I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because they are more difficult to control (example: laptops are travelling, used at home, etc). They can also be located in different locations even countries for
Category: SANS Internet Storm Center
[SANS ISC] Restricting PowerShell Capabilities with NetSh
I published the following diary on isc.sans.edu: “Restricting PowerShell Capabilities with NetSh”: The Christmas break is coming for most of us, let’s take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce risks to be
[SANS ISC] Phishing Attack Through Non-Delivery Notification
I published the following diary on isc.sans.edu: “Phishing Attack Through Non-Delivery Notification”: Here is a nice example of a phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and attackers are always searching for new tactics to entice the potential victim to
[SANS ISC] More obfuscated shell scripts: Fake MacOS Flash update
I published the following diary on isc.sans.edu: “More obfuscated shell scripts: Fake MacOS Flash update”: Yesterday, I wrote a diary about a nice obfuscated shell script. Today, I found another example of a malicious shell script embedded in an Apple .dmg file (an Apple Disk Image). The file was delivered through
[SANS ISC] Obfuscated bash script targeting QNap boxes
I published the following diary on isc.sans.edu: “Obfuscated bash script targeting QNap boxes”: One of our readers, Nathaniel Vos, shared an interesting shell script with us and thanks to him! He found it on an embedded Linux device, more precisely, a QNap NAS running QTS 4.3. After some quick investigations,
[SANS ISC] Divided Payload in Multiple Pasties
I published the following diary on isc.sans.edu: “Divided Payload in Multiple Pasties”: In politics, there is a strategy which says “divide and conquer”. It’s also true for some pieces of malware that spread their malicious code amongst multiple sources. One of our readers shared a sample of PowerShell code found
[SANS ISC] Querying DShield from Cortex
I published the following diary on isc.sans.edu: “Querying DShield from Cortex”: Cortex is a tool that is part of the TheHive project. As stated on the website, it is a “Powerful Observable Analysis Engine”. Cortex can analyze observables like IP addresses, emails, hashes, filenames against a huge (and growing) list of online services.
[SANS ISC] The Challenge of Managing Your Digital Library
I published the following diary on isc.sans.edu: “The Challenge of Managing Your Digital Library”: How do you manage your digital library on a daily basis? If, like me, you are receiving a lot of emails, notifications, tweets, [name your best technology here], there are chances that you’re flooded by tons
[SANS ISC] Quickly Investigating Websites with Lookyloo
I published the following diary on isc.sans.edu: “Quickly Investigating Websites with Lookyloo”: While we are enjoying our weekend, it’s always a good time to learn about new pieces of software that could be added to your toolbox. Security analysts often have to quickly investigate a website for malicious content and
[SANS ISC] Basic Obfuscation With Permissive Languages
I published the following diary on isc.sans.edu: “Basic Obfuscation With Permissive Languages”: For attackers, obfuscation is key to keeping their malicious code below the radar. Code is obfuscated for two main reasons: to defeat automatic detection by AV solutions or tools like YARA (which still rely mainly on signatures) and to make the code