Archive by Author

Emotet infection with IcedID banking Trojan, (Thu, Nov 15th)

Introduction Emotet malware is distributed through malicious spam (malspam), and it's active nearly every day, at least every weekday. Sometimes the criminals behind Emotet take a break, such as a month-long hiatus from early October through early November, but the infrastructure pushing Emotet has been very active since Monday 2018-11-05. As Symantec and others have […]

Day in the life of a researcher: Finding a wave of Trickbot malspam, (Wed, Nov 14th)

Introduction Mass-distribution campaigns pushing commonly-seen malware are not often considered newsworthy.  But these campaigns occur on a near-daily basis, and I feel they should be documented as frequently as possible.  Frequent documentation ensures we have publicly-available records that reveal how these campaigns evolve.  Minor changes add up over time. Today’s diary illustrates a small part […]

November 2018 Microsoft Patch Tuesday, (Tue, Nov 13th)

This month, Microsoft patches two issues that have already been disclosed publicly. One is related to BitLocker trusting SSDs with faulty encryption. If an SSD offers its own hardware-based encryption, BitLocker will not add its own software encryption on top of it, to save CPU cycles. But last month, it became known that SSD hardware […]

Using the Neutrino ip-blocklist API to test general badness of an IP, (Mon, Nov 12th)

There are a number of IP reputation services available for public consumption. A personal favorite was the Packetmail IP Rep service, which unexpectedly shut down in September. Looking for an IP reputation API to replace Packetmail in some of my scripts led me to Neutrino and their many APIs, which can be used to query many […]

Community contribution: joining forces or multiply solutions?, (Sun, Nov 11th)

Today’s diary will be less technical than usual, and more “philosophical”, let’s say (because, why not, we need those too :)). Last week I shared a thought on Twitter, saying that sometimes I wish in our community we would stop “reinventing the wheel” by developing yet another FOSS tool that solves the same problem, instead […]

Video: CyberChef: BASE64/XOR Recipe, (Sat, Nov 10th)

I made a video for my diary entry “CyberChef: BASE64/XOR Recipe”: Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com DidierStevensLabs.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

New VMWare Advisory https://www.vmware.com/security/advisories/VMSA-2018-0027.html, (Fri, Nov 9th)

— Tom Webb @twsecblog

Playing with T-POT, (Fri, Nov 9th)

I was looking for a honeypot install that had great reporting and was easy to deploy. I ran across the T-Pot honeypot (https://github.com/dtag-dev-sec/tpotce). It runs on Ubuntu 16.04 and Docker. They have an auto-install script that sets everything up very nicely. If this is your first time using Docker or the Elastic stack, this is […]

Tunneling scanners (or really anything) over SSH, (Wed, Nov 7th)

I am sure that many penetration testers among our readers try to minimize their travel. While many years ago we had to be physically present for internal penetration tests, today it is very common that client organizations set up virtual machines for penetration testers, which are then used to perform internal penetration tests. In most cases […]

Malicious PowerShell Script Dissection, (Tue, Nov 6th)

Here is another example of a malicious PowerShell script found while hunting. Such scripts remain a common attack vector, and many of them can be easily detected just by looking for some specific strings. Here is an example of a YARA rule that I’m using to hunt for malicious PowerShell scripts: rule PowerShellSuspiciousStrings { strings: $ps1 = […]