I published the following diary on isc.sans.org: “UAC Bypass in JScript Dropper“. Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It’s always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a
I published the following diary on isc.sans.org: “Free Software Quick Security Checklist“. Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures but the most important remains, of course, the price. Even if
I published the following diary on isc.sans.org: “Example of Getting Analysts & Researchers Away“. It is well-known that bad guys implement pieces of code to defeat security analysts and researchers. Modern malware’s have VM evasion techniques to detect as soon as possible if they are executed in a sandbox environment. The same applies
I published the following diary on isc.sans.org: “Full Packet Capture for Dummies” When a security incident occurred and must be investigated, the Incident Handler’s Holy Grail is a network capture file. It contains all communications between the hosts on the network. These metadata are already in goldmine: source and destination
I published the following diary on isc.sans.org: “Spam Delivered via .ICS Files“. Yesterday, I received a few interesting emails in my honeypot. I set up catch-all email addresses for domains that are well known by spammers. I’m capturing emails and extracting MIME attachments for further analysis. Today, my honeypot received three
I published the following diary on isc.sans.org: “Another Day, Another Malicious Behaviour“. Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request: … [Read more]
I published the following diary on isc.sans.org: “SNMP Pwn3ge“. Sometimes getting access to company assets is very complicated. Sometimes it is much easier (read: too easy) than expected. If one of the goals of a pentester is to get juicy information about the target, preventing the IT infrastructure to run
I published the following diary on isc.sans.org: “Collecting Users Credentials from Locked Devices“. It’s a fact: When a device can be physically accessed, you may consider it as compromised. And if the device is properly hardened, it’s just a matter of time. The best hacks are the ones which use
I published the following diary on isc.sans.org: “Malware Delivered via ‘.pub’ Files“. While searching for new scenarios to deliver their malwares[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version
I published the following diary on isc.sans.org: “Maxmind.com (Ab)used As Anti-Analysis Technique“. A long time ago I wrote a diary[1] about malware samples which use online geolocalization services. Such services are used to target only specific victims. If the malware detects that it is executed from a specific area, it
