Category: SANS Full Feed

Ehsaan Mavani talks about Alternate Data Streams (ADS) in diary entry “Alternate Data Streams ? Adversary Defense Evasion and Detection [Guest Diary]“. I’m taking this as an opportunity to remind you that Python tools on Windows and an NTFS disk, can access alternate data streams. Like my tool cut-bytes.py, here I use it to show…

Read More

[This is a Guest Diary by Matthew Paul, an ISC intern as part of the SANS.edu BACS program] Over the past few months, I’ve been working under a SANS Internet Storm Center (ISC) Sr. Handler as part of the SANS Degree Program ISC Internship.  The first objective of the internship is setting up a forward-facing…

Read More

[This is a guest diary by Christopher Crowley, https://montance.com] Here’s a good reason to include security awareness training for new hires! I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place,…

Read More

Over the weekend, Xavier posted about another image with a payload: “More Steganography!“. Xavier did a static analysis, and I want to explain how you can decode the payload if you opted for a dynamic analysis. During your dynamic analysis, you will notice the download of a JPEG image from hxxps://zynova[.]kesug[.]com/new_image.jpg. You can use my tool…

Read More

I spotted another interesting file that uses, once again, steganography. It seems to be a trend (see one of my previous diaries[1]). The file is an malicious Excel sheet called blcopy.xls. Office documents are rare these days because Microsoft improved the rules to allow automatic macro execution[2]. But it does not mean that Office documents…

Read More