I published the following diary on isc.sans.edu: “Old H-Worm Delivered Through GitHub”: Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Event sites from the Alexa Top-1M may deliver
Category: Security
[SANS ISC] Suspicious PDF Connecting to a Remote SMB Share
I published the following diary on isc.sans.edu: “Suspicious PDF Connecting to a Remote SMB Share”: Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer’s anti-malware solution and placed in the quarantine. Later, the recipient contacted the team in charge of emails to access his document because
[SANS ISC] Phishing Kit with JavaScript Keylogger
I published the following diary on isc.sans.edu: “Phishing Kit with JavaScript Keylogger”: Here is an interesting sample! It’s a phishing page which entice the user to connect to his/her account to retrieve a potentially interesting document. As you can see, it’s a classic one… [Read more]
[SANS ISC] Tracking Unexpected DNS Changes
I published the following diary on isc.sans.edu: “Tracking Unexpected DNS Changes”: DNS is a key element of the Internet and, regularly, we read new bad stories. One of the last one was the Department of Homeland Security warning about recent DNS hijacking attacks. Indeed, when you want to visit the website ‘isc.sans.org’, you
[SANS ISC] DNS Firewalling with MISP
I published the following diary on isc.sans.edu: “DNS Firewalling with MISP”: If IOC’s are very useful to “detect†suspicious activities, why not use also them to “prevent†them to occur? DNS firewalling can be an efficient way to prevent your users to visit malicious online resources. The principle of DNS firewalling
[SANS ISC] Malicious Script Leaking Data via FTP
I published the following diary on isc.sans.edu: “Malicious Script Leaking Data via FTP”: The last day of 2018, I found an interesting Windows cmd script which was uploaded from India (SHA256: dff5fe50aae9268ae43b76729e7bb966ff4ab2be1bd940515cbfc0f0ac6b65ef) with a very low VT score. The script is not obfuscated and contains a long list of commands based on
[SANS ISC] Using OSSEC Active-Response as a DFIR Framework
I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because there are more difficult to control (example: laptops are travelling, used at home, etc).They can also be located in different locations even countries for
“Hunting with OSSEC†at BruCON Spring Training
My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour. OSSEC is sometimes described as
[SANS ISC] Restricting PowerShell Capabilities with NetSh
I published the following diary on isc.sans.edu: “Restricting PowerShell Capabilities with NetSh“: The Christmas break is coming for most of us, let’s take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce risks to be
[SANS ISC] Phishing Attack Through Non-Delivery Notification
I published the following diary on isc.sans.edu: “Phishing Attack Through Non-Delivery Notification”: Here is a nice example of phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and attackers are always searching for new tactics to entice the potential victim to