I published the following diary on isc.sans.edu: “Clean Binaries with Suspicious Behaviour“: EDR or “Endpoint Detection & Response” is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in
[SANS ISC] Malicious Post-Exploitation Batch File
I published the following diary on isc.sans.org: “Malicious Post-Exploitation Batch File“: Here is another interesting file that I found while hunting. It is a malicious Windows batch file (.bat) which helps to exploit a freshly compromised system (or… to be used by a rogue user). I don’t have a lot of
[SANS ISC] A Suspicious Use of certutil.exe
I published the following diary on isc.sans.org: “A Suspicious Use of certutil.exe“: The Microsoft operating system is full of command line tools that help to perform administrative tasks. Some can be easily installed, like the SysInternals suite and psexec.exe, others are built into Windows and available to everybody. The presence of
[SANS ISC] Windows IRC Bot in the Wild
I published the following diary on isc.sans.org: “Windows IRC Bot in the Wild“: Last weekend, I caught on VirusTotal a trojan disguised as a Windows IRC bot. It was detected thanks to my ‘psexec’ hunting rule, which definitely looks like an interesting keyword (see my previous diary). I detected the first occurrence
SMBv1, The Phoenix of Protocols?
Does everybody still remember the huge impact that WannaCry had on many companies in 2017? The ransomware exploited the vulnerability described in MS17-010, which abuses the SMBv1 protocol. One of the requirements to protect against this kind of attack was to simply disable SMBv1 (besides the fact to NOT expose
Interesting List of Windows Processes Killed by Malicious Software
Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity
The Impact of a Ransomware Infection
For a while now, ransomware has been a plague… Just by surfing to a website or by opening an invoice received by email, people get a nice popup window while their files are being encrypted. Every day, we hear about nightmare stories with companies infected by such malicious code and which do not have a
Tracking Administrator Sessions in Windows Environments
Tracking users with privileged access is a critical task in your security policy (SANS Critical Security Control #12). While the key point is to restrict the number of “power users” to the minimum, it’s not always easy. Most of them will argue that they need administrator rights “to be able to
Sending Windows Event Logs to Logstash
This topic is not brand new; there exist plenty of solutions to forward Windows event logs to Logstash (OSSEC, Snare or NXlog amongst many others). They perform a decent job of collecting events on running systems, but they require an extra piece of software to be deployed on the target operating systems. For a specific
How to Prevent the Windows Screensaver Autolock Feature?
A quick and dirty tip if you need to keep a Windows workstation or server console unlocked. This can be required for several purposes, good or bad. In my case, I’m working on a workstation to access network resources. I don’t have a login and cannot know the local password.