Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server… exactly like a malware with it’s C2 server but this time
I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper“: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place. It is also important to mention that the injection technique used is similar
I published the following diary on isc.sans.edu: “Simple but Undetected PowerShell Backdoor“: For a while, most security people agree on the fact that antivirus products are not enough for effective protection against malicious code. If they can block many threats, some of them remain undetected by classic technologies. Here is
I published the following diary on isc.sans.edu: “Python Shellcode Injection From JSON Data“: My hunting rules detected a niece piece of Python code. It’s interesting to see how the code is simple, not deeply obfuscated, and with a very low VT score: 2/56!. I see more and more malicious Python code
I published the following diary on isc.sans.edu: “The UPX Packer Will Never Die!“: Today, many malware samples that you can find in the wild are “packed”. The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack
I published the following diary on isc.sans.edu: “Info-Stealer Using webhook.site to Exfiltrate Data“: We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. Today, many
I’m using Tor for so long that I can’t remember! The main reasons to use it are to access some websites while preserving my anonymity (after all that’s the main purpose of Tor) but also to access dangerous resources like command & control servers or sites delivering malicious content. The
Short tutorial about the installation of a malware analyzis lab on Proxmox.
I published the following diary on isc.sans.edu: “Shadow IT Makes People More Vulnerable to Phishing“: Shadow IT is a real problem in many organizations. Behind this term, we speak about pieces of hardware or software that are installed by users without the approval of the IT department. In many cases,
I published the following diary on isc.sans.edu: “(Ab)Using Security Tools & Controls for the Bad“: As security practitioners, we give daily advice to our customers to increase the security level of their infrastructures. Install this tool, enable this feature, disable this function, etc. When enabled, these techniques can also be
