Traffic Analysis Quiz: Mr Natural, (Thu, Dec 3rd)
Introduction It’s time for another ISC traffic analysis quiz! Like previous quizzes, we...
Read More
Category: SANS ISC Bulletins
Decrypting PowerShell Payloads (video), (Mon, Nov 30th)
PowerShell scripts are often used to deliver malicious payloads: shellcode, another PowerShell script, reflective DLL, … And you’ve probably encountered malicious scripts with an encrypted payload, for example encrypted...
Read More
Quick Tip: Using JARM With a SOCKS Proxy, (Sun, Nov 29th)
Rik talked about JARM yesterday “Threat Hunting with JARM”. JARM is a tool to...
Read More
Threat Hunting with JARM, (Fri, Nov 27th)
Recently I have been testing a new tool created by the people at Salesforce. The tool is called...
Read MoreLive Patching Windows API Calls Using PowerShell, (Wed, Nov 25th)
It’s amazing how attackers can be imaginative when it comes to protecting themselves and preventing security controls to do their job. Here is an example of a malicious PowerShell script that patches live a DLL function to...
Read MoreThe special case of TCP RST, (Tue, Nov 24th)
In TCP, packets with the “Reset” (RST or R) flag are sent to abort a connection. Probably the most common reason you are seeing this is that an SYN packet is sent to a closed port. But RST packets may be sent in...
Read More
Quick Tip: Cobalt Strike Beacon Analysis, (Mon, Nov 23rd)
Several of our handlers, like Brad and Renato, have written diary entries about malware infections...
Read More
Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format, (Sun, Nov 22nd)
In diary entry “Quick Tip: Extracting all VBA Code from a Maldoc” I explain which...
Read MoreVMware privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005) – https://www.vmware.com/security/advisories/VMSA-2020-0026.html, (Sat, Nov 21st)
———– Guy Bruneau IPSS Inc. My Handler Page Twitter: GuyBruneau gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United...
Read MoreMalicious Python Code and LittleSnitch Detection, (Fri, Nov 20th)
We all run plenty of security tools on our endpoints. Their goal is to protect us by preventing infection (or trying to prevent it). But all those security tools are present on our devices like normal applications and are,...
Read More
PowerShell Dropper Delivering Formbook, (Thu, Nov 19th)
Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I...
Read MoreWhen Security Controls Lead to Security Issues, (Wed, Nov 18th)
The job of security professionals is to protect customers’ assets and, even more, today, customers’ data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats...
Read More