News
Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)
I wanted to parse and ingest my Pi-hole DNS logs for a while now in Elasticsearch to be able to analyze them in various ways. I wrote four separate Grok parser for Logstash to send the logs to a ELK stack. I am now able to view and analyze which domains have been Sinkhole by […]
Read morePhishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)
Phishing e-mails which are used to steal credentials usually depend on user clicking a link which leads to a phishing website that looks like login page for some valid service. Not all credentials-stealing has to be done using a remote website, however. I recently came across an interesting phishing campaign in which the scammers used […]
Read moreISC Stormcast For Friday, December 6th 2019 https://isc.sans.edu/podcastdetail.html?id=6778, (Fri, Dec 6th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreE-mail from Agent Tesla, (Thu, Dec 5th)
Last Thursday, only a day after Brad wrote a Diary about discovering Agent Tesla sample in Any.Run[1], I found a request for analysis of a suspicious file in my inbox. The file turned out to be the first part of a multi-stage downloader for Agent Tesla and since Brad wrote about what happens after this […]
Read moreISC Stormcast For Thursday, December 5th 2019 https://isc.sans.edu/podcastdetail.html?id=6776, (Thu, Dec 5th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreIssue #94 – Volume XXI – SANS Newsbites – December 3rd, 2019
Reposted from SANS NewsBites. Click here to read the original posting.
Read moreAnalysis of a strangely poetic malware, (Wed, Dec 4th)
Although given its name, one might expect this diary to be about the Elk Cloner[1], that is not the case. The malware we will take a look at is recent and much simpler, yet still interesting in its own way. Couple of days back, we received a request for analysis of a suspicious Word document […]
Read moreISC Stormcast For Wednesday, December 4th 2019 https://isc.sans.edu/podcastdetail.html?id=6774, (Wed, Dec 4th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreISC Stormcast For Tuesday, December 3rd 2019 https://isc.sans.edu/podcastdetail.html?id=6772, (Tue, Dec 3rd)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreUrsnif infection with Dridex, (Tue, Dec 3rd)
Introduction I frequently see indicators of malicious spam (malspam) pushing Ursnif malware. Specifically, I often find Ursnif pushed by a long-running malspam campaign that uses password-protected zip attachments that contain word documents with macros designed to infected a vulnerable Windows host. The password has usually been 777 for the zip attachments. Word documents contained within […]
Read more
