[SANS ISC] Anti-Debugging Technique based on Memory Protection

I published the following diary on isc.sans.edu: “Anti-Debugging Technique based on Memory Protection“: Many modern malware samples implement defensive techniques. First of all, we have to distinguish between sandbox-evasion and anti-debugging techniques. Today, sandboxes are an easy and quick way to categorize samples based on their behavior. Malware developers have plenty

[The post [SANS ISC] Anti-Debugging Technique based on Memory Protection has been first published on /dev/random]

[SANS ISC] Flashback on CVE-2019-19781

I published the following diary on isc.sans.edu: “Flashback on CVE-2019-19781“: First of all, did you know that the Flame malware turned 8 today? Happy Birthday! The discovery of this famous malware was announced on May 28th, 2012. The malware was used for targeted cyber espionage activities in the Middle East.

[The post [SANS ISC] Flashback on CVE-2019-19781 has been first published on /dev/random]

[SANS ISC] AgentTesla Delivered via a Malicious PowerPoint Add-In

I published the following diary on isc.sans.edu: “AgentTesla Delivered via a Malicious PowerPoint Add-In“: Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel documents can be easily weaponized by adding malicious VBA macros. Today, they are one of

[The post [SANS ISC] AgentTesla Delivered via a Malicious PowerPoint Add-In has been first published on /dev/random]

[SANS ISC] Malware Triage with FLOSS: API Calls Based Behavior

I published the following diary on isc.sans.edu: “Malware Triage with FLOSS: API Calls Based Behavior“: Malware triage is a key component of your hunting process. When you collect suspicious files from multiple sources, you need a tool to automatically process them to extract useful information. To achieve this task, I’m using

[The post [SANS ISC] Malware Triage with FLOSS: API Calls Based Behavior has been first published on /dev/random]

[SANS ISC] Using Nmap As a Lightweight Vulnerability Scanner

I published the following diary on isc.sans.edu: “Using Nmap As a Lightweight Vulnerability Scanner“: Yesterday, Bojan wrote a nice diary about the power of the Nmap Scripting Engine (NSE, based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the ports and services detected.

[The post [SANS ISC] Using Nmap As a Lightweight Vulnerability Scanner has been first published on /dev/random]

[SANS ISC] Keeping an Eye on Malicious Files Life Time

I published the following diary on isc.sans.edu: “Keeping an Eye on Malicious Files Life Time“: We know that today’s malware campaigns are based on fresh files. Each sample has a unique hash, which makes detection based on lists of hashes not very useful these days. But

[The post [SANS ISC] Keeping an Eye on Malicious Files Life Time has been first published on /dev/random]

[SANS ISC] Collecting IOCs from IMAP Folder

I published the following diary on isc.sans.edu: “Collecting IOCs from IMAP Folder“: I have plenty of subscriptions to “cyber security” mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that’s a fact: email remains a key communication channel. Some mailing list posts contain

[The post [SANS ISC] Collecting IOCs from IMAP Folder has been first published on /dev/random]

[SANS ISC] Powershell Payload Stored in a PSCredential Object

I published the following diary on isc.sans.edu: “Powershell Payload Stored in a PSCredential Object“: An interesting obfuscation technique to store a malicious payload in a PowerShell script: in a PSCredential object! The PSCredential class is PowerShell’s standard container for a username and a SecureString password, so a script that builds one looks like ordinary credential handling. Just have a look at this example. First, let’s encrypt

[The post [SANS ISC] Powershell Payload Stored in a PSCredential Object has been first published on /dev/random]
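The round trip the diary excerpt starts to describe, as an added example that is not the diary’s own code. Everything here is constructed for illustration: the 32-byte key, the account name `svc_account`, the benign `Write-Host` stand-in for a payload, and the `Find-PSCredentialPayload` hunting helper are all assumptions, not artefacts from a real sample.

```powershell
# Added example (not from the diary): a payload hidden inside a PSCredential object,
# followed by a small hunting function for the pattern. All values are constructed.

# --- Attacker side: wrap the payload -------------------------------------------
# A fixed 32-byte AES key makes the encrypted string portable between machines.
# Without -Key, ConvertFrom-SecureString uses DPAPI, which only decrypts for the
# same user on the same host, so a dropper must ship an explicit key.
$key = [byte[]](1..32)                       # constructed key, obviously weak

$payload = 'Write-Host "payload executed"'   # constructed, benign stand-in
$secure  = ConvertTo-SecureString -String $payload -AsPlainText -Force
$blob    = ConvertFrom-SecureString -SecureString $secure -Key $key
# $blob is now a long hex string that looks like a stored credential, not code.

# --- What the malicious script ships -------------------------------------------
# The script carries only $blob and $key; the "password" of the credential is the payload.
$cred = New-Object -TypeName System.Management.Automation.PSCredential `
                   -ArgumentList 'svc_account', (ConvertTo-SecureString -String $blob -Key $key)

# GetNetworkCredential() hands back the plaintext "password", i.e. the payload.
$decoded = $cred.GetNetworkCredential().Password
# A real sample would continue with: Invoke-Expression $decoded
# Here we only check that the round trip works.
if ($decoded -ne $payload) { throw 'round trip failed' }
Write-Host "Recovered payload: $decoded"

# --- Defender side: hunt for scripts that *execute* a credential's password -------
# Flags .ps1 files that both read a PSCredential password in clear text and contain
# an execution primitive. Normal credential handling passes $cred to a cmdlet and
# rarely needs both in the same script.
function Find-PSCredentialPayload {
    param([Parameter(Mandatory)][string[]]$Path)

    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File | ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw
        $readsPassword = $text -match 'GetNetworkCredential\(\)\.Password'
        $executes      = $text -match 'Invoke-Expression|\biex\b|\[scriptblock\]::Create|Invoke-Command'
        if ($readsPassword -and $executes) {
            [pscustomobject]@{
                Path   = $_.FullName
                HasKey = [bool]($text -match 'ConvertTo-SecureString[^\n]*-Key')
            }
        }
    }
}

# Usage: Find-PSCredentialPayload -Path 'C:\Users\*\Downloads'
```

`HasKey` is worth surfacing because a script that decrypts a SecureString with an explicit `-Key` (rather than DPAPI) is the portable variant an attacker needs; legitimate scripts that store credentials for the local user usually omit it.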

[SANS ISC] Malicious Excel With a Strong Obfuscation and Sandbox Evasion

I published the following diary on isc.sans.edu: “Malicious Excel With a Strong Obfuscation and Sandbox Evasion“: For a few weeks, we have seen a bunch of Excel documents spread in the wild with Excel 4.0 macros (“Macro V4”). But VBA macros remain a classic way to drop the next stage of the attack on the

[The post [SANS ISC] Malicious Excel With a Strong Obfuscation and Sandbox Evasion has been first published on /dev/random]

[SANS ISC] Weaponized RTF Document Generator & Mailer in PowerShell

I published the following diary on isc.sans.edu: “Weaponized RTF Document Generator & Mailer in PowerShell“: Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities these days, it is related to the COVID19 pandemic. Its purpose is simple: it checks if Outlook

[The post [SANS ISC] Weaponized RTF Document Generator & Mailer in PowerShell has been first published on /dev/random]