[SANS ISC] PowerShell Backdoor Launched from a ShellCode

I published the following diary on isc.sans.edu: “PowerShell Backdoor Launched from a ShellCode”: When you need to perform malicious actions on a victim’s computer, the Internet is full of resources that can be reused, forked, or slightly changed to meet your requirements. After all, why reinvent the wheel if some pieces

The post [SANS ISC] PowerShell Backdoor Launched from a ShellCode appeared first on /dev/random.

[SANS ISC] Party in Ibiza with PowerShell

I published the following diary on isc.sans.edu: “Party in Ibiza with PowerShell”: Today, I would like to talk about PowerShell ISE, or “Integrated Scripting Environment”. This tool is installed by default on all Windows computers (alongside the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature:

[SANS ISC] Malicious Word Document with Dynamic Content

I published the following diary on isc.sans.edu: “Malicious Word Document with Dynamic Content”: Here is another malicious Word document that I spotted while hunting. “Another one?” some of our readers may ask. Indeed, but malicious documents remain a very common infection vector, and you learn a lot when you analyze

[SANS ISC] A Mix of Python & VBA in a Malicious Word Document

I published the following diary on isc.sans.edu: “A Mix of Python & VBA in a Malicious Word Document”: A few days ago, Didier wrote an interesting diary about objects embedded in an Office document. I had a discussion about an interesting OLE file that I found. Because it used the same

[SANS ISC] Suspicious Endpoint Containment with OSSEC

I published the following diary on isc.sans.edu: “Suspicious Endpoint Containment with OSSEC”: When a host is compromised or infected on your network, an important step in the Incident Handling process is “containment”, to prevent further infections. Placing the device in a restricted environment is definitely better than powering off the system

[SANS ISC] Sandbox Evasion Using NTP

I published the following diary on isc.sans.edu: “Sandbox Evasion Using NTP”: I’m still hunting for interesting (read: “malicious”) Python samples. If you have read my previous diaries, you know that I like to find out how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread

[SANS ISC] Python and Risky Windows API Calls

I published the following diary on isc.sans.edu: “Python and Risky Windows API Calls”: The Windows API is full of calls that are usually good indicators for guessing the behavior of a script. In a previous diary, I wrote about some examples of “API call groups” that are clearly used together

[SANS ISC] Example of Malicious DLL Injected in PowerShell

I published the following diary on isc.sans.edu: “Example of Malicious DLL Injected in PowerShell”: For a while now, PowerShell has remained one of attackers’ favorite languages: installed by default (and almost impossible to get rid of), powerful, and perfectly integrated with the core operating system. It’s very easy to develop

[SANS ISC] Malicious Excel Sheet with a NULL VT Score

I published the following diary on isc.sans.edu: “Malicious Excel Sheet with a NULL VT Score”: Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that has a very nice score of 0/57 on VT. Yes, according to

[SANS ISC] Keep An Eye on LOLBins

I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins”: Don’t misread: I won’t talk about “lolcats” today but about “LOLBins”, or “Living Off The Land Binaries”. All operating systems provide a rich toolbox for multiple day-to-day tasks like certificate maintenance, installation of patches and applications,
