I published the following diary on isc.sans.edu: “Abusing Web Filters Misconfiguration for Reconnaissance“: Yesterday, an interesting incident was detected while working at a customer SOC. They use a “next-generation†firewall that implements a web filter based on categories. This is common in many organizations today: Users’ web traffic is allowed/denied based on an
My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour. OSSEC is sometimes described as
I published the following diary on isc.sans.edu: “Querying DShield from Cortex”: Cortex is a tool part of the TheHive project. As stated on the website, it is a “Powerful Observable Analysis Engine”. Cortex can analyze observables like IP addresses, emails, hashes, filenames against a huge (and growing) list of online services.
I published the following diary on isc.sans.edu: “Dissecting Malicious Office Documents with Linux”: A few months ago, Rob wrote a nice diary to explain how to dissect a (malicious) Office document (.docx). The approach was to use the OpenXML SDK with Powershell. This is nice but how to achieve the
I published the following diary on isc.sans.edu: “‘OG’ Tools Remain Valuable“: For vendors, the cybersecurity landscape is a nice place to make a very lucrative business. New solutions and tools are released every day and promise you to easily detect malicious activities on your networks. And it’s a recurring story.
I’m proud to have been selected to give a training at DeepSec (Vienna, Austria) in November: “Hunting with OSSEC“. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.
I published the following diary on isc.sans.org: “Searching for Geographically Improbable Login Attempts“: For the human brain, an IP address is not the best IOC because, like phone numbers, we are bad to remember them. That’s why DNS was created. But, in many log management applications, there are features to
I published the following diary on isc.sans.org: “Converting PCAP Web Traffic to Apache Log“: PCAP data can be really useful when you must investigate an incident but when the amount of PCAP files to analyse is counted in gigabytes, it may quickly become tricky to handle. Often, the first protocol
I published the following diary on isc.sans.org: “Extending Hunting Capabilities in Your Network“: Today’s diary is an extension to the one I posted yesterday about hunting for malicious files crossing your network. Searching for new IOCs is nice but there are risks of missing important pieces of information! Indeed, the first
I published the following diary on isc.sans.org: “Automatic Hunting for Malicious Files Crossing your Network“: If classic security controls remain mandatory (antivirus, IDS, etc), it is always useful to increase your capacity to detect suspicious activities occurring in your networks. Here is a quick recipe that I’m using to detect
