I published the following diary on isc.sans.org: “The real value of an IOC?“: When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or “Indicators of Compromise†is published. Those indicators
I’m just back from the 2018 edition of the FIRST TC (“Technical Colloquium”) organized in Amsterdam. This was the second edition for me. The format was the same, one day of workshops and two days with normal presentations. And always 100% free! During the quick introduction, Jeff Bollinger from Cisco, which
I published the following diary on isc.sans.org: “Webshell looking for interesting files“: Yesterday, I found on Pastebin a bunch of samples of a webshell that integrates an interesting feature: It provides a console mode that you can use to execute commands on the victim host. The look and feel of the
I published the following diary on isc.sans.org: “A Suspicious Use of certutil.exe“: The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternal suite[1] and psexec.exe, others are builtin in Windows and available to everybody. The presence of
Facebook is in the news for a few days after the disclosure of the Cambridge Analytica scandal. A few days ago, another wave of rumours revealed that the Facebook app could collect your private data. Facebook denied and a ping-pong game started. Is it true or false? The fact is
I published the following diary on isc.sans.org: “How are Your Vulnerabilities?“: Scanning assets for known vulnerabilities is a mandatory process in many organisations. This topic comes in the third position of the CIS Top-20. The major issue with a vulnerability scanning process is not on the technical side but more
I published the following diary on isc.sans.org: “Windows IRC Bot in the Wild“: Last weekend, I caught on VirusTotal a trojan disguised as Windows IRC bot. It was detected thanks to my ‘psexec’ hunting rule which looks definitively an interesting keyword (see my previous diary). I detected the first occurrence
I published the following diary on isc.sans.org: “Extending Hunting Capabilities in Your Network“: Today’s diary is an extension to the one I posted yesterday about hunting for malicious files crossing your network. Searching for new IOCs is nice but there are risks of missing important pieces of information! Indeed, the first
I published the following diary on isc.sans.org: “Automatic Hunting for Malicious Files Crossing your Network“: If classic security controls remain mandatory (antivirus, IDS, etc), it is always useful to increase your capacity to detect suspicious activities occurring in your networks. Here is a quick recipe that I’m using to detect
I published the following diary on isc.sans.org: “Surge in blackmailing?“: What’s happening with blackmails? For those who don’t know the word, it is a piece of mail sent to a victim to ask money in return for not revealing compromising information about him/her. For a few days, we noticed a peak
