SANS Internet Storm Center, InfoCON: green


Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th)

In yesterday's diary, we took a look at two methods that allow capturing network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights".
  • June 18th 2021 at 00:28


Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th)

The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before (Forensicating Azure VMs) how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straightforward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts.
  • June 17th 2021 at 14:40


Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.
  • May 30th 2021 at 16:48


Video: Finding Metasploit & Cobalt Strike URLs, (Sun, Mar 21st)

I have a couple of questions on my diary entry "Finding Metasploit & Cobalt Strike URLs", thus I made a video that shows the method and explains in detail the checksum calculation.
  • March 21st 2021 at 00:03


Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th)

Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consists of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.
  • March 15th 2021 at 21:48


Video: tshark & Malware Analysis, (Sun, Feb 14th)

In this video, I show the commands I used in diary entry "Quickie: tshark & Malware Analysis" to analyze shellcode from a pcapng file, and I also show some basic options and features of tshark, the command-line version of Wireshark.
  • February 14th 2021 at 18:08


Quickie: tshark & Malware Analysis, (Mon, Feb 8th)

The following screenshot drew my attention when I read Brad's diary entry "Excel spreadsheets push SystemBC malware":
  • February 8th 2021 at 19:08


Abusing Google Chrome extension syncing for data exfiltration and C&C, (Thu, Feb 4th)

I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. Some of the methods observed in analyzed code were pretty scary – from a defender’s point of view, as you will see further below in this diary.
  • February 4th 2021 at 10:04


Video: Doc & RTF Malicious Document, (Sun, Jan 24th)

I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files.
  • January 24th 2021 at 15:05


Doc & RTF Malicious Document, (Mon, Jan 18th)

A reader pointed us to a malicious Word document.
  • January 18th 2021 at 06:48


Quickie: String Analysis & Maldocs, (Fri, Dec 25th)

Yesterday, Xavier showed how to start analyzing a malicious Word document with my oledump.py tool.
  • December 25th 2020 at 20:28


Managing Remote Access for Partners & Contractors, (Tue, Sep 29th)

Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced[1]. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some review.
  • September 29th 2020 at 11:00


A Mix of Python & VBA in a Malicious Word Document, (Fri, Sep 18th)

A few days ago, Didier wrote an interesting diary about embedded objects into an Office document[1]. I had a discussion about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let's have a look at the document.
  • September 18th 2020 at 05:43


Python Developers: Prepare!!!, (Thu, Jul 30th)

I know... tried it several times... growing up is hard. So instead, you decided to become a "Red Teamer" (aka Pentesters...). You got the hoodie, and you acquired a taste for highly caffeinated energy drinks. Now the only thing left: Learning to write a script. So like all the other "kids," you learn Python and start writing and publishing tools (Yes... all the world needed was DNS covert channel tool #32773... you realize you could have written that as a bash oneliner?).
  • July 30th 2020 at 15:54


Simple Blocklisting with MISP & pfSense , (Thu, Jul 23rd)

Here is an example of a simple but effective blocklist system that I'm using on my pfSense firewalls. pfSense is a very modular firewall that can be expanded with many packages. About blocklists, there is a well-known one called pfBlocklist. Personally, I prefer to avoid installing extra packages on my firewalls because it increases the risk to face potential problems while upgrading (pfSense recommends to disable them before any upgrade). Some packages might also be developed by 3rd parties that have a light security mindset and, therefore, introduce bugs in a core element of the infrastructure.
  • July 23rd 2020 at 14:36


tcp-honeypot.py Logstash Parser & Dashboard Update, (Sun, Jun 28th)

This is an update for the logstash parser and dashboard published in January for Didier's tcp-honeypot.py honeypot script. The parser has been updated to follow the Elastic Common Schema (ECS) format, parsing more information from the honeypot logs that include revised and additional dashboards.
  • June 28th 2020 at 11:54


Antivirus & Multiple Detections, (Sun, May 17th)

"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?".
  • May 17th 2020 at 21:08


Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP), (Sat, May 16th)

These past two weeks my honeypot captured several probes for this URL /owa/auth/logon.aspx?url=https://1/ecp/ looking for the Exchange Control Panel. In the February 2020 patch Tuesday, Microsoft released a patch for ECP (CVE-2020-0688) for a remote code execution vulnerability affecting Microsoft Exchange server. Zero Day Initiative provided more details for this vulnerability here. Using CyberChef URL Decode, this is the output of the scan:
  • May 16th 2020 at 20:54


ZIP & AES, (Sun, May 3rd)

A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service where you can download malware samples).
  • May 3rd 2020 at 11:10


Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th)

Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur in those days, it is related to the COVID19 pandemic. Its purpose is simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it. The script is available on VT (SHA256: 1f7f0d75fe5dace66ec9b5935d28ba02765527f09f58345c2e33e17ab4c91bd7) and has a low score of 8/60[1].
  • April 17th 2020 at 10:35


Honeypot - Scanning and Targeting Devices & Services, (Sat, Mar 21st)

I was curious this week to see if my honeypot traffic would increase since a large portion of the world is working from home. Reviewing my honeypot logs, I decided to check what type of filename was mostly targeted (GET/POST/HEAD) by scanners this past week on any web supported ports (i.e. 80, 81, 8000, etc). This first graph shows overall activity for the past 7 days.
  • March 21st 2020 at 20:28


Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript , (Fri, Feb 7th)

I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script is a dropper: it extracts from its code a DLL that will be loaded if the script is running outside of a sandbox. Its current VT score is 25/57 (SHA256: 29d3955048f21411a869d87fb8dc2b22ff6b6609dd2d95b7ae8d269da7c8cc3d)[1].
  • February 7th 2020 at 07:40


Video: Stego & Cryptominers, (Sun, Feb 2nd)

A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).
  • February 2nd 2020 at 13:27


Code & Data Reuse in the Malware Ecosystem, (Thu, Dec 12th)

In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting to not reinvent the wheel when somebody already wrote a piece of code that achieves the expected results. From a gain of time perspective, it's a win for the developers who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc... but it's not today's topic. Malware developers are also developers and have the same behavior. Code reuse has been already discussed several times[1]. For example, tools exist to detect cloned or reused code in the IDA disassembler[2][3].
  • December 12th 2019 at 07:47


Maldoc, PowerShell & BITS, (Mon, Sep 30th)

The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.
  • September 30th 2019 at 18:36