[SANS ISC] VBA Macro Trying to Alter the Application Menus

I published the following diary on isc.sans.edu: “VBA Macro Trying to Alter the Application Menus”: Who remembers the worm Melissa? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique

The post [SANS ISC] VBA Macro Trying to Alter the Application Menus appeared first on /dev/random.

[SANS ISC] New Example of XSL Script Processing aka “Mitre T1220”

I published the following diary on isc.sans.edu: “New Example of XSL Script Processing aka ‘Mitre T1220’”: Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided

[SANS ISC] Sensitive Data Shared with Cloud Services

I published the following diary on isc.sans.edu: “Sensitive Data Shared with Cloud Services”: Yesterday was the data protection day in Europe. I was not on duty so I’m writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many

Be Careful When Using Images Grabbed Online In Your Documents

It’s very tempting and, honestly, I’m doing it from time to time… I search for pictures on the Internet and use them in my documents! Why could it be dangerous in some cases? Let’s put aside copyright issues (yes, some pictures might not be free to use) and focus on

[SANS ISC] Another File Extension to Block in your MTA: .jnlp

I published the following diary on isc.sans.edu: “Another File Extension to Block in your MTA: .jnlp”: When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure

[SANS ISC] Powershell Dropping a REvil Ransomware

I published the following diary on isc.sans.edu: “Powershell Dropping a REvil Ransomware”: I spotted a piece of Powershell code that deserved some investigation because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59! The technique behind RunSpaces is helpful to create new threads on the existing Powershell

What’s Hosted Behind ngrok.io?

A few weeks ago I wrote an ISC diary about a piece of malicious code that used ngrok.io to communicate with the C2 server. Just a quick reminder about this service: it provides a kind of reverse-proxy for servers or applications that people need to publish on the Internet. I

[SANS ISC] Malicious Word Document Delivering an Octopus Backdoor

I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor”: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.

[SANS ISC] Malware Victim Selection Through WiFi Identification

I published the following diary on isc.sans.edu: “Malware Victim Selection Through WiFi Identification”: Last week, I found a malware sample that does nothing fancy: it’s a data stealer, but it has an interesting feature. It’s always interesting to have a look at the network flows generated by malware samples. For

pfSense Firewall Configuration Audit with pfAudit

pfSense is a very popular free and open source firewall solution. It does not only provide classic firewall services but also plenty of other features, such as a VPN server, DNS, DHCP, proxy services… and many more. pfSense is also offered by some companies as a commercial service with support.