SANS Internet Storm Center, InfoCON: green

50 years of malware? Not really. 50 years of computer worms? That's a different story..., (Tue, Mar 16th)

March 16th 2021 at 07:15
If you have any interest in the history of malicious code, chances are you’ve heard or read somewhere that the first piece of malware ever created was a computer worm called Creeper and that spread itself through the ARPANET in 1971. Some sources even mention that it might have been on this very date, i.e. exactly 50 years ago[1].

Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th)

March 15th 2021 at 21:48
Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consists of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.

Wireshark 3.4.4 Released, (Sun, Mar 14th)

March 14th 2021 at 21:41
Wireshark version 3.4.4 was released.

Microsoft DHCP Logs Shipped to ELK, (Fri, Mar 12th)

March 12th 2021 at 20:28
This parser takes the logs from a Windows 2012R2 server (C:\Windows\System32\dhcp) and parses them into usable metadata which can be monitored via a dashboard. The logs have been mapped using ECS in the same format as the packetbeat metadata here [1].

Piktochart - Phishing with Infographics, (Thu, Mar 11th)

March 11th 2021 at 03:06
[This is a guest diary submitted by JB Bowers]

SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th)

March 10th 2021 at 14:08
With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold?

Microsoft March 2021 Patch Tuesday, (Tue, Mar 9th)

March 9th 2021 at 18:51
This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed. 

YARA and CyberChef, (Mon, Mar 8th)

March 8th 2021 at 17:38
If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

PCAPs and Beacons, (Sun, Mar 7th)

March 7th 2021 at 20:55
I like taking a closer look at capture files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

Spotting the Red Team on VirusTotal!, (Sat, Mar 6th)

March 6th 2021 at 07:12
Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you have uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! In the SANS FOR610 training ("Reverse Engineering Malware"), we insist on the fact that you should avoid uploading a file to VT! The best practice is to compute the file hash then search for it to see if someone else already uploaded the same sample. If you're the first to upload a file, its creator can be notified about the upload and learn that he has been detected. Don't be fooled: attackers also have access to VirusTotal and monitor activity around their malware! Note that I mention VirusTotal because it is very popular, but it is not the only service providing repositories of malicious files; there are plenty of alternative services to scan and store malicious files.

Spam Farm Spotted in the Wild, (Fri, Mar 5th)

March 5th 2021 at 06:16
If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That's why security controls like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails from being sent from anywhere. If these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The "good" point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That's what happened to our reader: he saw many bounced messages for unknown email addresses. Here is an example:

From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th)

March 4th 2021 at 07:21
VBS files are interesting to deliver malicious content to a victim's computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it also looks like Russian dolls, given all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and it has a VT score of 12/59[1]. It was delivered by email under the name "Procurement - Attached RFQ 202102.vbs". If you filter attachments based on the MIME type, this file won't be detected as suspicious:

Microsoft Releases Exchange Emergency Patch to Fix Actively Exploited Vulnerability, (Wed, Mar 3rd)

March 3rd 2021 at 03:22
Microsoft today released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities. Four of these vulnerabilities are currently being used in targeted attacks.

Adversary Simulation with Sim, (Tue, Mar 2nd)

March 2nd 2021 at 07:49
One of the best ways to test your detection portfolio is to emulate user actions on monitored systems.

Fun with DNS over TLS (DoT), (Mon, Mar 1st)

March 1st 2021 at 13:37
Going back a few weeks, we discussed how DNS over HTTPS (DoH) works (https://isc.sans.edu/forums/diary/Fun+with+NMAP+NSE+Scripts+and+DOH+DNS+over+HTTPS/27026/) - very much as an unauthenticated API over HTTPS. But DNS over TLS (DoT) has been with us for a fair bit longer (May 2016), so why haven't we heard about it so much?

Maldocs: Protection Passwords, (Sun, Feb 28th)

February 28th 2021 at 23:27
In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.

Pretending to be an Outlook Version Update, (Fri, Feb 26th)

February 27th 2021 at 01:08
I received this phishing email yesterday that seemed very strange with this short and urgent message:

So where did those Satori attacks come from?, (Thu, Feb 25th)

February 26th 2021 at 00:18
Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26.

Forensicating Azure VMs, (Thu, Feb 25th)

February 25th 2021 at 00:17
With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm. It almost feels like some lessons learned in the past two decades about EDR have been thrown out again, just because ... "Cloud". 

Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd)

February 23rd 2021 at 10:29
Given its history, the Full Disclosure mailing list[1] is probably one of the best-known places on the internet where information about newly discovered vulnerabilities may be published in a completely open way. If one wishes to inform the wider security community about a vulnerability one found in any piece of software, one only has to submit a post and, after it is evaluated by the moderators, the information will be published to the list. Whatever your own thoughts on the issues of full or limited disclosure might be, the list can be an interesting source of information.

Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd)

February 22nd 2021 at 17:07
I wanted to take a look at Brad's malicious spreadsheet, using Excel inside a VM.

DDE and oledump, (Sun, Feb 21st)

February 21st 2021 at 22:12
I was asked if the DDE YARA rules I created work with oledump.py on the sample that Xavier wrote about in his diary entry "Dynamic Data Exchange (DDE) is Back in the Wild?".

Quickie: Extracting HTTP URLs With tshark, (Sat, Feb 20th)

February 20th 2021 at 20:34
After I posted diary entry "Quickie: tshark & Malware Analysis", someone asked me how to extract HTTP URLs from capture files with tshark.

Dynamic Data Exchange (DDE) is Back in the Wild?, (Fri, Feb 19th)

February 19th 2021 at 07:00
DDE or "Dynamic Data Exchange" is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects. For a while, DDE was partially replaced by Object Linking and Embedding (OLE), but it's still available in the latest versions of the Microsoft operating system for backward compatibility reasons[1]. If fashion is known to be in a state of perpetual renewal, we could say the same of the cybersecurity landscape. Yesterday, I spotted a malicious Word document that abused this DDE technology.

The new "LinkedInSecureMessage" ?, (Wed, Feb 17th)

February 17th 2021 at 15:58
[This is a guest diary by JB Bowers - @cherokeejb_]

More weirdness on TCP port 26, (Tue, Feb 16th)

February 16th 2021 at 18:19
A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week when I noticed another spike on port 26, I decided to take another look.

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat, (Mon, Feb 15th)

February 15th 2021 at 14:07
[This is a guest diary by Yee Ching Tok (personal website here (https://poppopretn.com)). Feedback welcome either via comments or our contact page (https://isc.sans.edu/contact.html)]

Video: tshark & Malware Analysis, (Sun, Feb 14th)

February 14th 2021 at 18:08
In this video, I show the commands I used in diary entry "Quickie: tshark & Malware Analysis" to analyze shellcode from a pcapng file, and I also show some basic options and features of tshark, the command-line version of Wireshark.

Using Logstash to Parse IPtables Firewall Logs, (Sat, Feb 13th)

February 13th 2021 at 21:33
One of our readers submitted some DSL Modem Firewall logs (iptables format) and I wrote a simple logstash parser to analyze and illustrate the activity; in this case it is all scanning activity against this modem. An iptables parser exists for Filebeat[2], but for this example, I wanted to show how to create a simple logstash parser using Grok[3] to parse these logs and send them to Elastic.

AgentTesla Dropped Through Automatic Click in Microsoft Help File, (Fri, Feb 12th)

February 12th 2021 at 08:01
Attackers have plenty of resources to infect our systems. If some files may look suspicious because the extension is less common (like .xsl files[1]), others look really safe and make the victim confident enough to open them. I spotted a phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive but it contains a .chm file: a Microsoft compiled HTML Help file[2]. The file is named "INV00620224400.chm" (sha256:af9fe480abc56cf1e1354eb243ec9f5bee9cac0d75df38249d1c64236132ceab) and has a current VT score of 27/59[3]. If you open this file, you will get a normal help file (the .chm extension is handled by the c:\windows\hh.exe tool).