I published the following diary on isc.sans.edu: “Dissecting Malicious Office Documents with Linux”: A few months ago, Rob wrote a nice diary to explain how to dissect a (malicious) Office document (.docx). The approach was to use the OpenXML SDK with Powershell. This is nice but how to achieve the
Tag: SANS ISC
[SANS ISC] Diving into Malicious AutoIT Code
I published the following diary on isc.sans.edu: “Diving into Malicious AutoIT Code”: Following my diary from yesterday, I had a deeper look at the malicious AutoIT script dropped in my sandbox. For those who are not aware of AutoIT, it is a BASIC-like scripting language designed for automating Windows tasks. If
[SANS ISC] Malicious Powershell using a Decoy Picture
I published the following diary on isc.sans.edu: “Malicious Powershell using a Decoy Picture”: I found another interesting piece of malicious Powershell while hunting. The file size is 1.3MB and most of the file is a PE file Base64 encoded. You can immediately detect it by checking the first characters of
[SANS ISC] More Equation Editor Exploit Waves
I published the following diary on isc.sans.edu: “More Equation Editor Exploit Waves”: This morning, I spotted another wave of malicious documents that (ab)use again CVE-2017-11882 in the Equation Editor (see yesterday’s diary). This time, malicious files are RTF files. One of the samples is SHA256:bc84bb7b07d196339c3f92933c5449e71808aa40a102774729ba6f1c152d5ee2 (VT score: 19/57)… [Read more]
[SANS ISC] New Campaign Using Old Equation Editor Vulnerability
I published the following diary on isc.sans.edu: “New Campaign Using Old Equation Editor Vulnerability”: Yesterday, I found a phishing sample that looked interesting: From: sales@tjzxchem[.]com To: me Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08 Reply-To: exports.sonyaceramics@gmail[.]com [Read more]
[SANS ISC] “OG” Tools Remain Valuable
I published the following diary on isc.sans.edu: “‘OG’ Tools Remain Valuable”: For vendors, the cybersecurity landscape is a nice place to make a very lucrative business. New solutions and tools are released every day and promise that you will easily detect malicious activities on your networks. And it’s a recurring story.
[SANS ISC] More Excel DDE Code Injection
I published the following diary on isc.sans.edu: “More Excel DDE Code Injection”: The “DDE code injection” technique is not brand new. DDE stands for “Dynamic Data Exchange”. It has already been discussed by many security researchers. Just a quick reminder for those who missed it. In Excel, it is possible to
[SANS ISC] Hunting for Suspicious Processes with OSSEC
I published the following diary on isc.sans.edu: “Hunting for Suspicious Processes with OSSEC”: Here is a quick example of how OSSEC can be helpful to perform threat hunting. OSSEC is a free security monitoring tool/log management platform which has many features related to detecting malicious activity on a live system like the
[SANS ISC] Malware Delivered Through MHT Files
I published the following diary on isc.sans.edu: “Malware Delivered Through MHT Files”: What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other
[SANS ISC] Crypto Mining in a Windows Headless Browser
I published the following diary on isc.sans.edu: “Crypto Mining in a Windows Headless Browser”: Crypto miners in the browser are not new. Delivery through a malicious or compromised piece of JavaScript code is common these days (see my previous diary about this topic). This time, it’s another way to deliver the