News

Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)

Published December 7, 2019

I wanted to parse and ingest my Pi-hole DNS logs for a while now in Elasticsearch to be able to analyze them in various ways. I wrote four separate Grok parsers for Logstash to send the logs to an ELK stack. I am now able to view and analyze which domains have been sinkholed by […]

Phishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)

Published December 5, 2019

Phishing e-mails which are used to steal credentials usually depend on the user clicking a link which leads to a phishing website that looks like the login page for some valid service. Not all credential stealing has to be done using a remote website, however. I recently came across an interesting phishing campaign in which the scammers used […]

ISC Stormcast For Friday, December 6th 2019 https://isc.sans.edu/podcastdetail.html?id=6778, (Fri, Dec 6th)

Published December 5, 2019

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS.

E-mail from Agent Tesla, (Thu, Dec 5th)

Published December 4, 2019

Last Thursday, only a day after Brad wrote a Diary about discovering an Agent Tesla sample in Any.Run[1], I found a request for analysis of a suspicious file in my inbox. The file turned out to be the first part of a multi-stage downloader for Agent Tesla, and since Brad wrote about what happens after this […]

ISC Stormcast For Thursday, December 5th 2019 https://isc.sans.edu/podcastdetail.html?id=6776, (Thu, Dec 5th)

Published December 4, 2019

Issue #94 – Volume XXI – SANS Newsbites – December 3rd, 2019

Published December 4, 2019

Reposted from SANS NewsBites.

Analysis of a strangely poetic malware, (Wed, Dec 4th)

Published December 3, 2019

Although, given its name, one might expect this diary to be about the Elk Cloner[1], that is not the case. The malware we will take a look at is recent and much simpler, yet still interesting in its own way. A couple of days back, we received a request for analysis of a suspicious Word document […]

ISC Stormcast For Wednesday, December 4th 2019 https://isc.sans.edu/podcastdetail.html?id=6774, (Wed, Dec 4th)

Published December 3, 2019

ISC Stormcast For Tuesday, December 3rd 2019 https://isc.sans.edu/podcastdetail.html?id=6772, (Tue, Dec 3rd)

Published December 2, 2019

Ursnif infection with Dridex, (Tue, Dec 3rd)

Published December 2, 2019

Introduction

I frequently see indicators of malicious spam (malspam) pushing Ursnif malware. Specifically, I often find Ursnif pushed by a long-running malspam campaign that uses password-protected zip attachments that contain Word documents with macros designed to infect a vulnerable Windows host. The password has usually been 777 for the zip attachments. Word documents contained within […]
