I published the following diary on isc.sans.edu: “Example of Malicious DLL Injected in PowerShell“: For a while, PowerShell remains one of the favorite languages for attackers. Installed by default (and almost impossible to get rid of it), powerful, perfectly integrated with the core operating system. It’s very easy to develop
I published the following diary on isc.sans.edu: “Malicious Excel Sheet with a NULL VT Score“: Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. Yes, according to
I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins“: Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications,
Yesterday, a very interesting article was published on the MISP blog by my friend Koen about a solution to monitor a MISP instance with Cacti. Monitoring your threat intelligence platform is always a good idea because many other tools depend on it. You can feed other tools with MISP data
I published the following diary on isc.sans.edu: “Tracking A Malware Campaign Through VT“: During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded
I published the following diary on isc.sans.edu: “Example of Word Document Delivering Qakbot“: Qakbot is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I’ll cover today has been reported by one of our
I published the following diary on isc.sans.edu: “Using API’s to Track Attackers“: For a few days, I’m keeping an eye on suspicious Python code posted on VT. We all know that VBA, JavaScript, Powershell, etc are attacker’s best friends but Python is also a good candidate to perform malicious activities on
I published the following diary on isc.sans.edu: “A Fork of the FTCode Powershell Ransomware“: Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victim’s computer. As usual, the malware was delivered through a malicious Word document with
I published the following diary on isc.sans.edu: “Powershell Bot with Multiple C2 Protocols“: I spotted another interesting Powershell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe This Windows tool is often used to compile/execute malicious on the fly (I already wrote a diary about this
I published the following diary on isc.sans.edu: “Compromized Desktop Applications by Web Technologies”: For a long time now, it has been said that “the new operating system is the browser”. Today, we do everything in our browsers, we connect to the office, we process emails, documents, we chat, we perform
