I published the following diary on isc.sans.org: “Searching for Geographically Improbable Login Attempts“: For the human brain, an IP address is not the best IOC because, like phone numbers, we are bad at remembering them. That’s why DNS was created. But, in many log management applications, there are features to
Category: SANS Internet Storm Center
[SANS ISC] Cryptominer Delivered Though Compromized JavaScript File
I published the following diary on isc.sans.org: “Cryptominer Delivered Though Compromized JavaScript File“: Yesterday I found an interesting compromised JavaScript file that contains extra code to perform crypto mining activities. It started with a customer’s IDS alerts on the following URL: hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js This website is not referenced as malicious and the
[SANS ISC] Are Your Hunting Rules Still Working?
I published the following diary on isc.sans.org: “Are Your Hunting Rules Still Working?“: You are working in an organization which implemented good security practices: log events are collected then indexed by a nice powerful tool. The next step is usually to enrich this (huge) amount of data with external sources. You
[SANS ISC] PowerShell: ScriptBlock Logging… Or Not?
I published the following diary on isc.sans.org: “PowerShell: ScriptBlock Logging… Or Not?“: Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256: eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559). The document is a classic one. Nothing fancy, it executes the macro and spawns a first PowerShell command… [Read more]
[SANS ISC] Malicious JavaScript Targeting Mobile Browsers
I published the following diary on isc.sans.org: “Malicious JavaScript Targeting Mobile Browsers“: A reader reported a suspicious piece of JavaScript code that was found on a website. In the meantime, the compromised website has been cleaned but it was running WordPress (again, I would say![1]). The code was obfuscated,
[SANS ISC] A Bunch of Compromized WordPress Sites
I published the following diary on isc.sans.org: “A Bunch of Compromized WordPress Sites“: A few days ago, one of our readers reported an incident affecting his website based on WordPress. He performed quick checks by himself and found some pieces of evidence: The main index.php file was modified and some
[SANS ISC] Converting PCAP Web Traffic to Apache Log
I published the following diary on isc.sans.org: “Converting PCAP Web Traffic to Apache Log“: PCAP data can be really useful when you must investigate an incident but when the amount of PCAP files to analyse is counted in gigabytes, it may quickly become tricky to handle. Often, the first protocol
[SANS ISC] Malicious Post-Exploitation Batch File
I published the following diary on isc.sans.org: “Malicious Post-Exploitation Batch File“: Here is another interesting file that I found while hunting. It is a malicious Windows batch file (.bat) which helps to exploit a freshly compromised system (or… to be used by a rogue user). I don’t have a lot of
[SANS ISC] Antivirus Evasion? Easy as 1,2,3
I published the following diary on isc.sans.org: “Antivirus Evasion? Easy as 1,2,3“: For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products.
[SANS ISC] “Blocked” Does Not Mean “Forget It”
I published the following diary on isc.sans.org: “Blocked Does Not Mean Forget It“: Today, organisations are facing regular waves of attacks which are targeted… or not. We deploy tons of security controls to block them as soon as possible before they successfully reach their targets. Due to the amount of