I published the following diary on isc.sans.org: “When Bad Guys are Pwning Bad Guys…”. A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. There are plenty of web shells available; they are easy to find and install. They are usually delivered as one
Tag: SANS ISC
[SANS ISC] The story of the CFO and CEO…
I published the following diary on isc.sans.org: “The story of the CFO and CEO…”. I read an interesting article in a Belgian IT magazine[1]. Every year, they organise a big survey to collect feelings from people working in the IT field (not only security). It is very broad and covers their
[SANS ISC] HTTP Headers… the Achilles’ heel of many applications
I published the following diary on isc.sans.org: “HTTP Headers… the Achilles’ heel of many applications”. When browsing a target web application, a pentester is looking for all “entry” or “injection” points present in the pages. Everybody knows that a static website with pure HTML code is less juicy compared to a
[SANS ISC] Analysis of a Maldoc with Multiple Layers of Obfuscation
I published the following diary on isc.sans.org: “Analysis of a Maldoc with Multiple Layers of Obfuscation”. Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called “Invoice_6083.doc” (which was delivered in a zip archive). I had a quick
[SANS ISC] DNS Query Length… Because Size Does Matter
I published the following diary on isc.sans.org: “DNS Query Length… Because Size Does Matter”. In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems. It is
[SANS ISC] Hunting for Malicious Excel Sheets
I published the following diary on isc.sans.org: “Hunting for Malicious Excel Sheets”. Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file.
[SANS ISC] Tracking Website Defacers with HTTP Referers
I published the following diary on isc.sans.org: “Tracking Website Defacers with HTTP Referers”. In a previous diary, I explained how pictures may affect your website’s reputation. Although a suggested recommendation was to prevent cross-linking by using the HTTP referer, this is a control that I do not implement on my personal blog,
[SANS ISC] Whitelists: The Holy Grail of Attackers
I published the following diary on isc.sans.org: “Whitelists: The Holy Grail of Attackers”. As a defender, take the time to put yourself in the place of a bad guy for a few minutes. You’re writing some malicious code and you need to download payloads from the Internet or hide your
[SANS ISC] Pro & Con of Outsourcing your SOC
I published the following diary on isc.sans.org: “Pro & Con of Outsourcing your SOC”. I’m involved in a project to deploy a SIEM (“Security Information & Event Management”) / SOC (“Security Operation Center”) for a customer. The current approach is to outsource the services to an external company also called a
[SANS ISC] Diverting built-in features for the bad
I published the following diary on isc.sans.org: “Diverting built-in features for the bad”. Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code…