SANS Internet Storm Center, InfoCON: green

Finding an Agent Tesla malware sample, (Wed, Nov 27th)

November 27th 2019 at 00:29
I was browsing through the Any Run sandbox looking through the public submissions of malware with pcaps of infection traffic from Tuesday 2019-11-26.  I found this one, and it's tagged agenttesla.  Agent Tesla is an information stealer.  Based on the file name, this Agent Tesla malware sample may have been disguised as an installer for Discord.

Lessons learned from playing a willing phish, (Tue, Nov 26th)

November 26th 2019 at 11:07
Replying to phishing e-mails can lead to some interesting experiences (besides falling for the scams they offer, that is). Since it doesn’t require deep technical know-how or any special expertise, it is something I recommend everyone try out at least once, as it can lead to some funny moments and show us that the phishing trade doesn’t always operate in the way we might expect it to.

My Little DoH Setup, (Mon, Nov 25th)

November 25th 2019 at 08:34
"DoH"[1], this 3-letter acronym is a buzzword on the Internet in 2019! It has been implemented in Firefox, and Microsoft announced that Windows will support it soon. There are pros and cons about encrypting DNS requests in HTTPS, but it's not the goal of this diary to restart the debate. In a previous diary, he explained how to prevent DoH from being used by Firefox[2] but, this time, I'll play on the other side and explain to you how to implement it in a way that keeps control of your DNS traffic (read: how to keep an eye on DNS requests performed by users and systems). For a while, I had the idea to test a DoH configuration but I had some requirements:

Local Malware Analysis with Malice, (Sat, Nov 23rd)

November 23rd 2019 at 21:53
This project (Malice) provides the ability to have your own locally managed multi-engine malware scanning system. The framework allows the owner to analyze files for known malware. It can be used as a command-line tool to analyze samples, and the results can be reviewed via a Kibana web interface. The Command-Line Interface (CLI) is used to scan a file or directory, or can be set up to watch and scan new files when they are copied into a write-only directory.

Abusing Web Filters Misconfiguration for Reconnaissance, (Fri, Nov 22nd)

November 22nd 2019 at 06:34
Yesterday, an interesting incident was detected while working at a customer SOC. They use a “next-generation” firewall that implements a web filter based on categories. This is common in many organizations today: users' web traffic is allowed/denied based on a URL categorization database (with categories like “adult content”, “hacking”, “gambling”, …). How was it detected?

Gathering information to determine unusual network traffic, (Thu, Nov 21st)

November 21st 2019 at 21:45
When working with threat intelligence, it's vital to collect indicators of compromise to be able to determine possible attack patterns. What could be catalogued as unusual network traffic? This is all traffic that is not normally seen in the network, meaning that after building a frequency table, all IP addresses that show up less than 1% of the time are suspicious and should be investigated.

Cheap Chinese JAWS of DVR Exploitability on Port 60001, (Tue, Nov 19th)

November 19th 2019 at 17:58
Looking at some local IP addresses in our database during class this week, I came across a host scanning exclusively for port 60001. Interestingly, we did see a marked increase in scans for this port in recent weeks.

SMS and 2FA: Another Reason to Move away from It., (Mon, Nov 18th)

November 18th 2019 at 04:55
Developing applications around SMS has become very popular, with several companies offering simple-to-use APIs and attractive pricing to send and receive SMS. One security-related application of these SMS APIs (for the right or wrong reasons) has been simple two-factor authentication. This time, I don't want to talk so much about the security reasons not to use SMS to authenticate to critical systems, but about some of the technical changes that are happening with SMS in the US and Canada.

Some packet-fu with Zeek (previously known as bro), (Mon, Nov 11th)

November 14th 2019 at 19:42
During an incident response process, one of the fundamental variables to consider is speed. If a network capture is being made in which we can presumably find evidence of who is causing an incident and how, every second counts in order to anticipate the attacker in the cyber kill chain sequence.

November 2019 Microsoft Patch Tuesday, (Tue, Nov 12th)

November 12th 2019 at 18:23
Microsoft today patched a total of 74 vulnerabilities. This patch Tuesday release also includes two advisories. 15 of the vulnerabilities are rated critical.

Are We Going Back to TheMoon (and How is Liquor Involved)?, (Mon, Nov 11th)

November 11th 2019 at 19:24
Earlier today, we received an email from an analyst for a large corporation. He asked:

Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?, (Sun, Nov 10th)

November 10th 2019 at 10:53
After news of "mass exploitation" of a specific vulnerability hits mainstream media, even organizations that don’t have a formal (or any) patch management process in place usually start to smell the ashes and try to quickly apply the relevant patches. Since media coverage of the recent BlueKeep campaign was quite extensive, I wondered whether the number of vulnerable machines would start diminishing significantly as a result.

Fake Netflix Update Request by Text, (Sat, Nov 9th)

November 9th 2019 at 16:36
In the past week, I have received texts asking to update my Netflix account information. It is obvious the URL listed in the text isn't Netflix. The text looks like this:

Microsoft Apps Diverted from Their Main Use, (Fri, Nov 8th)

November 8th 2019 at 07:02
This week, CERT.eu[1] organized its yearly conference in Brussels. Among many interesting presentations, one of them covered what they called the "cat’n’mouse" game that Blue and Red teams are playing continuously. When the Blue team has detected an attack technique, they write a rule or implement a new control to detect or block it. Then, the Red team has to find an alternative attack path, and so on… A classic example is the detection of malicious activity via parent/child process relations. It’s quite common to implement the following simple rule (in Sigma[2] format):

Getting the best value out of security assessments, (Thu, Nov 7th)

November 7th 2019 at 10:16
Since my day job is all about hacking, I get a lot of questions (and there appears to be a lot of confusion) about what a vulnerability scan, penetration test or red team assessment is.

Bluekeep exploitation causing Bluekeep vulnerability scan to fail, (Tue, Nov 5th)

November 5th 2019 at 02:06
I woke up this morning to the long anticipated news that Bluekeep exploitation is happening in the wild.  As some of you may recall, back in August I wrote a diary demonstrating a way to scan for Bluekeep vulnerable devices.  So the next thing I did was check my Bluekeep scan results and was presented with this graph.

rConfig Install Directory Remote Code Execution Vulnerability Exploited, (Mon, Nov 4th)

November 4th 2019 at 04:27
Last week, Askar from Shells.Systems published two remote code execution (RCE) vulnerabilities in rConfig [1]. The blog post included details about these vulnerabilities and proof of concept code. Both vulnerabilities are trivially exploited by adding shell commands to specific URLs, and one of the vulnerabilities does not require authentication.

You Too? "Unusual Activity with Double Base64 Encoding", (Sun, Nov 3rd)

November 3rd 2019 at 22:09
Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.

Remark on EML Attachments, (Sat, Nov 2nd)

November 2nd 2019 at 11:33
Jan Kopriva's interesting diary entry "EML attachments in O365 - a recipe for phishing" reminded me of another use of EML files for malicious purposes.

Tip: Password Managers and 2FA, (Fri, Nov 1st)

November 1st 2019 at 18:24
I guess many of you use a password manager.

EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st)

October 31st 2019 at 10:12
I’ve recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful.

Keep an Eye on Remote Access to Mailboxes, (Wed, Oct 30th)

October 30th 2019 at 09:13
BEC, or "Business Email Compromise", has been a trending threat for a while. The idea is simple: a corporate mailbox (usually from a C-level member) is compromised to send legitimate-looking emails to other employees or partners. That's the very first step of a fraud that could have huge impacts.

Generating PCAP Files from YAML, (Tue, Oct 29th)

October 29th 2019 at 07:00
The PCAP[1] file format is everywhere. Many applications generate PCAP files based on information collected on the network. Then, they can be used as evidence, as another data source for investigations and much more. There exist plenty of tools[2] to work with PCAP files. Common operations are to anonymize captured traffic and replay it against another tool for testing purposes (demos, lab, PoC).

Using scdbg to Find Shellcode, (Sun, Oct 27th)

October 28th 2019 at 07:02
I've written a couple of diary entries about scdbg, a Windows 32-bit shellcode emulator.

Unusual Activity with Double Base64 Encoding, (Sun, Oct 27th)

October 27th 2019 at 12:59
This week I found this traffic in my honeypot. My first impression was that it didn't look that unusual, since Base64 encoding is used quite a bit to encode traffic to a web server. Using CyberChef, I decoded the Base64 portion to see what it was all about, only to find out it was further encoded in Base64. Decoding the second Base64 revealed two IP addresses in it.

Wireshark 3.0.6 Released, (Sun, Oct 27th)

October 27th 2019 at 09:19
Wireshark version 3.0.6 was released.

VMware Patch Alert!, (Fri, Oct 25th)

October 25th 2019 at 16:16
Update Alert!  Patches are out for VMware VCSA (information disclosure in backups and restore) https://www.vmware.com/security/advisories/VMSA-2019-0018.html

More on DNS Archeology (with PowerShell), (Fri, Oct 25th)

October 25th 2019 at 15:13
A while back I posted a "part 1" story on DNS and DHCP recon ( https://isc.sans.edu/diary/DNS+and+DHCP+Recon+using+Powershell/20995 ) and recent events have given me some more to share on the topic.

Your Supply Chain Doesn't End At Receiving: How Do You Decommission Network Equipment?, (Thu, Oct 24th)

October 24th 2019 at 05:53
Trying to experiment with cutting edge security tools, without breaking the bank, often leads me to used equipment on eBay. High-end enterprise equipment is usually available at a bargain-basement price. For experiments or use in a home/lab network, I am willing to take the risk to receive the occasional "dud," and I usually can do without the support and other perks that come with equipment purchased full price.

Testing TLSv1.3 and supported ciphers, (Tue, Oct 22nd)

October 22nd 2019 at 19:36
A few months ago I posted a series of (well, actually two) diaries about testing SSL/TLS configuration – if you missed them, the diaries are available here and here.

What's up with TCP 853 (DNS over TLS)?, (Mon, Oct 21st)

October 21st 2019 at 18:20
I was looking at some of our data late last week and noticed an increase in probes on tcp port 853. For those of you who aren't aware, tcp port 853 is assigned to DNS over TLS as defined in RFC 7858. DNS over TLS (or DoT) was defined in 2016 as a way of hiding the contents of DNS requests from prying eyes on the network, since DNS normally occurs in the clear over port 53. Of course, over the last few months all of the discussion has actually been about an alternative to DoT, DNS over HTTPS (or DoH) defined in RFC 8484, since the major web browser vendors (Google and Mozilla) have announced that they are or will be supporting DoH within the browser in the near future. For the moment, I'll stay out of the debate about the merits of DoT vs. DoH. But, back to this story, since I noticed the increase on port 853, let's discuss DoT. Because DoT requires setting up a TLS connection, it was defined as a TCP protocol (where DNS was primarily UDP). There was a subsequent RFC 8094 which defined DNS over DTLS, which moved this back to UDP but obviously required more traffic to set up the initial TLS encryption, though once established it could then potentially be pretty efficient. I had actually set up DoT on my home (bind9) DNS server just a few weeks ago using stunnel as described in the docs from isc.org, to do some testing, so seeing this increase got my attention (though I hadn't actually opened 853 to the internet, just to my internal network). I haven't set up a netcat listener or honeypot to capture the traffic, but you can see that while there were a couple of brief spikes in the number of targets late last year and then a ramping up starting around the beginning of September, the big jump including new scanners has just ramped up since the beginning of Oct. This first graph is 365 days.