Archive by Author

Investigating an Odd DNS Query, (Thu, May 23rd)

I have been asked this question a few times, and figure it may be worthwhile to document this in a quick diary. This is typically the result of watching for odd DNS queries (and I highly recommend that). But not all DNS queries are created equal, and sometimes you will see odd, or even malicious, […]

An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps], (Wed, May 22nd)

[Please comment if you have any feedback / suggested additions/corrections. You can also use our comment form ] The most notable vulnerabilities patched by Microsoft last week addressed an input validation flaw in the Remote Desktop Service. To exploit the vulnerability, an attacker would send a specially crafted Remote Desktop Protocol (RDP) request to the Remote […]

Using Shodan Monitoring, (Tue, May 21st)

Back in March, Shodan started a new service called Shodan Monitor(1). What this service does is notify you of ports that are open on the network you specify. When you initially set up your network, you put in your CIDR to monitor and then select notification triggers where you will get emails for any of these […]

CVE-2019-0604 Attack, (Mon, May 20th)

Over the past week, I started seeing attacks on Sharepoint servers using vulnerability CVE-2019-0604. The Zero Day Initiative has a great write up(1) on the exploit of the vulnerability. Initial detection of the exploit came from endpoint exploit detection. When reviewing the IIS logs, we saw a post to the Picker.aspx. This appears to be […]

Is Metadata Only Approach, Good Enough for Network Traffic Analysis?, (Sun, May 19th)

Five years ago I wrote a diary on how metadata could be used to detect suspicious activity[1]. Obviously collecting packets allows the analyst to scrutinize the payload, which allows in-depth analysis. However, with more content being encrypted and the cost of storing terabytes of packets, more organizations are now looking at a metadata-only approach to be […]

The Risk of Authenticated Vulnerability Scans, (Thu, May 16th)

NTLM relay attacks have been a well-known opportunity to perform attacks against Microsoft Windows environments for a while, and they usually remain successful. The magic with NTLM relay attacks? You don’t need to lose time cracking the hashes, just relay them to the victim machine. To achieve this, we need a “responder” that will capture […]

VMWare just released a security update to address a DLL-hijacking issue affecting VMware Workstation Pro / Player. Details: https://www.vmware.com/security/advisories/VMSA-2019-0007.html, (Tue, May 14th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft May 2019 Patch Tuesday, (Tue, May 14th)

This month we got patches for 79 vulnerabilities from Microsoft and 2 from Adobe. Of those, 23 are critical and 2 were previously known – including the one that has been exploited in the wild. The exploited vulnerability (CVE-2019-0863) affects the way Windows Error Reporting (WER) handles files. It may allow a local attacker to elevate […]

From Phishing To Ransomware?, (Mon, May 13th)

On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, those emails are simply part of classic phishing waves and try to steal credentials from victims but, this time, it was not a simple phishing. Here is a copy of the email, which was nicely redacted: When the victim […]

DSSuite – A Docker Container with Didier's Tools, (Fri, May 10th)

If you follow us and read our daily diaries, you probably already know some famous tools developed by Didier (like oledump.py, translate.py and many more). Didier is using them all the time to analyze malicious documents. His tools are also used by many security analysts and researchers. The complete toolbox is available on his github.com page[1]. You can clone […]