I published the following diary on isc.sans.org: “Truncating Payloads and Anonymizing PCAP files“: Sometimes, you may need to provide PCAP files to third-party organizations like a vendor support team to investigate a problem with your network. I was looking for a small tool to anonymize network traffic but also to
I published the following diary on isc.sans.org: “Exploiting the Power of Curl“: Didier explained in a recent diary that it is possible to analyze malicious documents with standard Linux tools. I’m using Linux for more than 20 years and, regularly, I find new commands or new switches that help me
I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play
TheHive is an awesome tool to perform incident management. One of the software components that is linked to TheHive is Cortex defined as a “Powerful observable analysis engine“. Let’s me explain why Cortex can save you a lot of time. When you are working on an incident in TheHive, observables are
Sometimes, a security incident starts with an email. A suspicious email can be provided to a security analyst for further investigation. Most of the time, the mail is provided in EML or “Electronic Mail Format“. EML files store the complete message in a single file: SMTP headers, mail body and all
I published the following diary on isc.sans.org: “Malicious Powershell Targeting UK Bank Customers”: I found a very interesting sample thanks to my hunting rules… It is a PowerShell script that was uploaded on VT for the first time on the 16th of May from UK. The current VT score is still
I just published a new update of my imap2thehive tool. A quick reminder: this tool is aimed to poll an IMAP mailbox and feed an instance of TheHive with processed emails. This new version is now able to extract interesting IOCs from the email body and attached HTML files. The following indicators are
I published the following diary on isc.sans.org: “The real value of an IOC?“: When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or “Indicators of Compromise†is published. Those indicators
I just published a quick update of my imap2thehive tool. Files attached to an email can now be processed and uploaded as an observable attached to a case. It is possible to specify which MIME types to process via the configuration file. The example below will process PDF & EML
A quick blog post about a module that I wrote to interconnect the malware analysis framework Viper and the malware analysis platform A1000 from ReversingLabs. The module can perform two actions at the moment: to submit a new sample for analysis and to retrieve the analysis results (categorization): viper sample.exe
