FreshRSS

SANS Internet Storm Center, InfoCON: green

Anti-Debugging JavaScript Techniques, (Thu, Jun 11th)

June 11th 2020 at 06:28
For developers who write malicious programs, it’s important to make their code not easy to read and execute in a sandbox. Like most languages, there are many ways to make the life of malware analysts more difficult (or more exciting, depending on the side of the table you’re sitting ;-).

Microsoft June 2020 Patch Tuesday, (Tue, Jun 9th)

June 9th 2020 at 18:02
This month we got patches for 130 vulnerabilities. Of these, 12 are critical and none of them was previously disclosed or is being exploited according to Microsoft.

Translating BASE64 Obfuscated Scripts, (Mon, Jun 8th)

June 8th 2020 at 20:03
I often get requests for help with deobfuscating scripts. I have several tools that can help.

Cyber Security for Protests, (Fri, Jun 5th)

June 6th 2020 at 14:42
Modern-day protests are as much about social media and voicing your opinions online, as they are about showing up "in person". When attending a protest, it is important to keep some basic rules in mind to stay secure. Of course, it is always best to leave expensive electronics at home, but live streaming, posting to social media, and recording events at the protest is very much a part of modern protests. The other option is to only take a relatively cheap "burner phone" with you that does not have any of your personal data associated with it. But even a cheap, but reasonably functional phone will be too expensive for most.

Not so FastCGI!, (Fri, Jun 5th)

June 5th 2020 at 08:27
This past month, we've seen some new and different scans targeting TCP ports between 8000 and 10,000. The first occurrence was on 30 April 2020 and originated from IP address 23.95.67.187, containing the payload:

Suspending Suspicious Domain Feed / Update to Researcher IP Feed, (Thu, Jun 4th)

June 4th 2020 at 11:57
Yesterday, Peter from DNSFilter sent us a message noting that many of the domains in our "Suspicious Domain" feed no longer resolved, and some of the feeds we used as input were no longer maintained. After investigating, I have to agree with him. The remaining feeds don't make a valuable service at this point. The idea of the "Suspicious Domain" list was to aggregate different lists, but with essentially only 1 or 2 lists left, that doesn't make sense and I decided to no longer maintain the feed until we find new inputs. The respective files will still be offered, but they are empty, to not break any existing scripts that use them (they are quite popular).

Anti-Debugging Technique based on Memory Protection, (Thu, Jun 4th)

June 4th 2020 at 07:27
Many modern malware samples implement defensive techniques. First of all, we have to distinguish sandbox-evasion and anti-debugging techniques. Today, sandboxes are an easy and quick way to categorize samples based on their behavior. Malware developers have plenty of tests to perform to detect the environment running their code. There are plenty of them, some examples: testing the disk size, the desktop icons, the uptime, processes, network interface MAC addresses, hostnames, etc.

Stackstrings, type 2, (Mon, Jun 1st)

June 2nd 2020 at 20:13
Update 1: Added disassembler output.

XLMMacroDeobfuscator: An Update, (Mon, Jun 1st)

June 1st 2020 at 19:34
XLMMacroDeobfuscator is an open-source tool to deobfuscate Excel 4 macros. I wrote diary entries about it here and here.

Windows 10 Built-in Packet Sniffer - PktMon, (Sun, May 31st)

May 31st 2020 at 19:59
With the October 2018 Update, Microsoft released a built-in packet sniffer for Windows 10 located in C:\Windows\system32\PktMon.exe. At ISC we like packets and this is one of the multiple ways to capture packets and send us a copy for analysis. Rob previously published another way of capturing packets in Windows here. If Windows 10 was compromised, this application would be a prime target for malicious actors and it needs to be monitored, protected or removed in an enterprise.

YARA v4.0.1, (Sat, May 30th)

May 30th 2020 at 08:07
A couple of weeks ago, YARA 4.0.0 was released with support for BASE64 strings.

The Impact of Researchers on Our Data, (Fri, May 29th)

May 29th 2020 at 17:07
Researchers have been using various tools to perform internet-wide scans for many years. Some will publish data continuously to notify users of infected or misconfigured systems. Others will use the data to feed internal proprietary systems, or publish occasional research papers.

Flashback on CVE-2019-19781, (Thu, May 28th)

May 28th 2020 at 10:13
First of all, did you know that the Flame[1] malware turned 8 years old today! Happy Birthday! The discovery of this famous malware was announced on May 28th, 2012. The malware was used for targeted cyber espionage activities in the Middle East area. Even if this malware was probably developed by a nation-state organization, it infected a limited number of hosts (~1000 computers[3]), making it a targeted attack.

Frankenstein's phishing using Google Cloud Storage, (Wed, May 27th)

May 27th 2020 at 08:39
Phishing e-mail messages and/or web pages are often unusual in one way or another from the technical standpoint – some are surprisingly sophisticated, while others are incredibly simple, and sometimes they are a very strange mix of the two. The latter was the case with an e-mail, which our company e-mail gateway caught last week – some aspects of it appeared to be professionally done, but others screamed that the author was a “beginner” at best.

Seriously, SHA3 where art thou?, (Tue, May 26th)

May 26th 2020 at 19:18
A couple of weeks ago, Rob wrote a couple of nice diaries. In our private handlers Slack channel I was joking after the first one about whether he was going to rewrite CyberChef in PowerShell. After the second I asked what about SHA3? So, he wrote another one (you're welcome for the diary ideas, Rob). I was only half joking.

Zloader Maldoc Analysis With xlm-deobfuscator, (Sun, May 24th)

May 25th 2020 at 07:09
Reader Roland submitted a malicious Zloader Excel 4 macro spreadsheet (MD5 82c12e7fe6cabf5edc0bdaa760b4b8c8).

Wireshark 3.2.4 Released, (Sun, May 24th)

May 24th 2020 at 18:07
Wireshark version 3.2.4 was released.

AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd)

May 23rd 2020 at 06:16
Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel documents can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques to compromise a computer, especially because Microsoft implemented macros that are automatically executed when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this kind of macro. Really? Not in the same way as Word and Excel do!

Some Strings to Remember, (Fri, May 22nd)

May 22nd 2020 at 13:46
When you handle unknown files, be it for malware analysis or other reasons, it helps to know some strings / hexadecimal sequences to quickly recognize file types and file content.

Malware Triage with FLOSS: API Calls Based Behavior, (Thu, May 21st)

May 21st 2020 at 06:04
Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using FAME[1] which means “FAME Automates Malware Evaluation”. This framework is very nice due to the architecture based on plugins that you can enable upon your needs. Here is an overview of my configuration:

VMWare Security Advisory - VMSA-2020-0010 - https://www.vmware.com/security/advisories/VMSA-2020-0010.html, (Tue, May 19th)

May 19th 2020 at 22:17
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Wireshark Release - 2.6.17, 3.0.11 and 3.2.4 - https://www.wireshark.org/news/20200519.html, (Tue, May 19th)

May 19th 2020 at 22:15
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

What is up on Port 62234?, (Tue, May 19th)

May 19th 2020 at 14:56
Here at the ISC we provide access to a number of bits of data which can be used to dig into problems or even as an early warning system of unusual activity. Well, today's data has revealed a confounding one. Port 62234, which traditionally has zero or near zero sources attempting to access it, suddenly has hundreds of sources.

Cisco Advisories for FTD, ASA, Firepower 1000, (Tue, May 19th)

May 19th 2020 at 14:25
Cisco has released a number of advisories for Firepower and Adaptive Security Appliance (ASA).

Automating nmap scans, (Mon, May 18th)

May 18th 2020 at 20:40
With last week’s diary I left you with using a relatively basic nmap command to perform a relatively thorough scan of an IP range. That command was:

Antivirus & Multiple Detections, (Sun, May 17th)

May 17th 2020 at 21:08
"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?".

Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP), (Sat, May 16th)

May 16th 2020 at 20:54
These past two weeks my honeypot captured several probes for this URL /owa/auth/logon.aspx?url=https://1/ecp/ looking for the Exchange Control Panel. In the February 2020 Patch Tuesday, Microsoft released a patch for ECP (CVE-2020-0688) for a remote code execution vulnerability affecting Microsoft Exchange Server. Zero Day Initiative provided more details for this vulnerability here. Using CyberChef URL Decode, this is the output of the scan:

SHA3 Hashes (on Windows) - Where Art Thou?, (Fri, May 15th)

May 15th 2020 at 19:51
No sooner had I posted on doing file and string hashes in PowerShell, when I (again) got asked by Jim - "What about SHA3? Shouldn't we be using Quantum Safe algorithms if we have them?"

Hashes in PowerShell, (Fri, May 15th)

May 15th 2020 at 14:18
As a follow-up to yesterday's how-to, I thought hashing might be a thing to cover. We use hashes all the time, but it's annoying that md5sum, sha1sum and sha256sum aren't part of the Windows command set - or are they? Yup, it turns out that they most definitely are part of PowerShell:

Patch Tuesday Revisited - CVE-2020-1048 isn't as "Medium" as MS Would Have You Believe, (Thu, May 14th)

May 14th 2020 at 14:36
Looking at our Patch Tuesday list, I looked a bit closer at CVE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft's ratings for that one. Microsoft rated this as:

Base Conversions and Creating GUI Apps in PowerShell, (Thu, May 14th)

May 14th 2020 at 13:50
I don't know about you, but I find myself doing conversions from decimal to hex and binary several times per day. For me, working out binary equivalents of decimal numbers is something I do all the time to verify subnet masks, network and broadcast addresses - also in answering "is this IP in the same subnet or in an adjacent network?" Conversions of the same type crop up all the time in decoding constructs in packets. Wireshark and Burp will both often anticipate what you want to do on this score, but not always.

Microsoft May 2020 Patch Tuesday, (Tue, May 12th)

May 12th 2020 at 17:43
This month we got an average Patch Tuesday with patches for 111 vulnerabilities total. Sixteen of them are critical and, according to Microsoft, none of them was previously disclosed or is being exploited.

Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)

May 11th 2020 at 19:58
Malicious Excel 4 macro documents are becoming more prevalent. They are so obfuscated now that analysis requires calculating many formulas.