HackDig : Dig high-quality web security articles for hackers

[SANS ISC] PowerShell Dropper Delivering Formbook

I published the following diary on isc.sans.edu: “PowerShell Dropper Delivering Formbook”: Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called ‘ad.jpg’ (SHA256:b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it’s not
Publish At: 2020-11-19 08:49 | Tags: Malware SANS Internet Storm Center Security Obfuscation Powe

[SANS ISC] Quick Status of the CAA DNS Record Adoption

I published the following diary on isc.sans.edu: “Quick Status of the CAA DNS Record Adoption”: In 2017, we already published a guest diary about “CAA” or “Certification Authority Authorization”. I was curious about the status of this technique and the adoption level in 2020. Has it been adopted massively since this dia
Publish At: 2020-10-30 09:06 | Tags: SANS Internet Storm Center Security CAA Certificate Domain S

[SANS ISC] Malicious Word Document with Dynamic Content

I published the following diary on isc.sans.edu: “Malicious Word Document with Dynamic Content”: Here is another malicious Word document that I spotted while hunting. “Another one?” some of our readers may ask. Indeed, but malicious documents remain a very common infection vector and you learn a lot when you analyze them. I was rece
Publish At: 2020-09-30 11:51 | Tags: Malware SANS Internet Storm Center Security Office PowerShel

[SANS ISC] Party in Ibiza with PowerShell

I published the following diary on isc.sans.edu: “Party in Ibiza with PowerShell”: Today, I would like to talk about PowerShell ISE or “Integrated Scripting Environment”. This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key
Publish At: 2020-09-30 11:51 | Tags: Malware PowerShell SANS Internet Storm Center Security Obfus

[SANS ISC] Suspicious Endpoint Containment with OSSEC

I published the following diary on isc.sans.edu: “Suspicious Endpoint Containment with OSSEC”: When a host is compromised/infected on your network, an important step in the Incident Handling process is the “containment” to prevent further infections. To place the device into a restricted environment is definitively better than power
Publish At: 2020-09-17 08:05 | Tags: OSSEC SANS Internet Storm Center Security Incident SANS ISC

[SANS ISC] Example of Malicious DLL Injected in PowerShell

I published the following diary on isc.sans.edu: “Example of Malicious DLL Injected in PowerShell”: For a while now, PowerShell has remained one of the favorite languages for attackers. Installed by default (and almost impossible to get rid of), powerful, perfectly integrated with the core operating system. It’s very easy to develop specific P
Publish At: 2020-08-28 14:15 | Tags: Malware SANS Internet Storm Center Security DLL PowerShell S

[SANS ISC] Keep An Eye on LOLBins

I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins”: Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, ins
Publish At: 2020-08-25 11:55 | Tags: Malware SANS Internet Storm Center Security LOLBins Operatin

[SANS ISC] Compromized Desktop Applications by Web Technologies

I published the following diary on isc.sans.edu: “Compromized Desktop Applications by Web Technologies”: For a long time now, it has been said that “the new operating system is the browser”. Today, we do everything in our browsers: we connect to the office, we process emails and documents, we chat, we perform our system maintenance,
Publish At: 2020-07-25 14:17 | Tags: SANS Internet Storm Center Security Compromized JavaScript M

[SANS ISC] Simple Blacklisting with MISP & pfSense

I published the following diary on isc.sans.edu: “Simple Blacklisting with MISP & pfSense”: Here is an example of a simple but effective blacklist system that I’m using on my pfSense firewalls. pfSense is a very modular firewall that can be expanded with many packages. About blacklists, there is a well-known one called pfBlocklist. P
Publish At: 2020-07-23 08:09 | Tags: SANS Internet Storm Center Security Blacklist IOC MISP pfSen

[SANS ISC] Sextortion to The Next Level

I published the following diary on isc.sans.edu: “Sextortion to The Next Level”: For a long time, our mailboxes have been flooded with emails from “hackers” (note the quotes) who pretend to have infected our computers with malware. The scenario is always the same: they successfully collected sensitive pieces of evidence about us (usually, men visiti
Publish At: 2020-06-16 15:54 | Tags: OSINT SANS Internet Storm Center Security SANS ISC

[SANS ISC] Anti-Debugging JavaScript Techniques

I published the following diary on isc.sans.edu: “Anti-Debugging JavaScript Techniques”: For developers who write malicious programs, it’s important to make their code not easy to read and execute in a sandbox. Like most languages, there are many ways to make the life of malware analysts more difficult (or more exciting, depending on the s
Publish At: 2020-06-11 08:30 | Tags: Malware SANS Internet Storm Center Security SANS ISC

[SANS ISC] Anti-Debugging Technique based on Memory Protection

I published the following diary on isc.sans.edu: “Anti-Debugging Technique based on Memory Protection”: Many modern malware samples implement defensive techniques. First of all, we have to distinguish sandbox-evasion and anti-debugging techniques. Today, sandboxes are an easy and quick way to categorize samples based on their behavior. Malware
Publish At: 2020-06-04 06:38 | Tags: Malware SANS Internet Storm Center Security

[SANS ISC] AgentTesla Delivered via a Malicious PowerPoint Add-In

I published the following diary on isc.sans.edu: “AgentTesla Delivered via a Malicious PowerPoint Add-In”: Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel documents can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common technique
Publish At: 2020-05-24 06:01 | Tags: Malware SANS Internet Storm Center Security AgentTesla Power

[SANS ISC] Using Nmap As a Lightweight Vulnerability Scanner

I published the following diary on isc.sans.edu: “Using Nmap As a Lightweight Vulnerability Scanner”: Yesterday, Bojan wrote a nice diary about the power of the Nmap scripting language (based on Lua). The well-known port scanner can be extended with plenty of scripts that are launched depending on the detected ports. When I read Bojan’s
Publish At: 2020-05-18 13:07 | Tags: SANS Internet Storm Center Security SANS ISC Vulnerability

[SANS ISC] Malicious Excel With a Strong Obfuscation and Sandbox Evasion

I published the following diary on isc.sans.edu: “Malicious Excel With a Strong Obfuscation and Sandbox Evasion”: For a few weeks, we have seen a bunch of Excel documents spread in the wild with Macro V4. But VBA macros remain a classic way to drop the next stage of the attack on the victim’s computer. The attacker has many ways to fetch the next st
Publish At: 2020-05-03 06:24 | Tags: Malware SANS Internet Storm Center Security Evasion Obfuscat