I published the following diary on isc.sans.org: “Proactive Malicious Domain Search“: In a previous diary, I presented a dashboard that I’m using to keep track of the DNS traffic on my networks. Tracking malicious domains is useful but what if you could, in a certain way, “predict†the upcoming domains
I published the following diary on isc.sans.org: “Top-100 Malicious IP STIX Feed“. Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX means “Structured Threat Information eXpression†and enables organizations to share indicator
I published the following diary on isc.sans.org: “Suspicious Domains Tracking Dashboard“. Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network (example by using a DNS firewall). The ISC has also a page dedicated to domain names. But how
I published the following diary on isc.sans.org: “If you want something done right, do it yourself!“. Another day, another malicious document! I like to discover how the bad guys are creative to write new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story, a
I published the following diary on isc.sans.org: “Keep An Eye on your Root Certificates“. A few times a year, we can read in the news that a rogue root certificate was installed without the user consent. The latest story that pops up in my mind is the Savitech audio drivers
I published the following diary on isc.sans.org: “Interesting VBA Dropper“. Here is another sample that I found in my spam trap. The technique to infect the victim’s computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd) that exploits the OLE2Link vulnerability (CVE-2017-0199). Once opened, the
I published the following diary on isc.sans.org: “Simple Analysis of an Obfuscated JAR File“. Yesterday, I found in my spam trap a file named ‘0.19238000 1509447305.zip’ (SHA256: 7bddf3bf47293b4ad8ae64b8b770e0805402b487a4d025e31ef586e9a52add91). The ZIP archive contained a Java archive named ‘0.19238000 1509447305.jar’ (SHA256: b161c7c4b1e6750fce4ed381c0a6a2595a4d20c3b1bdb756a78b78ead0a92ce4). The file had a score of 0/61 in VT and
I published the following diary on isc.sans.org: “Some Powershell Malicious Code“. Powershell is a great language that can interact at a low-level with Microsoft Windows. While hunting, I found a nice piece of Powershell code. After some deeper checks, it appeared that the code was not brand new but it
I published the following diary on isc.sans.org: “Stop relying on file extensions“. Yesterday, I found an interesting file in my spam trap. It was called ‘16509878451.XLAM’. To be honest, I was not aware of this extension and I found this on the web: “A file with the XLAM file extension is an
I published the following diary on isc.sans.org: “Version control tools aren’t only for Developers“. When you start to work on a big project or within a team of developers, it is very useful to use a version control system. The most known are probably ’svn’ or ‘git’. For developers, such
