FreshRSS

SANS Internet Storm Center, InfoCON: green

Miscellaneous Updates to our "Threatfeed" API, (Mon, Dec 30th)

December 30th 2019 at 01:22
Much of the data offered by us is available via our API [1]. A popular feature of our API is our "threat feeds." We use them to distribute lists of IP addresses and hostnames that you may want to block. In particular, our feeds of mining pool IPs and hosts used by Shodan are popular. This weekend, I added a feed for Onyphe [2]. Onyphe is comparable to Shodan, and I do see a lot of scans from them lately, which is why I added the feed. While I was messing with the API, I also added the ability to retrieve hostnames in addition to IP addresses.

ELK Dashboard for Pihole Logs, (Sun, Dec 29th)

December 29th 2019 at 19:48
In my last Pihole Diary, I shared a Pihole parser to collect its logs and store them in Elastic. In this diary, I'm sharing a dashboard to visualize the Pihole DNS data. Here is some of the output from the dashboard.

Corrupt Office Documents, (Sat, Dec 28th)

December 28th 2019 at 17:38
My tool to analyze CFBF files, oledump.py, is not only used to analyze malicious Office documents.

Enumerating office365 users, (Fri, Dec 27th)

December 27th 2019 at 19:19
I found a pretty strange request in a University Firewall being sent over and over:

Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)

December 26th 2019 at 07:53
First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].

Merry Christmas!, (Wed, Dec 25th)

December 25th 2019 at 22:18
We wish you and your families a merry Christmas!

Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th)

December 25th 2019 at 22:15
The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as:

New oledump.py plugin: plugin_version_vba, (Mon, Dec 23rd)

December 23rd 2019 at 17:43
In diary entry "VBA Office Document: Which Version?", I explain how to identify the Office version that was used to create a document with VBA macros.

Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd)

December 22nd 2019 at 11:01
I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.

Wireshark 3.2.0 Released, (Sat, Dec 21st)

December 21st 2019 at 09:57
Wireshark version 3.2.0 was released, with many improvements.

More DNS over HTTPS: Become One With the Packet. Be the Query. See the Query, (Thu, Dec 19th)

December 19th 2019 at 16:38
Two days ago, I wrote about how to profile traffic to recognize DNS over HTTPS. This is kind of a problem for DNS over HTTPS. If you can see it, you may be able to block it. On Twitter, a few chimed in to provide feedback about recognizing DNS over HTTPS. I checked a couple of other clients, and well, didn't have a ton of time so this is still very preliminary:

Is it Possible to Identify DNS over HTTPs Without Decrypting TLS?, (Tue, Dec 17th)

December 17th 2019 at 03:47
Whenever I talk about DNS over HTTPS (DoH), the question comes up if it is possible to fingerprint DoH traffic without decrypting it. The idea is that something about DoH packets is different enough to identify them.

Malicious .DWG Files?, (Mon, Dec 16th)

December 16th 2019 at 01:21
This weekend, I took a look at AutoCAD drawing files (.dwg) with embedded VBA macros.

VirusTotal Email Submissions, (Sun, Dec 15th)

December 15th 2019 at 12:13
I think it's a good idea to highlight VirusTotal's Email Submission feature, as I recently had to point this out to a couple of people.

(Lazy) Sunday Maldoc Analysis: A Bit More ..., (Sat, Dec 14th)

December 14th 2019 at 20:08
At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document.

Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!, (Fri, Dec 13th)

December 13th 2019 at 07:26
Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use. And even though the numbers are much lower, some servers on the web support SSLv2 to this day as well. And, as it turns out, this is true even when it comes to web servers hosting internet banking portals…

Code & Data Reuse in the Malware Ecosystem, (Thu, Dec 12th)

December 12th 2019 at 07:47
In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting to not reinvent the wheel when somebody already wrote a piece of code that achieves the expected results. From a gain of time perspective, it's a win for the developers who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc... but it's not today's topic. Malware developers are also developers and have the same behavior. Code reuse has been already discussed several times[1]. For example, tools exist to detect cloned or reused code in the IDA disassembler[2][3].

Microsoft December 2019 Patch Tuesday, (Tue, Dec 10th)

December 10th 2019 at 21:51
This month we got patches for 36 vulnerabilities total. From those, seven are rated critical and one is already being exploited according to Microsoft.

(Lazy) Sunday Maldoc Analysis, (Mon, Dec 9th)

December 9th 2019 at 00:08
I received another malicious Word document: with VBA macros and string obfuscation, launching a PowerShell downloader. As classic as they come.

Wireshark 3.0.7 Released, (Sun, Dec 8th)

December 8th 2019 at 09:18
Wireshark version 3.0.7 was released.

Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)

December 7th 2019 at 20:45
I wanted to parse and ingest my Pi-hole DNS logs for a while now in Elasticsearch to be able to analyze them in various ways. I wrote four separate Grok parsers for Logstash to send the logs to an ELK stack. I am now able to view and analyze which domains have been sinkholed by gravity.list or regex.list (custom wildcard lists) and create the necessary dashboards to report on the DNS traffic. This is an example of the output in Discover. In this example, I have filtered out the dns_type: forwarded.
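For the two Pi-hole diaries above (the Logstash parser and the dashboard built on it), here is an added example that is not the diary's own Grok configuration: a Python parser that recognises the same four record kinds (query, forwarded, reply, and a gravity.list or regex.list block) from the dnsmasq-style lines Pi-hole wrote to pihole.log in 2019, tags each with a `dns_type` field as the diary does, and rolls them up into the counts a dashboard would show. The sample lines are constructed; the client addresses, PID and domains are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq format Pi-hole (v4, 2019) writes to /var/log/pihole.log.
# Blocks are logged as "<list path> <domain> is 0.0.0.0"; "cached" lines are deliberately left unparsed.
SAMPLE_LOG = """\
Dec  7 20:45:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.50
Dec  7 20:45:01 dnsmasq[812]: forwarded www.example.com to 9.9.9.9
Dec  7 20:45:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Dec  7 20:45:02 dnsmasq[812]: query[AAAA] ads.example.net from 192.168.1.50
Dec  7 20:45:02 dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is 0.0.0.0
Dec  7 20:45:03 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.77
Dec  7 20:45:03 dnsmasq[812]: /etc/pihole/regex.list tracker.example.org is 0.0.0.0
Dec  7 20:45:04 dnsmasq[812]: cached www.example.com is 93.184.216.34
""".splitlines()

# Syslog-style prefix shared by every line: "Mon DD HH:MM:SS dnsmasq[pid]: "
PREFIX = r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "

# One pattern per record kind, mirroring the four Grok parsers the diary describes.
PATTERNS = {
    "query":     re.compile(PREFIX + r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$"),
    "forwarded": re.compile(PREFIX + r"forwarded (?P<domain>\S+) to (?P<upstream>\S+)$"),
    "reply":     re.compile(PREFIX + r"reply (?P<domain>\S+) is (?P<answer>\S+)$"),
    "blocked":   re.compile(PREFIX + r"/etc/pihole/(?P<list>gravity|regex)\.list (?P<domain>\S+) is (?P<answer>\S+)$"),
}


def parse_line(line):
    """Return a dict of fields plus dns_type, or None for lines no parser claims."""
    line = line.strip()
    for dns_type, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match:
            event = match.groupdict()
            event["dns_type"] = dns_type
            return event
    return None


def summarize(lines):
    """Aggregate parsed events into the kind of counts a DNS dashboard panels on."""
    by_type, blocked_domains, clients = Counter(), Counter(), Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        by_type[event["dns_type"]] += 1
        if event["dns_type"] == "blocked":
            blocked_domains[event["domain"]] += 1
        elif event["dns_type"] == "query":
            clients[event["client"]] += 1
    return {
        "by_type": dict(by_type),
        "top_blocked": blocked_domains.most_common(5),
        "top_clients": clients.most_common(5),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(summarize(SAMPLE_LOG))
```

Keeping `dns_type` as a plain keyword field is what makes the Discover filter in the diary (`dns_type: forwarded`) cheap; the same is true for `list`, which separates gravity hits from regex hits without a second query.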

Phishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)

December 6th 2019 at 06:59
Phishing e-mails which are used to steal credentials usually depend on the user clicking a link which leads to a phishing website that looks like the login page for some valid service. Not all credentials-stealing has to be done using a remote website, however.

E-mail from Agent Tesla, (Thu, Dec 5th)

December 5th 2019 at 07:18
Last Thursday, only a day after Brad wrote a Diary about discovering Agent Tesla sample in Any.Run[1], I found a request for analysis of a suspicious file in my inbox. The file turned out to be the first part of a multi-stage downloader for Agent Tesla and since Brad wrote about what happens after this malware arrives at the target (i.e. data exfiltration using SMTP), I thought that a closer look at what comes before the infection might nicely complete the picture of how the malware operates.

Analysis of a strangely poetic malware, (Wed, Dec 4th)

December 4th 2019 at 07:50
Although given its name, one might expect this diary to be about the Elk Cloner[1], that is not the case. The malware we will take a look at is recent and much simpler, yet still interesting in its own way.

Next up, what's up with TCP port 26?, (Mon, Dec 2nd)

December 2nd 2019 at 19:37
Whenever I sign up for another shift, if I don't already have a diary topic in mind, I take a look at the top 10 ports in the dashboard when I login to isc.sans.edu. For the last few weeks, I've noticed port 26 showing up, so I decided to see if I could figure out what was going on there.

ISC Snapshot: Search with SauronEye, (Fri, Nov 29th)

November 29th 2019 at 03:11
SauronEye is a search tool built to aid red teams in finding files containing specific keywords.

Finding an Agent Tesla malware sample, (Wed, Nov 27th)

November 27th 2019 at 00:29
I was browsing through the Any Run sandbox looking through the public submissions of malware with pcaps of infection traffic from Tuesday 2019-11-26. I found this one, and it's tagged agenttesla. Agent Tesla is an information stealer. Based on the file name, this Agent Tesla malware sample may have been disguised as an installer for Discord.

Lessons learned from playing a willing phish, (Tue, Nov 26th)

November 26th 2019 at 11:07
Replying to phishing e-mails can lead to some interesting experiences (besides falling for the scams they offer, that is). Since it doesn’t require deep technical know-how or any special expertise, it is something I recommend everyone to try out at least once, as it can lead to some funny moments and show us that the phishing trade doesn’t always operate in the way we might expect it to.

My Little DoH Setup, (Mon, Nov 25th)

November 25th 2019 at 08:34
"DoH"[1], this three-letter acronym is a buzzword on the Internet in 2019! It has been implemented in Firefox, and Microsoft announced that Windows will support it soon. There are pros & cons about encrypting DNS requests in HTTPS but it's not the goal of this diary to restart the debate. In a previous diary, he explained how to prevent DoH from being used by Firefox[2] but, this time, I'll play on the other side and explain to you how to implement it in a way that keeps control of your DNS traffic (read: how to keep an eye on DNS requests performed by users and systems). For a while, I had the idea to test a DoH configuration but I had some requirements:

Local Malware Analysis with Malice, (Sat, Nov 23rd)

November 23rd 2019 at 21:53
This project (Malice) provides the ability to have your own locally managed multi-engine malware scanning system. The framework allows the owner to analyze files for known malware. It can be used both as a command-line tool to analyze samples and to review the results via a Kibana web interface. The Command-Line Interface (CLI) is used to scan a file or directory, or can be set up to watch and scan new files when they are copied into a write-only directory.

Abusing Web Filters Misconfiguration for Reconnaissance, (Fri, Nov 22nd)

November 22nd 2019 at 06:34
Yesterday, an interesting incident was detected while working at a customer SOC. They use a "next-generation" firewall that implements a web filter based on categories. This is common in many organizations today: users' web traffic is allowed/denied based on a URL categorization database (like "adult content", "hacking", "gambling", ...). How was it detected?

Gathering information to determine unusual network traffic, (Thu, Nov 21st)

November 21st 2019 at 21:45
When working with threat intelligence, it's vital to collect indicators of compromise to be able to determine possible attack patterns. What could be catalogued as unusual network traffic? This is all traffic that is not normally seen in the network, meaning that after building a frequency table, all IP addresses that show up in less than 1% of the records are suspicious and should be investigated.
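The frequency-table heuristic above, as an added example that is not part of the diary: extract the source address from each firewall log record, count how often each address appears, and return the ones whose share of the total falls under the threshold. The iptables-style log lines are constructed and the address mix (three busy internal hosts plus two addresses that appear a handful of times) is an assumption chosen so that exactly two addresses fall under 1%. The `min_total` guard is an addition of this example: on a small sample a 1% cut-off flags nearly everything, so the function refuses to run on too few records.

```python
import re
from collections import Counter


def make_sample_lines():
    """Constructed iptables-style firewall log: 1000 records from five source addresses."""
    mix = [("10.0.0.5", 600), ("10.0.0.6", 300), ("10.0.0.7", 92),
           ("203.0.113.9", 5), ("198.51.100.23", 3)]
    lines = []
    for ip, count in mix:
        for i in range(count):
            lines.append(f"kernel: IN=eth0 OUT= SRC={ip} DST=192.0.2.10 "
                         f"PROTO=TCP SPT={40000 + i} DPT=443")
    return lines


# Matches the SRC=/DST= key-value pairs that iptables LOG lines carry.
FIELD = re.compile(r"\b(?P<key>SRC|DST)=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def extract(lines, key="SRC"):
    """Yield the address in the requested field of each line that carries one."""
    for line in lines:
        for match in FIELD.finditer(line):
            if match.group("key") == key:
                yield match.group("ip")


def frequency_table(values):
    """Return [(ip, count, share)] sorted from most to least frequent."""
    counts = Counter(values)
    total = sum(counts.values())
    return [(ip, n, n / total) for ip, n in counts.most_common()]


def rare_addresses(values, threshold=0.01, min_total=200):
    """Addresses whose share of all records is below threshold (the diary's 1% rule).

    min_total is this example's own guard: with too few records every address is
    'rare', so the rule only makes sense over a reasonably sized window.
    """
    table = frequency_table(values)
    total = sum(n for _, n, _ in table)
    if total < min_total:
        raise ValueError(f"only {total} records; need at least {min_total} for a {threshold:.0%} cut-off")
    return [(ip, n, share) for ip, n, share in table if share < threshold]


if __name__ == "__main__":
    lines = make_sample_lines()
    for ip, n, share in frequency_table(extract(lines)):
        print(f"{ip:16} {n:5d} {share:6.1%}")
    print("investigate:", rare_addresses(extract(lines)))
```

Rarity is a triage signal, not a verdict: a backup host that connects once a night will also land under 1%, so the resulting list is a queue of addresses to enrich (reverse DNS, asset inventory, threat feeds) rather than a block list.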