News

The CIS Benchmark for Cisco Nexus (NX-OS) 1.0 went live last week; find it here: https://www.cisecurity.org/cis-benchmarks/, (Mon, Jan 18th)

Published January 18, 2021

Rob VandenBrink (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS.

Doc & RTF Malicious Document, (Mon, Jan 18th)

Published January 18, 2021

A reader pointed us to a malicious Word document. First, I run my strings.py command on it, with option -a to get statistics (see my diary entry “Strings 2021”). There aren’t any long strings in this file (the longest is 33 characters). So there isn’t a payload here that we can extract directly, like we […]

ISC Stormcast For Monday, January 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7332, (Mon, Jan 18th)

Published January 17, 2021

New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th)

Published January 17, 2021

Version 13.01 of Sysmon, a Windows Sysinternals tool to monitor and log system activity, was released. This version adds detection for process tampering, like process hollowing and process herpaderping. You use ProcessTampering in your configuration to activate it. Here is an example of process hollowing detection: […]

Didier Stevens, Senior handler, Microsoft MVP, blog.DidierStevens.com, DidierStevensLabs.com (c)

Obfuscated DNS Queries, (Fri, Jan 15th)

Published January 16, 2021

This week I started seeing some URLs with /dns-query?dns in my honeypot [1][2]. The queries obviously did not look like standard DNS queries; this got me curious, and I then proceeded to investigate what these DNS queries were trying to resolve. But before proceeding: I have logs going back to May 2018 and reviewed […]

Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th)

Published January 14, 2021

Introduction

As this week winds down, I wanted to highlight a threat that’s significantly diminished in recent years. For today’s #ThrowbackFriday, I’m reviewing an example of Rig exploit kit (EK) generated yesterday on Thursday 2021-01-14.

History of Rig EK

EKs are a malware distribution method. They’re channels to send malware to vulnerable Windows hosts. An […]

ISC Stormcast For Friday, January 15th, 2021 https://isc.sans.edu/podcastdetail.html?id=7330, (Fri, Jan 15th)

Published January 14, 2021

Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th)

Published January 14, 2021

Recently I had to analyze a malicious Excel file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros. The image below shows what the file looks like when opened […]

ISC Stormcast For Thursday, January 14th, 2021 https://isc.sans.edu/podcastdetail.html?id=7328, (Thu, Jan 14th)

Published January 13, 2021

ISC Stormcast For Wednesday, January 13th, 2021 https://isc.sans.edu/podcastdetail.html?id=7326, (Wed, Jan 13th)

Published January 12, 2021
