I published the following diary on isc.sans.edu: “Running your Own Passive DNS Service“: Passive DNS is not new but remains a very interesting component to have in your hunting arsenal. As defined by CIRCL, a passive DNS is “a database storing historical DNS records from various resources. The historical data
Category: SANS Internet Storm Center
[SANS ISC] New Wave of Extortion Emails: Central Intelligence Agency Case
I published the following diary on isc.sans.edu: “New Wave of Extortion Emails: Central Intelligence Agency Case“: The extortion attempts have moved to another step recently. After the “sextortion” emails that have been propagating for a while, attackers started to flood people with a new type of fake emails and their imagination is endless… I
[SANS ISC] Keep an Eye on Disposable Email Addresses
I published the following diary on isc.sans.edu: “Keep an Eye on Disposable Email Addresses“: In many organisations, emails still remain a classic infection path today. The good old email is still today a common communication channel to exchange information with people outside of the security perimeter. Many security controls are
[SANS ISC] Simple Powershell Keyloggers are Back
I published the following diary on isc.sans.edu: “Simple Powershell Keyloggers are Back”: Powershell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad! While hunting, I found a bunch of malicious Powershell scripts that
[SANS ISC] Old H-Worm Delivered Through GitHub
I published the following diary on isc.sans.edu: “Old H-Worm Delivered Through GitHub”: Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Even sites from the Alexa Top-1M may deliver
[SANS ISC] Suspicious PDF Connecting to a Remote SMB Share
I published the following diary on isc.sans.edu: “Suspicious PDF Connecting to a Remote SMB Share”: Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer’s anti-malware solution and placed in the quarantine. Later, the recipient contacted the team in charge of emails to access his document because
[SANS ISC] Phishing Kit with JavaScript Keylogger
I published the following diary on isc.sans.edu: “Phishing Kit with JavaScript Keylogger”: Here is an interesting sample! It’s a phishing page which entices the user to connect to his/her account to retrieve a potentially interesting document. As you can see, it’s a classic one…
[SANS ISC] Tracking Unexpected DNS Changes
I published the following diary on isc.sans.edu: “Tracking Unexpected DNS Changes”: DNS is a key element of the Internet and, regularly, we read new bad stories. One of the last ones was the Department of Homeland Security warning about recent DNS hijacking attacks. Indeed, when you want to visit the website ‘isc.sans.org’, you
[SANS ISC] DNS Firewalling with MISP
I published the following diary on isc.sans.edu: “DNS Firewalling with MISP”: If IOC’s are very useful to “detect” suspicious activities, why not also use them to “prevent” them from occurring? DNS firewalling can be an efficient way to prevent your users from visiting malicious online resources. The principle of DNS firewalling
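As an added illustration of the DNS firewalling idea (this is example code written for this page, not code from the diary or from MISP), the snippet below turns a list of malicious domains into a BIND Response Policy Zone (RPZ). It assumes the domains have already been exported from a MISP instance as plain text (a constructed sample stands in for that export), and the zone name `rpz.local.` and the `localhost.` SOA/NS values are placeholders you would replace with your own. Invalid entries are skipped, duplicates and trailing dots are normalised, and every domain gets a wildcard record so subdomains are caught too.

```python
"""Build a BIND Response Policy Zone (RPZ) from domain indicators.

Added example, not the diary's or MISP's own code. Input is a list of domain
IOCs as MISP can export them; output is an RPZ zone file a resolver loads to
rewrite answers for those names (default policy: NXDOMAIN).
"""
import re
from typing import Iterable, List, Optional

# Constructed sample standing in for a MISP export of domain attributes.
SAMPLE_IOCS = [
    "bad-update.example",
    "Login-Verify.Example.",   # mixed case and trailing dot: normalised
    "bad-update.example",      # duplicate: dropped
    "not a domain!",           # not a valid hostname: skipped
    "",                        # empty line: skipped
]

# RPZ policy actions are encoded as special CNAME targets.
POLICY_TARGETS = {
    "nxdomain": ".",              # answer NXDOMAIN
    "nodata": "*.",               # answer NODATA (empty answer)
    "passthru": "rpz-passthru.",  # whitelist: let the real answer through
    "drop": "rpz-drop.",          # silently drop the query
}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def normalise_domain(raw: str) -> Optional[str]:
    """Lower-case, strip the trailing dot and validate; None if unusable."""
    name = raw.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return name


def dedupe_domains(iocs: Iterable[str]) -> List[str]:
    """Normalise every IOC, drop invalid ones and duplicates, keep input order."""
    seen = set()
    out: List[str] = []
    for raw in iocs:
        domain = normalise_domain(raw)
        if domain and domain not in seen:
            seen.add(domain)
            out.append(domain)
    return out


def rpz_records(domains: Iterable[str], policy: str = "nxdomain") -> List[str]:
    """Emit the RPZ trigger records for each domain and its subdomains."""
    target = POLICY_TARGETS[policy]
    lines: List[str] = []
    for domain in domains:
        lines.append(f"{domain} CNAME {target}")
        lines.append(f"*.{domain} CNAME {target}")  # also match subdomains
    return lines


def build_rpz_zone(iocs: Iterable[str], serial: int,
                   origin: str = "rpz.local.", policy: str = "nxdomain") -> str:
    """Return a complete zone file: SOA/NS header plus one record pair per IOC."""
    header = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        # Placeholder SOA/NS values (assumption); bump the serial on every export.
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(dedupe_domains(iocs), policy)) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_IOCS, serial=2019010901), end="")
```

The generated file is loaded like any other authoritative zone and then referenced from the resolver's `options { response-policy { zone "rpz.local"; }; };` block in BIND; a short `$TTL` keeps cached rewrites from outliving an indicator that is later removed from MISP, and the `passthru` policy gives you a way to whitelist a domain that a feed wrongly flags.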
[SANS ISC] Malicious Script Leaking Data via FTP
I published the following diary on isc.sans.edu: “Malicious Script Leaking Data via FTP”: On the last day of 2018, I found an interesting Windows cmd script which was uploaded from India (SHA256: dff5fe50aae9268ae43b76729e7bb966ff4ab2be1bd940515cbfc0f0ac6b65ef) with a very low VT score. The script is not obfuscated and contains a long list of commands based on