I published the following diary on isc.sans.org: “Malicious Powershell Targeting UK Bank Customers”: I found a very interesting sample thanks to my hunting rules… It is a PowerShell script that was uploaded on VT for the first time on the 16th of May from UK. The current VT score is still
I published the following diary on isc.sans.org: “Nice Phishing Sample Delivering Trickbot“: Users have to deal with phishing for a very long time. Today, most of them remain dumb messages quickly redacted with a simple attached file and a message like “Click on me, it’s urgent!â€. Yesterday, I put my
I published the following diary on isc.sans.org: “Adding Persistence Via Scheduled Tasks“: Once a computer has been infected by a malware, one of the next steps to perform is to keep persistence. Usually, endpoints (workstations) are primary infection vectors due to the use made of it by people: they browse
The number of malicious documents generated every day keeps growing for a while. To produce this huge amount of files, the process must be automated. I found on Pastebin a Python script to generate malicious Office documents. Let’s have a look at it… [Read more]
I published the following diary on isc.sans.org: “Malicious Network Traffic From /bin/bash“: One of our readers from Germany sent me a malicious shell script captured by our honeypot running on his Raspberry. It’s a simple UNIX Bash script that performs a bunch of malicious tasks: Kills existing crypto miner processes
I published the following diary on isc.sans.org: “A Suspicious Use of certutil.exe“: The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternal suite[1] and psexec.exe, others are builtin in Windows and available to everybody. The presence of
I published the following diary on isc.sans.org: “Windows IRC Bot in the Wild“: Last weekend, I caught on VirusTotal a trojan disguised as Windows IRC bot. It was detected thanks to my ‘psexec’ hunting rule which looks definitively an interesting keyword (see my previous diary). I detected the first occurrence
I published the following diary on isc.sans.org: “Extending Hunting Capabilities in Your Network“: Today’s diary is an extension to the one I posted yesterday about hunting for malicious files crossing your network. Searching for new IOCs is nice but there are risks of missing important pieces of information! Indeed, the first
I published the following diary on isc.sans.org: “Automatic Hunting for Malicious Files Crossing your Network“: If classic security controls remain mandatory (antivirus, IDS, etc), it is always useful to increase your capacity to detect suspicious activities occurring in your networks. Here is a quick recipe that I’m using to detect
I published the following diary on isc.sans.org: “Payload delivery via SMB“: This weekend, while reviewing the collected data for the last days, I found an interesting way to drop a payload to the victim. This is not brand new and the attack surface is (in my humble opinion) very restricted
