I published the following diary on isc.sans.org: “Blocked Does Not Mean Forget It”: Today, organisations are facing regular waves of attacks which are targeted… or not. We deploy tons of security controls to block them as soon as possible before they successfully reach their targets. Due to the amount of
Rendering Suspicious EML Files
Sometimes, a security incident starts with an email. A suspicious email can be provided to a security analyst for further investigation. Most of the time, the mail is provided in EML or “Electronic Mail Format”. EML files store the complete message in a single file: SMTP headers, mail body and all
Imap2TheHive: Support for Observables
I just published a new update of my imap2thehive tool. A quick reminder: this tool is designed to poll an IMAP mailbox and feed an instance of TheHive with processed emails. This new version is now able to extract interesting IOCs from the email body and attached HTML files. The following indicators are
[SANS ISC] Diving into a Simple Maldoc Generator
The number of malicious documents generated every day has been growing for a while. To produce this huge amount of files, the process must be automated. I found on Pastebin a Python script to generate malicious Office documents. Let’s have a look at it… [Read more]
[SANS ISC] The real value of an IOC?
I published the following diary on isc.sans.org: “The real value of an IOC?”: When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or “Indicators of Compromise” is published. Those indicators
[SANS ISC] Webshell looking for interesting files
I published the following diary on isc.sans.org: “Webshell looking for interesting files”: Yesterday, I found on Pastebin a bunch of samples of a webshell that integrates an interesting feature: it provides a console mode that you can use to execute commands on the victim host. The look and feel of the
Facebook Archives Predictive Name: Some Found Online
Facebook has been in the news for a few days following the disclosure of the Cambridge Analytica scandal. A few days ago, another wave of rumours revealed that the Facebook app could collect your private data. Facebook denied it and a ping-pong game started. Is it true or false? The fact is
[SANS ISC] How are Your Vulnerabilities?
I published the following diary on isc.sans.org: “How are Your Vulnerabilities?”: Scanning assets for known vulnerabilities is a mandatory process in many organisations. This topic comes in third position in the CIS Top-20. The major issue with a vulnerability scanning process is not on the technical side but more
[SANS ISC] Windows IRC Bot in the Wild
I published the following diary on isc.sans.org: “Windows IRC Bot in the Wild”: Last weekend, I caught on VirusTotal a trojan disguised as a Windows IRC bot. It was detected thanks to my ‘psexec’ hunting rule, which definitively looks like an interesting keyword (see my previous diary). I detected the first occurrence
[SANS ISC] Surge in blackmailing?
I published the following diary on isc.sans.org: “Surge in blackmailing?”: What’s happening with blackmails? For those who don’t know the word, it is a piece of mail sent to a victim to ask for money in return for not revealing compromising information about him/her. For a few days, we noticed a peak