When you have a look at the schedule of infosec conferences, the number of events is already very high. There is one at least every week around the world. So, when a new one is born and is nice, it must be mentioned. “Pass-The-Salt” (SALT means “Security And Libre Talks“)
Category: Security
[SANS ISC] Are Your Hunting Rules Still Working?
I published the following diary on isc.sans.org: “Are Your Hunting Rules Still Working?“: You are working in an organization which implemented good security practices: log events are collected then indexed by a nice powerful tool. The next step is usually to enrich this (huge) amount of data with external sources. You
[SANS ISC] PowerShell: ScriptBlock Logging… Or Not?
I published the following diary on isc.sans.org: “PowerShell: ScriptBlock Logging… Or Not?“: Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256:Â eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559). The document is a classic one. Nothing fancy, spit executes the macro and spawns a first PowerShell command… [Read more]
[SANS ISC] Malicious JavaScript Targeting Mobile Browsers
I published the following diary on isc.sans.org: “Malicious JavaScript Targeting Mobile Browsers“: A reader reported a suspicious piece of a Javascript code that was found on a website. In the meantime, the compromized website has been cleaned but it was running WordPress (again, I would say![1]). The code was obfuscated,
SSTIC 2018 Wrap-Up Day #3
And here we go with the wrap-up of the 3rd day of the SSTIC 2018 “Immodium” edition. Indeed, yesterday, a lot of people suffered from digestive problems (~40% of the 800 attendees were affected!). This will for sure remains a key story for this edition. Anyway, it was a good
SSTIC 2018 Wrap-Up Day #2
The second day started with a topic this had a lot of interest for me: Docker containers or “Audit de sécurité d’un environnement Docker†by Julien Raeis and Matthieu Buffet. Docker is everywhere today and, like new technologies, is not always mature when deployed, sometimes in a corner by developers.
[SANS ISC] A Bunch of Compromized WordPress Sites
I published the following diary on isc.sans.org: “A Bunch of Compromized WordPress Sites“: A few days ago, one of our readers contacted reported an incident affecting his website based on WordPress. He performed quick checks by himself and found some pieces of evidence: The main index.php file was modified and some
SSTIC 2018 Wrap-Up Day #1
Hello Readers, I’m back in the beautiful city of Rennes, France to attend my second edition of the SSTIC. My first one was a very good experience (you can find my previous wrap-up’s on this blog – day 1, day 2, day 3) and this one was even more interesting
[SANS ISC] Converting PCAP Web Traffic to Apache Log
I published the following diary on isc.sans.org: “Converting PCAP Web Traffic to Apache Log“: PCAP data can be really useful when you must investigate an incident but when the amount of PCAP files to analyse is counted in gigabytes, it may quickly become tricky to handle. Often, the first protocol
[SANS ISC] Malicious Post-Exploitation Batch File
I published the following diary on isc.sans.org: “Malicious Post-Exploitation Batch File“: Here is another interesting file that I found while hunting. It is a malicious Windows batch file (.bat) which helps to exploit a freshly compromised system (or… to be used by a rogue user). I don’t have a lot of