SANS Internet Storm Center, InfoCON: green

Hashes in PowerShell, (Fri, May 15th)

As a follow-up to yesterday's how-to, I thought hashing might be a thing to cover. We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the Windows command set - or are they? Yup, it turns out that they most definitely are part of PowerShell:
  • May 15th 2020 at 14:18

Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe, (Thu, May 14th)

Looking at our Patch Tuesday list, I looked a bit closer at CVE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft's ratings for that one. Microsoft rated this as:
  • May 14th 2020 at 14:36

Base Conversions and Creating GUI Apps in PowerShell, (Thu, May 14th)

I don't know about you, but I find myself doing conversions from decimal to hex and binary several times per day.  For me, working out binary equivalents of decimal numbers is something I do all the time to verify subnet masks, network and broadcast addresses - also in answering "is this IP in the same subnet or in an adjacent network?"  Conversions of the same type crop up all the time in decoding constructs in packets.  Wireshark and Burp will both often anticipate what you want to do on this score, but not always.
  • May 14th 2020 at 13:50

Microsoft May 2020 Patch Tuesday, (Tue, May 12th)

This month we got an average Patch Tuesday with patches for 111 vulnerabilities total. Sixteen of them are critical and, according to Microsoft, none of them were previously disclosed or are being exploited.
  • May 12th 2020 at 17:43

Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)

Malicious Excel 4 macro documents are becoming more prevalent. They are so obfuscated now that analysis requires calculating many formulas.
  • May 11th 2020 at 19:58

Nmap Basics - The Security Practitioner's Swiss Army Knife, (Sat, May 9th)

To elaborate on Xavier's and Bojan's excellent nmap diaries over the last few days, I thought that today might be a good day to go back to basics on nmap and demonstrate why nmap really is a security practitioner’s swiss army knife and should be in each of our testing toolkits.
  • May 9th 2020 at 20:10

VMWare vRealize Critical vulnerabilities due to SaltStack - VMSA-2020-0009, (Sat, May 9th)

VMWare has announced two vulnerabilities in their vRealize product related to their integration of the popular open source server management software SaltStack, for which vulnerabilities were disclosed by F-Secure late last week.
  • May 9th 2020 at 14:05

Using Nmap As a Lightweight Vulnerability Scanner, (Fri, May 8th)

Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan's diary, it reminded me of an old article[2] that I wrote on my blog a long time ago. The idea was to use Nmap as a lightweight vulnerability scanner. Nmap has a scan type that tries to determine the service/version information running behind an open port (enabled with the '-sV' flag). Based on this information, the script looks for interesting CVEs in a flat database. Unfortunately, the script was developed by a third-party developer and was never integrated into the official list of scripts.
  • May 8th 2020 at 05:57

Scanning with nmap's NSE scripts, (Thu, May 7th)

If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning – it’s a port scanner, and that’s what it should be used for. Boy was I wrong.
  • May 7th 2020 at 09:06

Keeping an Eye on Malicious Files Life Time, (Wed, May 6th)

We know that today's malware campaigns are based on fresh files. Each piece of malware has a unique hash and it makes the detection based on lists of hashes not very useful these days. But can we spot some malicious files coming on stage regularly or, suddenly, just popping up from nowhere?
  • May 6th 2020 at 06:13

Cloud Security Features Don't Replace the Need for Personnel Security Capabilities, (Tue, May 5th)

We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We'd certainly like to open this up to reader comments, insights, and feedback.
  • May 5th 2020 at 02:44

Sysmon and File Deletion, (Mon, May 4th)

A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).
  • May 4th 2020 at 22:17
ZIP & AES, (Sun, May 3rd)

A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service where you can download malware samples).
  • May 3rd 2020 at 11:10

Phishing PDF with Unusual Hostname, (Sat, May 2nd)

Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information:
  • May 2nd 2020 at 20:44

Attack traffic on TCP port 9673, (Fri, May 1st)

I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant, the botnets are attacking the same ports. What I find more interesting is anomalous behavior. Changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn't familiar with.
  • May 1st 2020 at 00:42

Collecting IOCs from IMAP Folder, (Thu, Apr 30th)

I have plenty of subscriptions to "cyber security" mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that's a fact: email remains a key communication channel. Some mailing list posts contain interesting indicators of compromise. So, I searched for a nice way to extract them in an automated way (and to correlate them with other data). I did not find a ready-to-use solution that matched my requirements:
  • April 30th 2020 at 05:41

Privacy Preserving Protocols to Trace Covid19 Exposure, (Wed, Apr 29th)

In recent weeks, you probably heard a lot about the "Covid19 Tracing Apps" that Google, Apple, and others. These news reports usually mention the privacy aspects of such an app, but of course, don't cover the protocols in sufficient depth to address how the privacy challenges are being solved.
  • April 29th 2020 at 12:40

Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)

While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.
  • April 28th 2020 at 06:44

Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)

An interesting obfuscation technique to store a malicious payload in a PowerShell script: In a PSCredential object!
  • April 27th 2020 at 06:44

Video: Malformed .docm File, (Sun, Apr 26th)

In diary entry "Obfuscated with a Simple 0x0A", Xavier discovers that a .docm file is a malformed ZIP file.
  • April 26th 2020 at 08:27

MALWARE Bazaar, (Sat, Apr 25th)

When we publish diary entries covering malware, we almost always share the hash of the malware sample.
  • April 25th 2020 at 15:30

Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th)

For a few weeks, we see a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victim’s computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem is, in this case, that it generates more noise via new network flows and the attack depends on the reactivity of the other party to clean up the malicious content. If this happens, the macro won’t be able to fetch the data and the infection will fail. The other approach is to store the payload in the document metadata, the document itself or appended to it.
  • April 24th 2020 at 05:16

SpectX: Log Parser for DFIR, (Tue, Apr 21st)

I hope this finds you all safe, healthy, and sheltered to the best of your ability.
  • April 21st 2020 at 02:29

KPOT AutoIt Script: Analysis, (Mon, Apr 20th)

In diary entry "KPOT Deployed via AutoIt Script" I obtained 3 files:
  • April 20th 2020 at 06:56

KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th)

In diary entry "KPOT Deployed via AutoIt Script" I obtained 3 files:
  • April 19th 2020 at 08:03

Maldoc Falsely Represented as DOCX Invoice Redirecting to Fake Apple Store, (Sat, Apr 18th)

This is a phishing document received today pretending to be an invoice (Word Document) from Apple Support but initial analysis shows it is a PDF document.
  • April 18th 2020 at 18:38
Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th)

Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the COVID19 pandemic. Its purpose is simple: it checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it. The script is available on VT (SHA256: 1f7f0d75fe5dace66ec9b5935d28ba02765527f09f58345c2e33e17ab4c91bd7) and has a low score of 8/60[1].
  • April 17th 2020 at 10:35

Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th)

STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.
  • April 16th 2020 at 21:31

No IOCs? No Problem! Getting a Start Hunting for Malicious Office Files, (Wed, Apr 15th)

Most of us know that macros in Office documents are one of the most common ways to get malware into an organization. Unfortunately, all too many organizations depend on their AV products to detect these macros and the associated malware. It's a sad fact that macros are easy to write, and it's not too tough to evade AV by being smart about how you write a malicious macro.
  • April 15th 2020 at 12:53

Microsoft April 2020 Patch Tuesday, (Tue, Apr 14th)

This month we got patches for 113 vulnerabilities total. According to Microsoft, three of them are being exploited (CVE-2020-1020, CVE-2020-0938 and CVE-2020-0968) and two were previously disclosed (CVE-2020-1020 and CVE-2020-0935).
  • April 14th 2020 at 18:22

Look at the same phishing campaign 3 months apart, (Mon, Apr 13th)

While going through a batch of malicious e-mails, which were caught by my mail filters in March, I noticed a simple phishing e-mail, which carried an entire credential-stealing page in its attachment. This, although interesting in its own way, would not be that unusual[1,2]. While I was analyzing it, however, I found that a nearly identical e-mail message, which was obviously part of the same campaign, was uploaded to Any.Run[3] back in January. Since I had two samples from nearly 3 months apart, I thought it might be interesting to take a look at how much has changed in this phishing campaign over that time.
  • April 13th 2020 at 13:54