FreshRSS

SANS Internet Storm Center, InfoCON: green

Hashes in PowerShell, (Fri, May 15th)

May 15th 2020 at 14:18
As a follow-up to yesterday's how-to, I thought hashing might be a thing to cover. We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the Windows command set - or are they? Yup, it turns out that they most definitely are part of PowerShell:

Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe, (Thu, May 14th)

May 14th 2020 at 14:36
Looking at our Patch Tuesday list, I looked a bit closer at CVE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft's ratings for that one. Microsoft rated this as:

Base Conversions and Creating GUI Apps in PowerShell, (Thu, May 14th)

May 14th 2020 at 13:50
I don't know about you, but I find myself doing conversions from decimal to hex and binary several times per day. For me, working out binary equivalents of decimal numbers is something I do all the time to verify subnet masks, network and broadcast addresses - also in answering "is this IP in the same subnet or in an adjacent network?" Conversions of the same type crop up all the time in decoding constructs in packets. Wireshark and Burp will both often anticipate what you want to do on this score, but not always.

Microsoft May 2020 Patch Tuesday, (Tue, May 12th)

May 12th 2020 at 17:43
This month we got an average Patch Tuesday with patches for 111 vulnerabilities total. Sixteen of them are critical and, according to Microsoft, none of them was previously disclosed or are being exploited.

Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)

May 11th 2020 at 19:58
Malicious Excel 4 macro documents are becoming more prevalent. They are so obfuscated now that analysis requires the calculation of many formulas.

Nmap Basics - The Security Practitioner's Swiss Army Knife, (Sat, May 9th)

May 9th 2020 at 20:10
To elaborate on Xavier's and Bojan's excellent nmap diaries over the last few days, I thought that today might be a good day to go back to basics on nmap and demonstrate why nmap really is a security practitioner's Swiss Army knife and should be in each of our testing toolkits.

VMWare vRealize Critical vulnerabilities due to SaltStack - VMSA-2020-0009, (Sat, May 9th)

May 9th 2020 at 14:05
VMWare has announced two vulnerabilities in their vRealize product related to their integration of the popular open source server management software SaltStack, for which vulnerabilities were disclosed by F-Secure late last week.

Using Nmap As a Lightweight Vulnerability Scanner, (Fri, May 8th)

May 8th 2020 at 05:57
Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan's diary, it reminded me of an old article[2] that I wrote on my blog a long time ago. The idea was to use Nmap as a lightweight vulnerability scanner. Nmap has a scan type that tries to determine the service/version information running behind an open port (enabled with the '-sV' flag). Based on this information, the script looks for interesting CVEs in a flat database. Unfortunately, the script was developed by a third-party developer and was never integrated into the official list of scripts.

Scanning with nmap's NSE scripts, (Thu, May 7th)

May 7th 2020 at 09:06
If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning – it’s a port scanner, and that’s what it should be used for. Boy was I wrong.

Keeping an Eye on Malicious Files Life Time, (Wed, May 6th)

May 6th 2020 at 06:13
We know that today's malware campaigns are based on fresh files. Each piece of malware has a unique hash, which makes detection based on lists of hashes not very useful these days. But can we spot some malicious files coming on stage regularly or, suddenly, just popping up from nowhere?

Cloud Security Features Don't Replace the Need for Personnel Security Capabilities, (Tue, May 5th)

May 5th 2020 at 02:44
We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We'd certainly like to open this up to reader comments, insights, and feedback.

Sysmon and File Deletion, (Mon, May 4th)

May 4th 2020 at 22:17
A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).

ZIP & AES, (Sun, May 3rd)

May 3rd 2020 at 11:10
A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service where you can download malware samples).

Phishing PDF with Unusual Hostname, (Sat, May 2nd)

May 2nd 2020 at 20:44
Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information:

Attack traffic on TCP port 9673, (Fri, May 1st)

May 1st 2020 at 00:42
I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant, the botnets are attacking the same ports. What I find more interesting is anomalous behavior. Changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn't familiar with.

Collecting IOCs from IMAP Folder, (Thu, Apr 30th)

April 30th 2020 at 05:41
I've plenty of subscriptions to "cyber security" mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that's a fact: email remains a key communication channel. Some mailing list posts contain interesting indicators of compromise. So, I searched for a nice way to extract them in an automated way (and to correlate them with other data). I did not find a ready-to-use solution that matched my requirements:

Privacy Preserving Protocols to Trace Covid19 Exposure, (Wed, Apr 29th)

April 29th 2020 at 12:40
In recent weeks, you probably heard a lot about the "Covid19 Tracing Apps" that Google, Apple, and others. These news reports usually mention the privacy aspects of such an app, but of course, don't cover the protocols in sufficient depth to address how the privacy challenges are being solved.

Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)

April 28th 2020 at 06:44
While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.

Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)

April 27th 2020 at 06:44
An interesting obfuscation technique to store a malicious payload in a PowerShell script: In a PSCredential object!

Video: Malformed .docm File, (Sun, Apr 26th)

April 26th 2020 at 08:27
In diary entry "Obfuscated with a Simple 0x0A", Xavier discovers that a .docm file is a malformed ZIP file.

MALWARE Bazaar, (Sat, Apr 25th)

April 25th 2020 at 15:30
When we publish diary entries covering malware, we almost always share the hash of the malware sample.

Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th)

April 24th 2020 at 05:16
For a few weeks, we have seen a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victim's computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem, in this case, is that it generates more noise via new network flows and the attack depends on the reactivity of the other party to clean up the malicious content. If this happens, the macro won't be able to fetch the data and the infection will fail. The other approach is to store the payload in the document metadata, in the document itself or appended to it.

SpectX: Log Parser for DFIR, (Tue, Apr 21st)

April 21st 2020 at 02:29
I hope this finds you all safe, healthy, and sheltered to the best of your ability.

KPOT AutoIt Script: Analysis, (Mon, Apr 20th)

April 20th 2020 at 06:56
In diary entry "KPOT Deployed via AutoIt Script" I obtained 3 files:

KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th)

April 19th 2020 at 08:03
In diary entry "KPOT Deployed via AutoIt Script" I obtained 3 files:

Maldoc Falsely Represented as DOCX Invoice Redirecting to Fake Apple Store, (Sat, Apr 18th)

April 18th 2020 at 18:38
This is a phishing document received today pretending to be an invoice (Word document) from Apple Support, but initial analysis shows it is a PDF document.

Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th)

April 17th 2020 at 10:35
Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the COVID19 pandemic. Its purpose is simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it. The script is available on VT (SHA256: 1f7f0d75fe5dace66ec9b5935d28ba02765527f09f58345c2e33e17ab4c91bd7) and has a low score of 8/60[1].

Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th)

April 16th 2020 at 21:31
STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.

No IOCs? No Problem! Getting a Start Hunting for Malicious Office Files, (Wed, Apr 15th)

April 15th 2020 at 12:53
Most of us know that macros in Office documents are one of the most common ways to get malware into an organization. Unfortunately, all too many organizations depend on their AV products to detect these macros and the associated malware. It's a sad fact that macros are easy to write, and it's not too tough to evade AV by being smart about how you write a malicious macro.

Microsoft April 2020 Patch Tuesday, (Tue, Apr 14th)

April 14th 2020 at 18:22
This month we got patches for 113 vulnerabilities total. According to Microsoft, three of them are being exploited (CVE-2020-1020, CVE-2020-0938 and CVE-2020-0968) and two were previously disclosed (CVE-2020-1020 and CVE-2020-0935).

Look at the same phishing campaign 3 months apart, (Mon, Apr 13th)

April 13th 2020 at 13:54
While going through a batch of malicious e-mails, which were caught by my mail filters in March, I noticed a simple phishing e-mail, which carried an entire credential-stealing page in its attachment. This, although interesting in its own way, would not be that unusual[1,2]. While I was analyzing it, however, I found that a nearly identical e-mail message, which was obviously part of the same campaign, was uploaded to Any.Run[3] back in January. Since I had two samples from nearly 3 months apart, I thought it might be interesting to take a look at how much has changed in this phishing campaign over that time.