I published the following diary on isc.sans.org: “Administrator’s Password Bad Practice“: Just a quick reminder about some bad practices while handling Windows Administrator credentials. I’m constantly changing my hunting filters on VT. A few days ago, I started to search for files/scripts that use the Microsoft Sysinternals tool PsExec. For system administrators,
Tag: Security
TROOPERS 18 Wrap-Up Day #2
Hello Readers, here is my wrap-up of the second day. Usually, the second day is harder in the morning due to the social events but, at TROOPERS, they organize the hacker run, which started at 06:45 for the most motivated of us. Today, the topic of the 3rd track switched from
TROOPERS 18 Wrap-Up Day #1
I’m back in Heidelberg (Germany) for my yearly trip to the TROOPERS conference. I really like this event and I’m glad to be able to attend it again (thanks to the crew!). So, here is my wrap-up for the first day. The conference organization remains the same with a good venue.
[SANS ISC] CRIMEB4NK IRC Bot
I published the following diary on isc.sans.org: “CRIMEB4NK IRC Bot“: Yesterday, I got my hands on the source code of an IRC bot written in Perl. Yes, IRC (“Internet Relay Chat”) is still alive! Even if the chat protocol is less used today to handle communications between malware and their C2 servers, it
SMBv1, The Phoenix of Protocols?
Does everybody still remember the huge impact that WannaCry had on many companies in 2017? The ransomware exploited the vulnerability described in MS17-010, which abuses the SMBv1 protocol. One of the recommendations to protect against this kind of attack was simply to disable SMBv1 (besides the fact that you should NOT expose
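As an added example (not part of the original post), here is how an administrator can check whether SMBv1 is still present and enabled on a Windows host and turn it off, both on the server side (the part MS17-010 targets) and on the client side, using the standard `SmbShare` and `Dism` PowerShell cmdlets. The hostname list and the `-Force`/`-NoRestart` choices are assumptions for the example; a reboot is still required for the client-side change to take effect.

```powershell
# Added example: audit and disable SMBv1 on the local host (run as Administrator).
# Requires Windows 8 / Server 2012 or later (SmbShare and Dism modules).

function Get-Smb1Status {
    # Server side: is the SMB1 listener still enabled?
    $srv = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
    # Is the optional component (driver + client) still installed?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ServerSmb1Enabled   = $srv
        Smb1FeatureState    = $feat.State   # Enabled / Disabled
    }
}

function Disable-Smb1 {
    # 1. Stop the server from answering SMB1 negotiations (immediate, no reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Remove the SMB1 component altogether (covers the client redirector too).
    #    Reboot is needed for this to be complete; -NoRestart lets you schedule it.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # 3. Belt and braces: make sure the SMB1 client driver never starts again.
    #    (sc.exe syntax: the space after '=' is mandatory.)
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Before / after view for the change ticket.
Get-Smb1Status | Format-List
Disable-Smb1
Get-Smb1Status | Format-List
```

Only the first step takes effect without a reboot, so after a wave of changes it is worth re-running `Get-Smb1Status` on the fleet (for example through `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-Smb1Status}`) and checking that `ServerSmb1Enabled` is `False` and `Smb1FeatureState` is `Disabled` everywhere; hosts still reporting `Enabled` are the ones an MS17-010-style scan will find.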
[SANS ISC] Malicious Bash Script with Multiple Features
I published the following diary on isc.sans.org: “Malicious Bash Script with Multiple Features“: It’s not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one has been spotted by @michalmalik who tweeted about it. I had a
[SANS ISC] Reminder: Beware of the “Cloud”
I published the following diary on isc.sans.org: “Beware of the “Cloud”“: Today, when you buy a product, there are chances that it will be “connected” and use cloud services for, at least, one of its features. I’d like to tell you a bad story that I had this week. Just
[SANS ISC] Common Patterns Used in Phishing Campaigns Files
I published the following diary on isc.sans.org: “Common Patterns Used in Phishing Campaigns Files“: Phishing campaigns remain a common way to infect computers. Every day, I’m receiving plenty of malicious documents pretending to be sent from banks, suppliers, major Internet actors, etc. All those emails and their payloads are indexed
[SANS ISC] Malware Delivered via Windows Installer Files
I published the following diary on isc.sans.org: “Malware Delivered via Windows Installer Files“: For some days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI
Imap2TheHive: Support of Attachments
I just published a quick update of my imap2thehive tool. Files attached to an email can now be processed and uploaded as an observable attached to a case. It is possible to specify which MIME types to process via the configuration file. The example below will process PDF & EML