I published the following diary on isc.sans.edu: “Security Monitoring: At Network or Host Level?”: Today, to reach a decent security maturity, the keyword remains “visibility”. There is nothing more frustrating than being blind about what’s happening on a network or starting an investigation without any data (logs, events) to process.
BruCON 0x0B Network Post-Mortem Review
This BruCON edition (also called “0x0B”) is already over! This year, we welcomed more than 500 hackers from many countries to follow wonderful speakers and learn new stuff with practical workshops. Like the previous editions, I played with the network deployed for our attendees. Here is a short debriefing of
[SANS ISC] “Lost_Files” Ransomware
I published the following diary on isc.sans.edu: “‘Lost_Files’ Ransomware”: Are good old malware still used by attackers today? Probably not running the original code, but malware developers are… developers! They don’t reinvent the wheel and re-use code published here and there. I spotted a ransomware which looked like an old one…
[SANS ISC] Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs
I published the following diary on isc.sans.edu: “Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs”: I’m keeping an eye on the certificate transparency logs using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some
[SANS ISC] Agent Tesla Trojan Abusing Corporate Email Accounts
I published the following diary on isc.sans.edu: “Agent Tesla Trojan Abusing Corporate Email Accounts”: The trojan ‘Agent Tesla’ is not brand new: discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTPs. I found a
[SANS ISC] Rig Exploit Kit Delivering VBScript
I published the following diary on isc.sans.edu: “Rig Exploit Kit Delivering VBScript”: I detected the following suspicious traffic on a corporate network. It was based on multiple infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the
[SANS ISC] Blocking Firefox DoH with Bind
I published the following diary on isc.sans.edu: “Blocking Firefox DoH with Bind”: For a few days, huge debates have started on forums and mailing lists regarding Mozilla’s announcement that it will enable DoH (DNS over HTTPS) by default in its Firefox browser. Since this announcement, Google also scheduled a move
Training Announcement: “Hunting with OSSEC”
After the 2018 DeepSec edition in November and the BruCON Spring Training in April, I’m happy to come back on the DeepSec 2019 schedule! OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help
BruCON Challenge: The Solution
Last Tuesday, I launched a small challenge to win a ticket for the BruCON conference. The challenge was solved in approximately 20:30 and I received the first correct submission of the hash at 23:30 (congratulations to Quentin Kaiser!). It’s time to give you the solution to this small challenge. It
[SANS ISC] PowerShell Script with a builtin DLL
I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL”: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution