Tag: SANS Internet Storm Center, InfoCON: green

23:59, Time to Exfiltrate!, (Tue, Sep 17th)

Last week, I posted a diary about suspicious Python modules. One of them was Firebase [1], the cloud service provided by Google[2]. Abuse of Firebase services by attackers is not new; usually, it's used to host malicious files that will be…

Managing PE Files With Overlays, (Mon, Sep 16th)

There is a common technique used by attackers: They append some data at the end of files (this is called an overlay). This can be used for two main reasons: To hide the appended data from the operating system (steganography).…

YARA-X’s Dump Command, (Sun, Sep 15th)

YARA-X is not just a rewrite of YARA in Rust; it comes with new features too. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: YARA-X's Dump Command, (Sun, Sep 15th)

YARA 4.5.2 Release, (Sat, Sep 14th)

YARA 4.5.2 was released with 3 small changes and 4 bugfixes.

Python Libraries Used for Malicious Purposes, (Wed, Sep 11th)

Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The best-known repository is probably pypi.org[1], which reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent…

Microsoft September 2024 Patch Tuesday, (Tue, Sep 10th)

Today, Microsoft released its scheduled September set of patches. This update addresses 79 different vulnerabilities. Seven of these vulnerabilities are rated critical. Four vulnerabilities are already being exploited and have been made public.

Password Cracking & Energy: More Details, (Sun, Sep 8th)

Here are more details on the power consumption of my desktop computer when I crack passwords (cf. diary entry “Quickie: Password Cracking & Energy”).

Python & Notepad++, (Sat, Sep 7th)

PythonScript is a Notepad++ plugin that provides a Python interpreter to edit Notepad++ documents.

Attack Surface [Guest Diary], (Wed, Sep 4th)

[This is a Guest Diary by Joshua Tyrrell, an ISC intern as part of the SANS.edu BACS program]

Scans for Moodle Learning Platform Following Recent Update, (Wed, Sep 4th)

On August 10th, the popular learning platform “Moodle” released an update fixing CVE-2024-43425. RedTeam Pentesting found the vulnerability and published a detailed blog post late last week. The blog post demonstrates in detail how a user with the “trainer” role could…

Protected OOXML Text Documents, (Mon, Sep 2nd)

Just like “Protected OOXML Spreadsheets”, Word documents can also be protected: …

Wireshark 4.4.0 is now available, (Sat, Aug 31st)

This is the first 4.4 release. Many new features have been added, details are here.

Simulating Traffic With Scapy, (Fri, Aug 30th)

It can be helpful to simulate different kinds of system activity. I had an instance where I wanted to generate logs to test a log forwarding agent. This agent was processing DNS logs. There are a variety of ways that…

Live Patching DLLs with Python, (Thu, Aug 29th)

In my previous diary[1], I explained why Python became popular for attackers. One of the given reasons was that, from Python scripts, it's possible to call any Windows API and, therefore, perform low-level activities on the system. In another script,…

Microsoft August 2024 Patch Tuesday, (Tue, Aug 13th)

This month we got patches for 186 vulnerabilities. Of these, 9 are critical, and 9 are zero-days (3 previously disclosed, and 6 are already being exploited).

CrowdStrike Outage Themed Maldoc, (Mon, Jul 29th)

I found a malicious Word document with VBA code using the CrowdStrike outage for social engineering purposes. It's an .ASD file (AutoRecover file). My tool oledump.py can analyze it: …

Quickie: Password Cracking & Energy, (Sun, Jul 28th)

When Johannes talked about my diary entry “Protected OOXML Spreadsheets” on his StormCast podcast, he mentioned that I privately shared data on the power consumption of my desktop with an NVIDIA GeForce RTX 3080 GPU when running Hashcat.

Create Your Own BSOD: NotMyFault, (Sat, Jul 27th)

With all the Blue Screen Of Death screenshots we saw lately, I got the idea to write about Sysinternals' tool NotMyFault.

XWorm Hidden With Process Hollowing, (Thu, Jul 25th)

XWorm is not a brand-new malware family[1]. It's a common RAT (Remote Access Tool) reused regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique[2]. The sample…

“Mouse Logger” Malicious Python Script, (Wed, Jul 24th)

Keylogging is a pretty common feature of many malware families because recording the keys pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. Back from SANSFIRE, I looked at my backlog of hunting results and…

CrowdStrike: The Monday After, (Mon, Jul 22nd)

Last Friday, Crowdstrike released a bad sensor configuration update that caused widespread crashes of Windows systems. The most visible effects of these crashes appear to have been mitigated. I am sure many IT workers had to spend the weekend…