I published the following diary on isc.sans.edu: “Simple but Undetected PowerShell Backdoor“: For a while, most security people agree on the fact that antivirus products are not enough for effective protection against malicious code. If they can block many threats, some of them remain undetected by classic technologies. Here is
I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor“: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.
I published the following diary on isc.sans.edu: “Python Backdoor Talking to a C2 Through Ngrok“: I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most
I published the following diary on isc.sans.edu: “Live Patching Windows API Calls Using PowerShell“: It’s amazing how attackers can be imaginative when it comes to protecting themselves and preventing security controls to do their job. Here is an example of a malicious PowerShell script that patches live a DLL function
I published the following diary on isc.sans.edu: “PowerShell Backdoor Launched from a ShellCode“: When you need to perform malicious actions on a victim’s computer, the Internet is full of resources that can be reused, forked, slightly changed to meet your requirements. After all, why reinvent the wheel if some pieces
I published the following diary on isc.sans.org: “Another webshell, another backdoor!“. I’m still busy to follow how webshells are evolving… I recently found another backdoor in another webshell called “cor0.idâ€. The best place to find webshells remind pastebin.com[1]. When I’m testing a webshell, I copy it in a VM located
I published the following diary on isc.sans.org: “When Bad Guys are Pwning Bad Guys…“. A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. They’re plenty of web shells available, there are easy to find and install. They are usually delivered as one
I published the following diary on isc.sans.org: “Analysis of a Simple PHP Backdoor“. With the huge surface attack provided by CMS like Drupal or WordPress, webshells remain a classic attack scenario. A few months ago, I wrote a diary about the power of webshells. A few days ago, a friend
I’d like to come back to an issue I faced yesterday with one my servers. I think that this story could be a good example as part of an IPv6 awareness program… One of my servers in my home lab runs several virtual machines. This server is reachable from outside
I found UNIX a wonderful OS, whatever the flavors! I use it for 17 years and almost every week, I learn new stuffs. One of the particularities of UNIX is the way it communicate with devices. Except some specific devices, most of them are managed and visible as files or
