[SANS ISC] Suspicious Endpoint Containment with OSSEC

I published the following diary on isc.sans.edu: “Suspicious Endpoint Containment with OSSEC”: When a host is compromised/infected on your network, an important step in the Incident Handling process is the “containment” to prevent further infections. To place the device into a restricted environment is definitively better than powering off the system

The post [SANS ISC] Suspicious Endpoint Containment with OSSEC appeared first on /dev/random.

[SANS ISC] Sandbox Evasion Using NTP

I published the following diary on isc.sans.edu: “Sandbox Evasion Using NTP”: I’m still hunting for interesting (read: “malicious”) Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread

[SANS ISC] Python and Risky Windows API Calls

I published the following diary on isc.sans.edu: “Python and Risky Windows API Calls”: The Windows API is full of calls that are usually good indicators to guess the behavior of a script. In a previous diary, I wrote about some examples of “API call groups” that are clearly used together

[SANS ISC] Example of Malicious DLL Injected in PowerShell

I published the following diary on isc.sans.edu: “Example of Malicious DLL Injected in PowerShell”: For a while, PowerShell has remained one of the favorite languages for attackers. Installed by default (and almost impossible to get rid of), powerful, perfectly integrated with the core operating system. It’s very easy to develop

[SANS ISC] Malicious Excel Sheet with a NULL VT Score

I published the following diary on isc.sans.edu: “Malicious Excel Sheet with a NULL VT Score”: Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. Yes, according to

[SANS ISC] Keep An Eye on LOLBins

I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins”: Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications,

Monitoring MISP with Nagios

Yesterday, a very interesting article was published on the MISP blog by my friend Koen about a solution to monitor a MISP instance with Cacti. Monitoring your threat intelligence platform is always a good idea because many other tools depend on it. You can feed other tools with MISP data

[SANS ISC] Tracking A Malware Campaign Through VT

I published the following diary on isc.sans.edu: “Tracking A Malware Campaign Through VT”: During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded

[SANS ISC] Example of Word Document Delivering Qakbot

I published the following diary on isc.sans.edu: “Example of Word Document Delivering Qakbot”: Qakbot is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I’ll cover today has been reported by one of our

[SANS ISC] Using API’s to Track Attackers

I published the following diary on isc.sans.edu: “Using API’s to Track Attackers”: For a few days, I’ve been keeping an eye on suspicious Python code posted on VT. We all know that VBA, JavaScript, PowerShell, etc. are attackers’ best friends, but Python is also a good candidate to perform malicious activities on
