FreshRSS

🔒
△ 🔃
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Seriously, SHA3 where art thou?, (Tue, May 26th)

May 26th 2020 at 19:18
A couple weeks ago, Rob wrote a couple of nice diaries. In our private handlers slack channel I was joking after the first one about whether he was going to rewrite CyberChef in PowerShell. After the second I asked what about SHA3? So, he wrote another one (your welcome for the diary ideas, Rob). I was only half joking.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Zloader Maldoc Analysis With xlm-deobfuscator, (Sun, May 24th)

May 25th 2020 at 07:09
Reader Roland submitted a malicious Zloader Excel 4 macro spreadsheet (MD5 82c12e7fe6cabf5edc0bdaa760b4b8c8).
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Wireshark 3.2.4 Released, (Sun, May 24th)

May 24th 2020 at 18:07
Wireshark version 3.2.4 was released.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd)

May 23rd 2020 at 06:16
Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel are documents that can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques to compromise a computer. Especially because Microsoft implemented automatically executed macros when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this kind of macro. Really? Not in the same way as Word and Excel do!
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Some Strings to Remember, (Fri, May 22nd)

May 22nd 2020 at 13:46
When you handle unknown files, be it for malware analysis or other reasons, it helps to know some strings / hexadecimal sequences to quickly recognize file types and file content.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Malware Triage with FLOSS: API Calls Based Behavior, (Thu, May 21st)

May 21st 2020 at 06:04
Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using FAME[1] which means “FAME Automates Malware Evaluation”. This framework is very nice due to the architecture based on plugins that you can enable upon your needs. Here is an overview of my configuration:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

VMWare Security Advisory - VMSA-2020-0010 - https://www.vmware.com/security/advisories/VMSA-2020-0010.html, (Tue, May 19th)

May 19th 2020 at 22:17
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Wireshark Release - 2.6.17, 3.0.11 and 3.2.4 - https://www.wireshark.org/news/20200519.html, (Tue, May 19th)

May 19th 2020 at 22:15
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

What is up on Port 62234?, (Tue, May 19th)

May 19th 2020 at 14:56
Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity.  Well today's data has revealed a confounding one.  Port 62234, which traditionally has zero on near zero sources attempting to access it suddenly has hundreds of sources.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Cisco Advisories for FTD, ASA, Firepower 1000, (Tue, May 19th)

May 19th 2020 at 14:25
Cisco has released a number of advisories for Firepower and Adaptive Security Appliance (ASA). 
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Automating nmap scans, (Mon, May 18th)

May 18th 2020 at 20:40
With last week’s diary  I left you with using a relatively basic nmap command to perform a relatively thorough scan of an IP range.  That command was:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green


Antivirus & Multiple Detections, (Sun, May 17th)

May 17th 2020 at 21:08
"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?".
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green


Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP), (Sat, May 16th)

May 16th 2020 at 20:54
This past two weeks my honeypot captured several probe for this URL /owa/auth/logon.aspx?url=https://1/ecp/ looking for the Exchange Control Panel. In the February 2020 patch Tuesday, Microsoft released a patch for ECP (CVE-2020-0688) for a remote code execution vulnerability affecting Microsoft Exchange server. Zero Day Initiative provided more details for this vulnerability here. Using CyberChef URL Decode, this is the output of the scan:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

SHA3 Hashes (on Windows) - Where Art Thou?, (Fri, May 15th)

May 15th 2020 at 19:51
No sooner had posted on doing file and string hashes in PowerShell, when I (again) got asked by Jim - "What about SHA3?  Shouldn't we be using Quantum Safe algorithms if we have them?"
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Hashes in PowerShell, (Fri, May 15th)

May 15th 2020 at 14:18
As a follow up to yesterday's how-to, I thought hashing might a thing to cover.  We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the windows command set - or are they?  Yup, it turns out that they most definitely are part of PowerShell:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe, (Thu, May 14th)

May 14th 2020 at 14:36
Looking at our patch Tuesday list, I looked a bit closer at CE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft's ratings for that one.  Microsoft rated this as:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Base Conversions and Creating GUI Apps in PowerShell, (Thu, May 14th)

May 14th 2020 at 13:50
I don't know about you, but I find myself doing conversions from decimal to hex and binary several times per day.  For me, working out binary equivalents of decimal numbers is something I do all the time to verify subnet masks, network and broadcast addresses - also in answering "is this IP in the same subnet or in an adjacent network?"  Conversions of the same type crop up all the time in decoding constructs in packets.  Wireshark and Burp will both often anticipate what you want to do on this score, but not always.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Microsoft May 2020 Patch Tuesday, (Tue, May 12th)

May 12th 2020 at 17:43
This month we got an average Patch Tuesday with patches for 111 vulnerabilities total. Sixteen of them are critical and, according to Microsoft, none of them was previously disclosed or are being exploited.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)

May 11th 2020 at 19:58
Malicious Excel 4 macro documents become more prevalent. They are so obfuscated now, that analysis requires calculations of many formulas.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Nmap Basics - The Security Practitioner's Swiss Army Knife, (Sat, May 9th)

May 9th 2020 at 20:10
To elaborate on Xavier's and Bojan's excellent nmap diaries over the last few days, I thought that today might be a good day to go back to basics on nmap and demonstrate why nmap really is a security practitioner’s swiss army knife and should be in each of our testing toolkits.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

VMWare vRealize Critical vulnerabilities due to SaltStack - VMSA-2020-0009, (Sat, May 9th)

May 9th 2020 at 14:05
VMWare has announced two vulnerabiliities in their vRealize product related to their integration of the popular open source server management software SaltStack, for which vulnerabilities were disclosed by F-Secure late last week.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Using Nmap As a Lightweight Vulnerability Scanner, (Fri, May 8th)

May 8th 2020 at 05:57
Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on LUA). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan's diary, it reminded me of an old article[2] that I wrote on my blog a long time ago. The idea was to use Nmap as a lightweight vulnerability scanner. Nmap has a scan type that tries to determine the service/version information running behind an open port (enabled with the '-sV' flag). Based on this information, the script looks for interesting CVE in a flat database. Unfortunately, the script was developed by a third-party developer and was never integrated into the official list of scripts. 
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Scanning with nmap?s NSE scripts, (Thu, May 7th)

May 7th 2020 at 09:06
If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning – it’s a port scanner, and that’s what it should be used for. Boy was I wrong.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Keeping an Eye on Malicious Files Life Time, (Wed, May 6th)

May 6th 2020 at 06:13
We know that today's malware campaigns are based on fresh files. Each piece of malware has a unique hash and it makes the detection based on lists of hashes not very useful these days. But can we spot some malicious files coming on stage regularly or, suddenly, just popping up from nowhere?
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Cloud Security Features Don't Replace the Need for Personnel Security Capabilities, (Tue, May 5th)

May 5th 2020 at 02:44
We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We'd certainly like to open this up to reader comments, insights, and feedback. 
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Sysmon and File Deletion, (Mon, May 4th)

May 4th 2020 at 22:17
A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green


ZIP & AES, (Sun, May 3rd)

May 3rd 2020 at 11:10
A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service were you can download malware samples).
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Phishing PDF with Unusual Hostname, (Sat, May 2nd)

May 2nd 2020 at 20:44
Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Attack traffic on TCP port 9673, (Fri, May 1st)

May 1st 2020 at 00:42
I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is pretty constant, the botnets are attacking the same ports. What I find more interesting is anomalous behavior. Changes from what is normal on a given port. So, a little over a week ago, I saw a jump on a port I wasn't familiar with.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Collecting IOCs from IMAP Folder, (Thu, Apr 30th)

April 30th 2020 at 05:41
I've plenty of subscriptions to "cyber security" mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that's a fact: email remains a key communication channel. Some mailing lists posts contain interesting indicators of compromize. So, I searched for a nice way to extract them in an automated way (and to correlate them with other data). I did not find a solution ready to use that matched my requirements:
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Privacy Preserving Protocols to Trace Covid19 Exposure, (Wed, Apr 29th)

April 29th 2020 at 12:40
In recent weeks, you probably heard a lot about the "Covid19 Tracing Apps" that Google, Apple, and others. These news reports usually mention the privacy aspects of such an app, but of course, don't cover the protocols in sufficient depth to address how the privacy challenges are being solved.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)

April 28th 2020 at 06:44
While going over malicious e-mails caught by our company gateway in March, I noticed that several of those, that carried ACE file attachments, appeared to be from the same sender. That would not be that unusual, but and after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)

April 27th 2020 at 06:44
An interesting obfuscation technique to store a malicious payload in a PowerShell script: In a PSCredential object!
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Video: Malformed .docm File, (Sun, Apr 26th)

April 26th 2020 at 08:27
In diary entry "Obfuscated with a Simple 0x0A", Xavier discovers that a .docm file is a malformed ZIP file.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

MALWARE Bazaar, (Sat, Apr 25th)

April 25th 2020 at 15:30
When we publish diary entries covering malware, we almost always share the hash of the malware sample.
☐ ☆ ✇ SANS Internet Storm Center, InfoCON: green

Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th)

April 24th 2020 at 05:16
For a few weeks, we see a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victim’s computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem is, in this case, that it generates more noise via new network flows and the attack depends on the reactivity of the other party to clean up the malicious content. If this happens, the macro won’t be able to fetch the data and the infection will fail. The other approach is to store the payload in the document metadata, the document itself or appended to it.
❌