SANS ISC – Page 2 – WindowsTechs.com

[SANS ISC] Are Leaked Credentials Dumps Used by Attackers?

Posted on August 4, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “Are Leaked Credentials Dumps Used by Attackers?“: Leaked credentials are a common thread for a while. Popular services like “Have I Been Pwned” help everyone know if some emails and passwords have been leaked. This is a classic problem: One day, you create an account

The post [SANS ISC] Are Leaked Credentials Dumps Used by Attackers? appeared first on /dev/random.

Continue reading [SANS ISC] Are Leaked Credentials Dumps Used by Attackers?→

[SANS ISC] Do Attackers Pay More Attention to IPv6?

Posted on July 29, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “Do Attackers Pay More Attention to IPv6?“: IPv6 has always been a hot topic! Available for years, many ISP’s deployed IPv6 up to their residential customers. In Belgium, we were for a long time, the top-one country with IPv6 deployment because all

The post [SANS ISC] Do Attackers Pay More Attention to IPv6? appeared first on /dev/random.

Continue reading [SANS ISC] Do Attackers Pay More Attention to IPv6?→

[SANS ISC] ShellCode Hidden with Steganography

Posted on July 28, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “ShellCode Hidden with Steganography“: When hunting, I’m often surprised by the interesting pieces of code that you may discover… Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs.

The post [SANS ISC] ShellCode Hidden with Steganography appeared first on /dev/random.

Continue reading [SANS ISC] ShellCode Hidden with Steganography→

[SANS ISC] Suspicious IP Addresses Avoided by Malware Samples

Posted on July 26, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “Suspicious IP Addresses Avoided by Malware Samples“: Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst’s job or, more simply, to bypass security solutions like sandboxes. These days, I see more and more malware

The post [SANS ISC] Suspicious IP Addresses Avoided by Malware Samples appeared first on /dev/random.

Continue reading [SANS ISC] Suspicious IP Addresses Avoided by Malware Samples→

[SANS ISC] Deobfuscation of Malware Delivered Through a .bat File

Posted on July 20, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “Deobfuscation of Malware Delivered Through a .bat File“: I found a phishing email that delivered a RAR archive (password protected). Inside the archive, there was a simple .bat file (SHA256: 57ebd5a707eb69dd719d461e1fbd14f98a42c6c3dcb8505e4669c55762810e70) with the following name: “SRI DISTRITAL – DPTO DE COBRO -SRI

The post [SANS ISC] Deobfuscation of Malware Delivered Through a .bat File appeared first on /dev/random.

Continue reading [SANS ISC] Deobfuscation of Malware Delivered Through a .bat File→

[SANS ISC] The Importance of Malware Triage

Posted on June 27, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “The Importance of Malware Triage“: When dealing with malware analysis, you like to get “fresh meat”. Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really

The post [SANS ISC] The Importance of Malware Triage appeared first on /dev/random.

Continue reading [SANS ISC] The Importance of Malware Triage→

[SANS ISC] Malicious Code Can Be Anywhere

Posted on June 20, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “Malicious Code Can Be Anywhere“: My Python hunting rules reported some interesting/suspicious files. The files are named with a “.ma” extension. Some of them have very low VT scores. For example, the one with a SHA256 dc16115d165a8692e6f3186afd28694ddf2efe7fd3e673bd90690f2ae7d59136 has a score of 15/59.

The post [SANS ISC] Malicious Code Can Be Anywhere appeared first on /dev/random.

Continue reading [SANS ISC] Malicious Code Can Be Anywhere→

[SANS ISC] Malware Delivered Through .inf File

Posted on June 19, 2023 by Xavier

Today, I published the following diary on isc.sans.edu: “Malware Delivered Through .inf File“: Microsoft has used “.inf” files for a while. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you

The post [SANS ISC] Malware Delivered Through .inf File appeared first on /dev/random.

Continue reading [SANS ISC] Malware Delivered Through .inf File→

[SANS ISC] Undetected PowerShell Backdoor Disguised as a Profile File

Posted on June 10, 2023 by Xavier

Yesterday, I published the following diary on isc.sans.edu: “Undetected PowerShell Backdoor Disguised as a Profile File“: PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are usually obfuscated. Most of the time, this helps to have the script detected by fewer antivirus vendors. Yesterday,

The post [SANS ISC] Undetected PowerShell Backdoor Disguised as a Profile File appeared first on /dev/random.

Continue reading [SANS ISC] Undetected PowerShell Backdoor Disguised as a Profile File→

Someone is roping Apache NiFi servers into a cryptomining botnet

Posted on May 31, 2023 by Zeljka Zorz

If you’re running an Apache NiFi instance exposed on the internet and you have not secured access to it, the underlying host may already be covertly cryptomining on someone else’s behalf. The attack Indicators of the ongoing campaign were f… Continue reading Someone is roping Apache NiFi servers into a cryptomining botnet→