I published the following diary on isc.sans.edu: “Simple Python Keylogger“: A keylogger is one of the core features implemented by many malware to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, …), just by having a look at
Tag: SANS ISC
[SANS ISC] Defenders, Know Your Operating System Like Attackers Do!
I published the following diary on isc.sans.edu: “Defenders, Know Your Operating System Like Attackers Do!“: Not a technical diary today but more a reflection… When I’m teaching FOR610, I always remind students to “RTFM” or “Read the F… Manual”. I mean to not hesitate to have a look at the
[SANS ISC] Spotting the Red Team on VirusTotal!
I published the following diary on isc.sans.edu: “Spotting the Red Team on VirusTotal!“: Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but… VirusTotal remains a cloud service. It means that, once you uploaded a
[ISC SANS] Spam Farm Spotted in the Wild
I published the following diary on isc.sans.edu: “Spam Farm Spotted in the Wild“: If there is a place where you can always find juicy information, it’s your spam folder! Yes, I like spam and I don’t delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or
[SANS ISC] From VBS, PowerShell, C Sharp, Process Hollowing to RAT
I published the following diary on isc.sans.edu: “From VBS, PowerShell, C Sharp, Process Hollowing to RAT“: VBS files are interesting to deliver malicious content to a victim’s computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it looks also like Russian
[SANS ISC] Dynamic Data Exchange (DDE) is Back in the Wild?
I published the following diary on isc.sans.edu: “Dynamic Data Exchange (DDE) is Back in the Wild?“: DDE or “Dynamic Data Exchange” is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects. For a while,
[SANS ISC] Agent Tesla Dropped Through Automatic Click in Microsoft Help File
I published the following diary on isc.sans.edu: “Agent Tesla Dropped Through Automatic Click in Microsoft Help File“: Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension is less common (like .xsl files), others look really safe and make the victim confident
[SANS ISC] VBA Macro Trying to Alter the Application Menus
I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus“: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique
[SANS ISC] New Example of XSL Script Processing aka “Mitre T1220”
I published the following diary on isc.sans.edu: “New Example of XSL Script Processing aka ‘Mitre T1220’“: Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided
[SANS ISC] Sensitive Data Shared with Cloud Services
I published the following diary on isc.sans.edu: “Sensitive Data Shared with Cloud Services“: Yesterday was the data protection day in Europe. I was not on duty so I’m writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many