Archive by Author

Commando VM: The Complete Mandiant Offensive VM, (Tue, Jul 16th)

The good folks at Mandiant have created the Commando VM, a fully customized, Windows-based security distribution for penetration testing and red teaming. From the project’s About Commando VM content: “Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for […]

Leave a comment Continue Reading → and Malicious ISOFiles, (Mon, Jul 15th)

Inspired by my diary entry “Malicious .iso Attachments“, @Evild3ad79 created a tool,, to help with the analysis of ISO files. Without any arguments or options, the tool displays its usage: When you just provide it an ISO file, it does nothing: You have to provide a command, like displaying metadata (-M): Or listing the […]

Leave a comment Continue Reading →

Guidance to Protect DNS Against Hijacking & Scanning for Version.BIND Still a Thing, (Sat, Jul 13th)

This type of scanning looking for vulnerable BIND server is nothing new and has been ongoing for pretty much the past 20 years. Checking what might be exploitable, the last BIND advisory was released less than a month ago [1] and is remotely exploitable. This is an example of observable BIND Version scanning that could seen […]

Leave a comment Continue Reading →

Russian Dolls Malicious Script Delivering Ursnif, (Thu, Jul 11th)

As a result of my hunting jobs, I found an interesting piece of obfuscated script. This one looks really like Russian dolls because multiple levels of obfuscation are implemented. It is invoked via WMIC, the command client that performs Windows Management Instrumentation (WMI) operations from a command prompt. If WMI is known to be a management […]

Leave a comment Continue Reading →

Remembering Mike Assante, (Thu, Jul 11th)

In 2016 and 2017 I had the honor to present at RSA next to Mike Assante. I know him as one of the few people in our industry that not only understood the technical details of how attacks work and how attackers can be defeated, but are also able to communicate these difficult technical details […]

Leave a comment Continue Reading →

Recent AZORult activity, (Thu, Jul 11th)

I found a tweet from @ps66uk from on Monday morning 2019-07-10 about an open directory used in malspam to push an information stealer called AZORult. The open directory is hosted on sfoodfeedf[.]org at www.sfoodfeedf[.]org/wp-includes/Requests/Cookie/ Shown above:  The open directory at sfoodfeedf[.]org. @ps66uk already mentioned a file named purchase order.iso which is an ISO file containing […]

Leave a comment Continue Reading →

Samba Project tells us "What's New" – SMBv1 Disabled by Default (finally), (Wed, Jul 10th)

Samba 4.11 (preview release) came out 2 days ago (4.11p0).  Not huge news you say, except for one detail – the default settings on this version now have SMBv1 disabled.  Better yet, they’ve started to set the stage for removing it completely. Yes, 2 years after WannaCry, Petya, NotPetya Eternal-everything and all the rest, they’ve […]

Leave a comment Continue Reading →

Dumping File Contents in Hex (in PowerShell), (Wed, Jul 10th)

I got to thinking about file dumps in hexadecimal this week.  This is something I do at least a few times a week – usually to look at file headers or non-printable characters for one reason or another. File headers will usually let you know what type of file you’re looking at (no matter what […]

Leave a comment Continue Reading →

VMWare Security Advisory on DoS Vulnerability in ESXi, (Tue, Jul 9th)

VMWare has released patches for ESXi that address a denial of service vulnerablility in hostd. ESXi 6.0 is unaffected, 6.5 has a patch, and 6.7 has a patch pending. This addresses a vulnerability described in CVE-2019-5528 and is rated important (CVSSv3 = 5.3). A workaround has also been published. If you run ESXi, you should take […]

Leave a comment Continue Reading →

MSFT July 2019 Patch Tuesday, (Tue, Jul 9th)

July 2019 Security Updates Description CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG) .NET Denial of Service Vulnerability %%cve:2019-1083%% No No Less Likely Less Likely Important     .NET Framework Remote Code Execution Vulnerability %%cve:2019-1113%% No No More Likely More Likely Critical     ADFS Security Feature Bypass […]

Leave a comment Continue Reading →