I just published a new update of my imap2thehive tool. A quick reminder: this tool is aimed to poll an IMAP mailbox and feed an instance of TheHive with processed emails. This new version is now able to extract interesting IOCs from the email body and attached HTML files. The following indicators are
I published the following diary on isc.sans.org: “The real value of an IOC?“: When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or “Indicators of Compromise†is published. Those indicators
I just published a quick update of my imap2thehive tool. Files attached to an email can now be processed and uploaded as an observable attached to a case. It is possible to specify which MIME types to process via the configuration file. The example below will process PDF & EML
A quick blog post about a module that I wrote to interconnect the malware analysis framework Viper and the malware analysis platform A1000 from ReversingLabs. The module can perform two actions at the moment: to submit a new sample for analysis and to retrieve the analysis results (categorization): viper sample.exe
TheHive is a great incident response platform which has the wind in its sails for a while. More and more organization are already using it or are strongly considering to deploy it in a near future. TheHive is tightly integrated with MISP to push/pull IOC’s. Such tool must be fed with
I published the following diary on isc.sans.org: “Investigating Microsoft BITS Activity“: Microsoft BITS (“Background Intelligent Transfer Serviceâ€) is a tool present[1] in all modern Microsoft Windows operating systems. As the name says, you can see it as a “curl” or “wget” tool for Windows. It helps to transfer files between
Who said that all computers are connected today? They are many classified environments where computers can simply never connect to the wild Internet. But sometimes, you need to install some pieces of software from online resources. The classic case is Python modules. Let’s take a practical example with the PyMISPÂ which
I published the following diary on isc.sans.org: “Using Bad Material for the Good“: There is a huge amount of information shared online by attackers. Once again, pastebin.com is a nice place to start hunting. As this material is available for free, why not use it for the good? Attackers (with
While you use a tool every day, you get more and more knowledge about it but you also have plenty of ideas to improve it. I’m using Splunk on a daily basis within many customers’ environments as well as for personal purposes. When you have a big database of events,
The idea of this Docker container came after reading the excellent Micah Hoffman’s blog post:Â Dark Web Report + TorGhost + EyeWitness == Goodness. Like Micah, I’m also receiving a daily file with new websites discovered on the (dark|deep) web (name it as you prefer). This service is provided by @hunchly
