SANS Internet Storm Center, InfoCON: green

AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd)

Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel documents can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques to compromise a computer, especially because Microsoft implemented macros that are executed automatically when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this kind of macro. Really? Not in the same way as Word and Excel do!
  • May 23rd 2020 at 06:16

Some Strings to Remember, (Fri, May 22nd)

When you handle unknown files, be it for malware analysis or other reasons, it helps to know some strings / hexadecimal sequences to quickly recognize file types and file content.
  • May 22nd 2020 at 13:46

Malware Triage with FLOSS: API Calls Based Behavior, (Thu, May 21st)

Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using FAME[1] which means “FAME Automates Malware Evaluation”. This framework is very nice due to the architecture based on plugins that you can enable upon your needs. Here is an overview of my configuration:
  • May 21st 2020 at 06:04

Wireshark Release - 2.6.17, 3.0.11 and 3.2.4 - https://www.wireshark.org/news/20200519.html, (Tue, May 19th)

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
  • May 19th 2020 at 22:15

What is up on Port 62234?, (Tue, May 19th)

Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity. Well, today's data has revealed a confounding one. Port 62234, which traditionally has zero or near zero sources attempting to access it, suddenly has hundreds of sources.
  • May 19th 2020 at 14:56

Cisco Advisories for FTD, ASA, Firepower 1000, (Tue, May 19th)

Cisco has released a number of advisories for Firepower and Adaptive Security Appliance (ASA). 
  • May 19th 2020 at 14:25

Automating nmap scans, (Mon, May 18th)

With last week’s diary I left you with using a relatively basic nmap command to perform a relatively thorough scan of an IP range. That command was:
  • May 18th 2020 at 20:40


Antivirus & Multiple Detections, (Sun, May 17th)

"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?".
  • May 17th 2020 at 21:08


Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP), (Sat, May 16th)

These past two weeks my honeypot captured several probes for this URL /owa/auth/logon.aspx?url=https://1/ecp/ looking for the Exchange Control Panel. In the February 2020 Patch Tuesday, Microsoft released a patch for ECP (CVE-2020-0688) for a remote code execution vulnerability affecting Microsoft Exchange server. Zero Day Initiative provided more details for this vulnerability here. Using CyberChef URL Decode, this is the output of the scan:
  • May 16th 2020 at 20:54

SHA3 Hashes (on Windows) - Where Art Thou?, (Fri, May 15th)

No sooner had I posted on doing file and string hashes in PowerShell, when I (again) got asked by Jim - "What about SHA3? Shouldn't we be using Quantum Safe algorithms if we have them?"
  • May 15th 2020 at 19:51

Hashes in PowerShell, (Fri, May 15th)

As a follow-up to yesterday's how-to, I thought hashing might be a thing to cover. We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the Windows command set - or are they? Yup, it turns out that they most definitely are part of PowerShell:
  • May 15th 2020 at 14:18

Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe, (Thu, May 14th)

Looking at our Patch Tuesday list, I looked a bit closer at CVE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft's ratings for that one. Microsoft rated this as:
  • May 14th 2020 at 14:36

Base Conversions and Creating GUI Apps in PowerShell, (Thu, May 14th)

I don't know about you, but I find myself doing conversions from decimal to hex and binary several times per day.  For me, working out binary equivalents of decimal numbers is something I do all the time to verify subnet masks, network and broadcast addresses - also in answering "is this IP in the same subnet or in an adjacent network?"  Conversions of the same type crop up all the time in decoding constructs in packets.  Wireshark and Burp will both often anticipate what you want to do on this score, but not always.
  • May 14th 2020 at 13:50

Microsoft May 2020 Patch Tuesday, (Tue, May 12th)

This month we got an average Patch Tuesday with patches for 111 vulnerabilities total. Sixteen of them are critical and, according to Microsoft, none of them was previously disclosed or is being exploited.
  • May 12th 2020 at 17:43

Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)

Malicious Excel 4 macro documents are becoming more prevalent. They are so obfuscated now that analysis requires calculating many formulas.
  • May 11th 2020 at 19:58

Nmap Basics - The Security Practitioner's Swiss Army Knife, (Sat, May 9th)

To elaborate on Xavier's and Bojan's excellent nmap diaries over the last few days, I thought that today might be a good day to go back to basics on nmap and demonstrate why nmap really is a security practitioner’s swiss army knife and should be in each of our testing toolkits.
  • May 9th 2020 at 20:10

VMWare vRealize Critical vulnerabilities due to SaltStack - VMSA-2020-0009, (Sat, May 9th)

VMWare has announced two vulnerabilities in their vRealize product related to their integration of the popular open source server management software SaltStack, for which vulnerabilities were disclosed by F-Secure late last week.
  • May 9th 2020 at 14:05

Using Nmap As a Lightweight Vulnerability Scanner, (Fri, May 8th)

Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan's diary, it reminded me of an old article[2] that I wrote on my blog a long time ago. The idea was to use Nmap as a lightweight vulnerability scanner. Nmap has a scan type that tries to determine the service/version information running behind an open port (enabled with the '-sV' flag). Based on this information, the script looks for interesting CVEs in a flat database. Unfortunately, the script was developed by a third-party developer and was never integrated into the official list of scripts.
  • May 8th 2020 at 05:57

Scanning with nmap's NSE scripts, (Thu, May 7th)

If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning – it’s a port scanner, and that’s what it should be used for. Boy was I wrong.
  • May 7th 2020 at 09:06

Keeping an Eye on Malicious Files Life Time, (Wed, May 6th)

We know that today's malware campaigns are based on fresh files. Each piece of malware has a unique hash and it makes the detection based on lists of hashes not very useful these days. But can we spot some malicious files coming on stage regularly or, suddenly, just popping up from nowhere?
  • May 6th 2020 at 06:13

Cloud Security Features Don't Replace the Need for Personnel Security Capabilities, (Tue, May 5th)

We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We'd certainly like to open this up to reader comments, insights, and feedback. 
  • May 5th 2020 at 02:44

Sysmon and File Deletion, (Mon, May 4th)

A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).
  • May 4th 2020 at 22:17


ZIP & AES, (Sun, May 3rd)

A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service where you can download malware samples).
  • May 3rd 2020 at 11:10

Phishing PDF with Unusual Hostname, (Sat, May 2nd)

Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information:
  • May 2nd 2020 at 20:44

Attack traffic on TCP port 9673, (Fri, May 1st)

I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant, the botnets are attacking the same ports. What I find more interesting is anomalous behavior. Changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn't familiar with.
  • May 1st 2020 at 00:42

Collecting IOCs from IMAP Folder, (Thu, Apr 30th)

I have plenty of subscriptions to "cyber security" mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that's a fact: email remains a key communication channel. Some mailing list posts contain interesting indicators of compromise. So, I searched for a nice way to extract them in an automated way (and to correlate them with other data). I did not find a ready-to-use solution that matched my requirements:
  • April 30th 2020 at 05:41

Privacy Preserving Protocols to Trace Covid19 Exposure, (Wed, Apr 29th)

In recent weeks, you probably heard a lot about the "Covid19 Tracing Apps" that Google, Apple, and others are working on. These news reports usually mention the privacy aspects of such an app, but of course, don't cover the protocols in sufficient depth to address how the privacy challenges are being solved.
  • April 29th 2020 at 12:40

Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)

While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.
  • April 28th 2020 at 06:44

Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)

An interesting obfuscation technique to store a malicious payload in a PowerShell script: In a PSCredential object!
  • April 27th 2020 at 06:44

Video: Malformed .docm File, (Sun, Apr 26th)

In diary entry "Obfuscated with a Simple 0x0A", Xavier discovers that a .docm file is a malformed ZIP file.
  • April 26th 2020 at 08:27

MALWARE Bazaar, (Sat, Apr 25th)

When we publish diary entries covering malware, we almost always share the hash of the malware sample.
  • April 25th 2020 at 15:30

Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th)

For a few weeks, we have seen a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victim’s computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem, in this case, is that it generates more noise via new network flows and the attack depends on the reactivity of the other party to clean up the malicious content. If this happens, the macro won’t be able to fetch the data and the infection will fail. The other approach is to store the payload in the document metadata, in the document itself or appended to it.
  • April 24th 2020 at 05:16