[SANS ISC] Python Backdoor Talking to a C2 Through Ngrok

I published the following diary on isc.sans.edu: “Python Backdoor Talking to a C2 Through Ngrok“: I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most

The post [SANS ISC] Python Backdoor Talking to a C2 Through Ngrok appeared first on /dev/random.
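The diary describes a backdoor that reaches its C2 through an ngrok tunnel. A defender's first question is how to spot that on the wire, so here is an added example (my own, not code from the diary or from ngrok) that flags ngrok tunnelling in endpoint connection logs. The log format, the indicator domain list and the client process names are assumptions for illustration and should be checked against your own telemetry and the current ngrok documentation before use; the sample log lines are constructed.

```python
"""Flag ngrok tunnel activity in endpoint connection logs.

Added example for this post; not code from the diary or from ngrok.
The log format, the indicator domains and the process names below are
assumptions for illustration; verify them against your own telemetry.
"""
import re

# Assumed indicators: domains the ngrok client and its public tunnels use.
NGROK_DOMAIN_SUFFIXES = (
    "ngrok.com", "ngrok.io", "ngrok-agent.com", "ngrok-free.app", "ngrok.app",
)
# Assumed binary names for the ngrok client.
NGROK_PROCESS_NAMES = {"ngrok", "ngrok.exe"}

# Constructed sample log in an assumed "host= proc= dst=host:port" format.
SAMPLE_LOG = """\
2021-01-10T10:00:01Z host=ws01 proc=chrome.exe dst=www.example.com:443
2021-01-10T10:00:07Z host=ws01 proc=python.exe dst=tunnel.us.ngrok.com:443
2021-01-10T10:00:09Z host=ws01 proc=ngrok.exe dst=connect.ngrok-agent.com:443
2021-01-10T10:00:15Z host=ws02 proc=outlook.exe dst=outlook.office365.com:443
2021-01-10T10:00:20Z host=ws03 proc=python.exe dst=a1b2c3d4.ngrok.io:80
"""

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
)


def is_ngrok_domain(hostname: str) -> bool:
    """True when hostname is one of, or a subdomain of, the ngrok domains."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in NGROK_DOMAIN_SUFFIXES)


def find_ngrok_activity(log_text: str) -> list:
    """Return one dict per log line that shows ngrok tunnelling.

    Two independent signals are checked: the destination is an ngrok
    domain (covers a script that talks to the tunnel endpoint itself)
    and the process is the ngrok client (covers a dropped ngrok binary).
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        reasons = []
        if is_ngrok_domain(m["dst"]):
            reasons.append("destination is an ngrok domain")
        if m["proc"].lower() in NGROK_PROCESS_NAMES:
            reasons.append("process is the ngrok client")
        if reasons:
            hits.append({"host": m["host"], "proc": m["proc"],
                         "dst": m["dst"], "port": int(m["port"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_ngrok_activity(SAMPLE_LOG):
        print(f"{hit['host']}: {hit['proc']} -> {hit['dst']}:{hit['port']} "
              f"({'; '.join(hit['reasons'])})")
```

Matching on the domain suffix rather than a substring matters: "notngrok.com" must not match, and a registered domain that merely starts with "ngrok" is not an indicator. Note that a legitimate developer may run ngrok too, so treat a hit as a lead to pivot on (which process, which user, how long the tunnel stayed up) rather than as a verdict on its own.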

[SANS ISC] Live Patching Windows API Calls Using PowerShell

I published the following diary on isc.sans.edu: “Live Patching Windows API Calls Using PowerShell“: It’s amazing how imaginative attackers can be when it comes to protecting themselves and preventing security controls from doing their job. Here is an example of a malicious PowerShell script that live-patches a DLL function

[SANS ISC] Malicious Python Code and LittleSnitch Detection

I published the following diary on isc.sans.edu: “Malicious Python Code and LittleSnitch Detection“: We all run plenty of security tools on our endpoints. Their goal is to protect us by preventing infection (or trying to prevent it). But all those security tools are present on our devices like normal applications

[SANS ISC] PowerShell Dropper Delivering Formbook

I published the following diary on isc.sans.edu: “PowerShell Dropper Delivering Formbook“: Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called ‘ad.jpg’ (SHA256:b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it’s not a picture but a huge text file with Base64-encoded data. The VT score is therefore
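The dropper above is a text file of Base64 data wearing a ‘.jpg’ name. The cheap triage check for that trick is to compare what the extension claims with what the bytes say, and then to decode the text. The following is an added example of my own, not the diary's code: the ‘file contents’ it works on are constructed stand-ins, not the real ‘ad.jpg’ sample, and the ‘payload’ is a harmless placeholder string.

```python
"""Triage a file that claims to be an image but is really Base64 text.

Added example for this post; not the diary's code. The file contents
below are constructed stand-ins, not the real 'ad.jpg' sample.
"""
import base64
import binascii
import re
import string

# Magic bytes of common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=\r\n").encode())
# Runs of at least 64 Base64 characters with optional padding.
BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed stand-ins (not the real sample). The payload is a placeholder.
CONSTRUCTED_PAYLOAD = b"Write-Host 'constructed stage-two payload'" * 3
FAKE_JPG = base64.b64encode(CONSTRUCTED_PAYLOAD)               # text named like an image
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16  # JPEG header, truncated body


def sniff_image(data: bytes):
    """Return the image type the magic bytes indicate, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def base64_ratio(data: bytes) -> float:
    """Fraction of bytes that belong to the Base64 alphabet (plus line breaks)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in B64_ALPHABET) / len(data)


def decode_blobs(data: bytes) -> list:
    """Decode every long Base64 run found in the data, skipping invalid ones."""
    flat = data.replace(b"\r", b"").replace(b"\n", b"")  # droppers often wrap lines
    out = []
    for m in BLOB_RE.finditer(flat):
        blob = m.group(0)
        blob += b"=" * (-len(blob) % 4)  # restore padding the author may have stripped
        try:
            out.append(base64.b64decode(blob, validate=True))
        except (binascii.Error, ValueError):
            continue
    return out


def triage(data: bytes, declared_ext: str = ".jpg") -> dict:
    """Compare the declared extension with the bytes and decode if it is text."""
    magic = sniff_image(data)
    ratio = base64_ratio(data)
    decoded = []
    if magic is not None:
        verdict = f"{magic} image"
    elif ratio > 0.95:
        verdict = "Base64 text masquerading as image"
        decoded = decode_blobs(data)
    else:
        verdict = "non-image binary"
    return {"declared": declared_ext, "magic": magic,
            "base64_ratio": round(ratio, 3), "decoded": decoded, "verdict": verdict}


if __name__ == "__main__":
    for name, blob in (("ad.jpg (constructed)", FAKE_JPG), ("real.jpg (constructed)", REAL_JPG)):
        r = triage(blob)
        print(name, "->", r["verdict"], "| decoded:", [d[:40] for d in r["decoded"]])
```

The decoded bytes are the next stage, which in this kind of dropper is usually more script: run the same triage on the output, because several layers of encoding are common, and never execute what comes out.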

[SANS ISC] When Security Controls Lead to Security Issues

I published the following diary on isc.sans.edu: “When Security Controls Lead to Security Issues“: The job of security professionals is to protect customers’ assets and, even more so today, customers’ data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on the

[SANS ISC] Old Worm But New Obfuscation Technique

I published the following diary on isc.sans.edu: “Old Worm But New Obfuscation Technique“: Yesterday I found an interesting JavaScript script delivered through a regular phishing campaign (SHA256:70c0b9d1c88f082bad6ae01fef653da6266d0693b24e08dcb04156a629dd6f81) that has a VT score of 17/61. The script obfuscation is simple but effective: the malicious code is decoded and passed to an eval()

[SANS ISC] How Attackers Brush Up Their Malicious Scripts

I published the following diary on isc.sans.edu: “How Attackers Brush Up Their Malicious Scripts“: On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very