’s review a malware sample that I spotted a few days ago. I found it interesting because it’s not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started
Category: SANS Internet Storm Center
[SANS ISC] May People Be Considered as IOC?
I published the following diary on isc.sans.edu: “May People Be Considered as IOC?“: That’s a tricky question! May we manage a list of people like regular IOCs? An IOC (Indicator of Compromise) is a piece of information, usually technical, that helps to detect malicious (or at least suspicious) activities. Classic types
[SANS ISC] Interesting JavaScript Obfuscation Example
I published the following diary on isc.sans.edu: “Interesting JavaScript Obfuscation Example“: Last Friday, one of our readers (thanks Mickael!) reported to us a phishing campaign based on a simple HTML page. He asked us how to properly extract the malicious code within the page. I did an analysis of the
[SANS ISC] Behavioural Malware Analysis with Microsoft ASA
I published the following diary on isc.sans.edu: “Behavioural Malware Analysis with Microsoft ASA“: When you need to quickly analyze a piece of malware (or just a suspicious program), your goal is to determine as quickly as possible what the impact is. In many cases, we don’t have time to dive very
[SANS ISC] The Risk of Authenticated Vulnerability Scans
I published the following diary on isc.sans.edu: “The Risk of Authenticated Vulnerability Scans“: NTLM relay attacks have been a well-known opportunity to perform attacks against Microsoft Windows environments for a while and they usually remain successful. The magic with NTLM relay attacks? You don’t need to lose time to crack
[SANS ISC] From Phishing To Ransomware?
I published the following diary on isc.sans.edu: “From Phishing To Ransomware?“: On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, those emails are simply part of classic phishing waves and try to steal credentials from victims but, this time, it was not a
[SANS ISC] DSSuite – A Docker Container with Didier’s Tools
I published the following diary on isc.sans.edu: “DSSuite – A Docker Container with Didier’s Tools“: If you follow us and read our daily diaries, you probably already know some famous tools developed by Didier (like oledump.py, translate.py and many more). Didier is using them all the time to analyze malicious
[SANS] Another Day, Another Suspicious UDF File
I published the following diary on isc.sans.edu: “Another Day, Another Suspicious UDF File“: In my last diary, I explained that I found a malicious UDF image used to deliver a piece of malware. After this, I created a YARA rule on VT to try to spot more UDF files in
[SANS ISC] Malware Sample Delivered Through UDF Image
I published the following diary on isc.sans.edu: “Malware Sample Delivered Through UDF Image“: I found an interesting phishing email which was delivered with a malicious attachment: a UDF image (.img). UDF means “Universal Disk Format” and, as said by Wikipedia, is an open vendor-neutral file system for computer data storage. It
[SANS ISC] New Waves of Scans Detected by an Old Rule
I published the following diary on isc.sans.edu: “New Waves of Scans Detected by an Old Rule“: Who remembers the famous ShellShock (CVE-2014-6271)? This bug affected the bash shell in 2014 and was critical due to the fact that it was easy to exploit and that bash is a widespread shell