I published the following diary on isc.sans.org: “Investigating Microsoft BITS Activity“: Microsoft BITS (“Background Intelligent Transfer Service”) is a tool present[1] in all modern Microsoft Windows operating systems. As the name says, you can see it as a “curl” or “wget” tool for Windows. It helps to transfer files between
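As an added illustration of what “investigating BITS activity” looks like in practice (this is example code written for this page, not the diary’s own script), the snippet below lists the BITS jobs of every user on the host and then pulls the job start/stop events from the BITS client operational log, which keep the remote URL even after the job and the downloaded file are gone. The event IDs 59/60 and the allowlist of Microsoft update domains are assumptions you should verify against your own systems.

```powershell
# Added example: inventory BITS jobs and BITS client events on a Windows host.
# Run from an elevated PowerShell; -AllUsers only works with administrative rights.
Import-Module BitsTransfer

# 1. Live and suspended jobs. Without -AllUsers you only see the current user's jobs,
#    so a job created under SYSTEM or another account would be missed.
#    (The legacy equivalent is: bitsadmin /list /allusers /verbose)
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    ForEach-Object {
        $job = $_
        # One row per file: a single job can carry several remote/local pairs.
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                Type        = $job.TransferType     # Download / Upload / UploadReply
                State       = $job.JobState         # Transferring, Suspended, Error, ...
                Created     = $job.CreationTime
                Remote      = $file.RemoteName
                Local       = $file.LocalName
            }
        }
    } | Format-Table -AutoSize

# 2. History. The BITS client log records when a job starts (assumed ID 59, message
#    contains the job name and URL) and stops (assumed ID 60). The URL is extracted
#    from the message text so the code does not depend on property ordering.
$cutoff = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 59, 60
    StartTime = $cutoff
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            Id   = $_.Id
            Url  = ([regex]::Match($_.Message, 'https?://[^\s]+')).Value
        }
    } |
    # Assumed allowlist: hide Windows Update traffic so unusual origins stand out.
    # Treat this as a triage filter only; an attacker can host on any domain.
    Where-Object { $_.Url -and $_.Url -notmatch 'windowsupdate\.com|microsoft\.com' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Jobs that survive reboots and hold a URL outside your expected update infrastructure, or whose owner is an interactive user rather than SYSTEM, are the ones worth pulling into the incident timeline.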
Tag: SANS ISC
[SANS ISC] Ransomware as a Service
I published the following diary on isc.sans.org: “Ransomware as a Service“: Hunting on the dark web is interesting to find new malicious activities running in the background. Besides the classic sites where you can order drugs and all kind of counterfeited material, I discovered an interesting website which offers a
[SANS ISC] Comment your Packet Captures!
I published the following diary on isc.sans.org: “Comment your Packet Captures!“: When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no “best” way to take notes, some people use electronic solutions while others are using good
[SANS ISC] Mining or Nothing!
I published the following diary on isc.sans.org: “Mining or Nothing!“: Cryptocurrencies mining has been a trending attack for a few weeks. Our idling CPUs are now targeted by bad guys who are looking to generate some extra revenue by abusing our resources. Other fellow handlers already posted diaries about this topic.
[SANS ISC] 2017, The Flood of CVEs
I published the following diary on isc.sans.org: “2017, The Flood of CVEs“: 2017 is almost done and it’s my last diary for this year. I made a quick review of my CVE database (I’m using a local cve-search instance). The first interesting number is the number of CVEs created this
[SANS ISC] Example of ‘MouseOver’ Link in a Powerpoint File
I published the following diary on isc.sans.org: “Example of ‘MouseOver’ Link in a Powerpoint File“: I really like Microsoft Office documents… They offer so many features that can be (ab)used to make them virtual bombs. Yesterday, I found a simple one but nicely prepared Powerpoint presentation: Payment_copy.ppsx (SHA256:7d6f3eb45c03a8c2fca4685e9f2d4e05c5fc564c3c81926a5305b6fa6808ac3f). It was still
[SANS ISC] Tracking Newly Registered Domains
I published the following diary on isc.sans.org: “Tracking Newly Registered Domains“: Here is the next step in my series of diaries related to domain names. After tracking suspicious domains with a dashboard and proactively searching for malicious domains, let’s focus on newly registered domains. There are a huge number of
[SANS ISC] Using Bad Material for the Good
I published the following diary on isc.sans.org: “Using Bad Material for the Good“: There is a huge amount of information shared online by attackers. Once again, pastebin.com is a nice place to start hunting. As this material is available for free, why not use it for the good? Attackers (with
[SANS ISC] Phishing Kit (Ab)Using Cloud Services
I published the following diary on isc.sans.org: “Phishing Kit (Ab)Using Cloud Services“: When you build a phishing kit, there are several critical points to address. You must generate a nice-looking page which matches the original one as closely as possible, and you must work stealthily to not be blocked
[SANS ISC] Fileless Malicious PowerShell Sample
I published the following diary on isc.sans.org: “Fileless Malicious PowerShell Sample“: Pastebin.com remains one of my favourite places for hunting. I’m searching for juicy content and report findings in a Splunk dashboard: Yesterday, I found an interesting pastie with a simple Windows CMD script…