News
The CIS Benchmark for Cisco Nexus (NX-OS) 1.0 went live last week, find it here: https://www.cisecurity.org/cis-benchmarks/, (Mon, Jan 18th)
Rob VandenBrink
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read more
Doc & RTF Malicious Document, (Mon, Jan 18th)
A reader pointed us to a malicious Word document. First, I ran my strings.py command on it, with option -a to get statistics (see my diary entry “Strings 2021”). There aren’t any long strings in this file (the longest is 33 characters). So there isn’t a payload here that we can extract directly, like we […]
Read more
ISC Stormcast For Monday, January 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7332, (Mon, Jan 18th)
Read more
New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th)
Version 13.01 of Sysmon, the Windows Sysinternals tool that monitors and logs system activity, has been released. This version adds detection of process tampering, such as process hollowing and process herpaderping; you enable it with the ProcessTampering event filter in your configuration. Here is an example of process hollowing detection:
Didier Stevens, Senior handler, Microsoft MVP, blog.DidierStevens.com DidierStevensLabs.com (c) […]
Read more
Obfuscated DNS Queries, (Fri, Jan 15th)
This week I started seeing some URLs with /dns-query?dns in my honeypot[1][2]. The queries obviously did not look like standard DNS queries; this got me curious, and I proceeded to investigate to determine what these DNS queries were trying to resolve. But before proceeding, I have logs going back to May 2018 and reviewed […]
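The /dns-query?dns= form is how RFC 8484 (DNS over HTTPS) carries a DNS query in an HTTP GET: the DNS wire-format message is base64url-encoded (without padding) into the dns parameter, which is why it looks nothing like a plain DNS query when it shows up in a web-server log. The decoder below is an added example, not code from the diary, and reproduces none of the honeypot data; it takes such a request path and recovers the question name and type. The sample input is constructed: it is the GET example from RFC 8484, an A query for www.example.com.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the RFC 8484 GET example (A query for www.example.com),
# as the request path would appear in an access log. Not taken from the diary.
SAMPLE_URL = "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

# A few common QTYPE codes; anything else is reported as TYPEnnn (RFC 3597 style).
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}


def b64url_decode(s):
    # RFC 8484 strips base64url padding; restore it so the stdlib accepts it.
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def parse_name(msg, offset):
    """Read a sequence of DNS labels starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers are legal in answers but not expected in a
            # lone question; treat them as malformed input rather than follow them.
            raise ValueError("unexpected label type 0x%02x" % length)
        offset += 1
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        offset += length


def parse_query(msg):
    """Parse the header and the single question of a DNS query message."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    qname, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": ident,                      # RFC 8484 recommends 0 for GET cacheability
        "rd": bool(flags & 0x0100),       # recursion desired
        "qname": qname,
        "qtype": qtype,
        "qtype_name": QTYPE_NAMES.get(qtype, "TYPE%d" % qtype),
        "qclass": qclass,
    }


def decode_doh_get(url):
    """Decode the dns= parameter of a DoH GET request path or URL."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        raise ValueError("no dns= parameter in request")
    return parse_query(b64url_decode(params["dns"][0]))


if __name__ == "__main__":
    q = decode_doh_get(SAMPLE_URL)
    print("%s %s (class %d, RD=%s)" % (q["qname"], q["qtype_name"], q["qclass"], q["rd"]))
```

Feed it the request paths from an access log to see which names a DoH probe is resolving; malformed or too-short dns= values raise ValueError rather than yielding a misleading name.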
Read more
Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th)
Introduction
As this week winds down, I wanted to highlight a threat that’s significantly diminished in recent years. For today’s #ThrowbackFriday, I’m reviewing an example of Rig exploit kit (EK) generated yesterday on Thursday 2021-01-14.
History of Rig EK
EKs are a malware distribution method. They’re channels to send malware to vulnerable Windows hosts. An […]
Read more
ISC Stormcast For Friday, January 15th, 2021 https://isc.sans.edu/podcastdetail.html?id=7330, (Fri, Jan 15th)
Read more
Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th)
Recently I had to analyze a malicious Excel file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros. The image below shows what the file looks like when opened […]
Read more
ISC Stormcast For Thursday, January 14th, 2021 https://isc.sans.edu/podcastdetail.html?id=7328, (Thu, Jan 14th)
Read more
ISC Stormcast For Wednesday, January 13th, 2021 https://isc.sans.edu/podcastdetail.html?id=7326, (Wed, Jan 13th)
Read more