I published the following diary on isc.sans.edu: “Simple Powershell Keyloggers are Back”: Powershell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad! While hunting, I found a bunch of malicious Powershell scripts that
Last week, I had a unique opportunity to attend a demo of a “cool” product (I insist on the quotes around cool): A complete solution to track and intercept mobile devices. The company presents itself as a partner of law enforcement services, governments or special agencies (you know all the
I published the following diary on isc.sans.edu: “Old H-Worm Delivered Through GitHub”: Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Event sites from the Alexa Top-1M may deliver
I published the following diary on isc.sans.edu: “Suspicious PDF Connecting to a Remote SMB Share”: Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer’s anti-malware solution and placed in the quarantine. Later, the recipient contacted the team in charge of emails to access his document because
I published the following diary on isc.sans.edu: “Phishing Kit with JavaScript Keylogger”: Here is an interesting sample! It’s a phishing page which entice the user to connect to his/her account to retrieve a potentially interesting document. As you can see, it’s a classic one… [Read more]
I published the following diary on isc.sans.edu: “Tracking Unexpected DNS Changes”: DNS is a key element of the Internet and, regularly, we read new bad stories. One of the last one was the Department of Homeland Security warning about recent DNS hijacking attacks. Indeed, when you want to visit the website ‘isc.sans.org’, you
I published the following diary on isc.sans.edu: “DNS Firewalling with MISP”: If IOC’s are very useful to “detect” suspicious activities, why not use also them to “prevent” them to occur? DNS firewalling can be an efficient way to prevent your users to visit malicious online resources. The principle of DNS firewalling
I published the following diary on isc.sans.edu: “Malicious Script Leaking Data via FTP”: The last day of 2018, I found an interesting Windows cmd script which was uploaded from India (SHA256: dff5fe50aae9268ae43b76729e7bb966ff4ab2be1bd940515cbfc0f0ac6b65ef) with a very low VT score. The script is not obfuscated and contains a long list of commands based on
I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because there are more difficult to control (example: laptops are travelling, used at home, etc).They can also be located in different locations even countries for
My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour. OSSEC is sometimes described as
