- Party in Ibiza with PowerShell
- Malicious Word Document with Dynamic Content
- A Mix of Python & VBA in a Malicious Word Document
- Suspicious Endpoint Containment with OSSEC
- Sandbox Evasion Using NTP
- Python and Risky Windows API Calls
- Example of Malicious DLL Injected in PowerShell
- Malicious Excel Sheet with a NULL VT Score
- Keep An Eye on LOLBins
- Tracking A Malware Campaign Through VT
- Example of Word Document Delivering Qakbot
- Using API's to Track Attackers
- A Fork of the FTCode Powershell Ransomware
- Powershell Bot with Multiple C2 Protocols
- Compromized Desktop Applications by Web Technologies
- Simple Blocklisting with MISP & pfSense
- If You Want Something Done Right, You Have To Do It Yourself... Malware Too!
- Sextortion to The Next Level
- Malicious Excel Delivering Fileless Payload
- Anti-Debugging JavaScript Techniques
- Anti-Debugging Technique based on Memory Protection
- Flashback on CVE-2019-19781
- AgentTesla Delivered via a Malicious PowerPoint Add-In
- Malware Triage with FLOSS: API Calls Based Behavior
- Using Nmap As a Lightweight Vulnerability Scanner
- Keeping an Eye on Malicious Files Life Time
- Collecting IOCs from IMAP Folder
- Powershell Payload Stored in a PSCredential Object
- Malicious Excel With a Strong Obfuscation and Sandbox Evasion
- Weaponized RTF Document Generator & Mailer in PowerShell
- PowerShell Sample Extracting Payload From SSL
- Obfuscated with a Simple 0x0A
- Malicious JavaScript Dropping Payload in the Registry
- Very Large Sample as Evasion Technique?
- COVID-19 Themed Multistage Malware
- Critical SMBv3 Vulnerability: Remote Code Execution
- Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account
- A Safe Excel Sheet Not So Safe
- Will You Put Your Password in a Survey?
- Show me Your Clipboard Data!
- Offensive Tools Are For Blue Teams Too
- Simple but Efficient VBScript Obfuscation
- Quick Analysis of an Encrypted Compound Document Format
- Keep an Eye on Command-Line Browsers
- Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript
- Why Phishing Remains So Popular?
- Complex Obfuscation VS Simple Trick
- More Data Exfiltration
- Quick Analyzis of a(nother) Maldoc
- Ransomware in Node.js
- Bypassing UAC to Install a Cryptominer
- Code & Data Reuse in the Malware Ecosystem
- My Little DoH Setup
- Abusing Web Filters Misconfiguration for Reconnaissance
- Microsoft Apps Diverted from Their Main Use
- Keep an Eye on Remote Access to Mailboxes
- Generating PCAP Files from YAML
- Quick Malicious VBS Analysis
- Security Monitoring: At Network or Host Level?
- "Lost_Files" Ransomware
- New Scans for Polycom Autoconfiguration Files
- Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs
- Blocklisting or Whitelisting in the Right Way
- Agent Tesla Trojan Abusing Corporate Email Accounts
- Rig Exploit Kit Delivering VBScript
- Blocking Firefox DoH with Bind
- PowerShell Script with a builtin DLL
- Private IP Addresses in Malware Samples?
- Malware Dropping a Local Node.js Instance
- Malware Samples Compiling Their Next Stage on Premise
- Simple Mimikatz & RDPWrapper Dropper
- 100% JavaScript Phishing Page
- May People Be Considered as IOC?
- Malicious PHP Script Back on Stage?
- Analyzis of DNS TXT Records
- Russian Dolls Malicious Script Delivering Ursnif
- Malicious Script With Multiple Payloads
- Using a Travel Packing App for Infosec Purpose
- Interesting JavaScript Obfuscation Example
- Keep an Eye on Your WMI Logs
- Behavioural Malware Analysis with Microsoft ASA
- The Risk of Authenticated Vulnerability Scans
- From Phishing To Ransomware?
- DSSuite - A Docker Container with Didier's Tools
- Another Day, Another Suspicious UDF File
- Malware Sample Delivered Through UDF Image
- New Waves of Scans Detected by an Old Rule
- Running your Own Passive DNS Service
- New Wave of Extortion Emails: Central Intelligence Agency Case
- Keep an Eye on Disposable Email Addresses
- Simple Powershell Keyloggers are Back
- Old H-Worm Delivered Through GitHub
- Suspicious PDF Connecting to a Remote SMB Share
- Phishing Kit with JavaScript Keylogger
- Tracking Unexpected DNS Changes
- DNS Firewalling with MISP
- Malicious Script Leaking Data via FTP
- Using OSSEC Active-Response as a DFIR Framework
- Microsoft OOB Patch for Internet Explorer: Scripting Engine Memory Corruption Vulnerability
- Restricting PowerShell Capabilities with NetSh
- Phishing Attack Through Non-Delivery Notification
- More obfuscated shell scripts: Fake MacOS Flash update
- Obfuscated bash script targeting QNap boxes
- Divided Payload in Multiple Pasties
- VMware Affected by Dell EMC Avamar Vulnerability
- Querying DShield from Cortex
- The Challenge of Managing Your Digital Library
- Quickly Investigating Websites with Lookyloo
- Basic Obfuscation With Permissive Languages
- Malicious Powershell Script Dissection
- Dissecting Malicious Office Documents with Linux
- Diving into Malicious AutoIT Code
- Malicious Powershell using a Decoy Picture
- More Equation Editor Exploit Waves
- New Campaign Using Old Equation Editor Vulnerability
- "OG" Tools Remain Valuable
- More Excel DDE Code Injection
- Hunting for Suspicious Processes with OSSEC
- Malware Delivered Through MHT Files
- Crypto Mining in a Windows Headless Browser
- Malicious PowerShell Compiling C# Code on the Fly
- 3D Printers in The Wild, What Can Go Wrong?
- Crypto Mining Is More Popular Than Ever!
- Microsoft Publisher Files Delivering Malware
- Simple Phishing Through formcrafts.com
- Malicious DLL Loaded Through AutoIT
- Truncating Payloads and Anonymizing PCAP files
- Exploiting the Power of Curl
- Windows Batch File Deobfuscation
- Searching for Geographically Improbable Login Attempts
- Cryptominer Delivered Though Compromized JavaScript File
- Are Your Hunting Rules Still Working?
- PowerShell: ScriptBlock Logging... Or Not?
- Malicious JavaScript Targeting Mobile Browsers
- A Bunch of Compromized Wordpress Sites
- Converting PCAP Web Traffic to Apache Log
- Malicious Post-Exploitation Batch File
- Antivirus Evasion? Easy as 1,2,3
- "Blocked" Does Not Mean "Forget It"
- Malware Distributed via .slk Files
- Malicious Powershell Targeting UK Bank Customers
- Nice Phishing Sample Delivering Trickbot
- Adding Persistence Via Scheduled Tasks
- Diving into a Simple Maldoc Generator
- Malicious Network Traffic From /bin/bash
- The real value of an IOC?
- Webshell looking for interesting files
- A Suspicious Use of certutil.exe
- How are Your Vulnerabilities?
- Windows IRC Bot in the Wild
- Extending Hunting Capabilities in Your Network
- Automatic Hunting for Malicious Files Crossing your Network
- Surge in blackmailing?
- Administrator's Password Bad Practice
- Payload delivery via SMB
- CRIMEB4NK IRC Bot
- Malicious Bash Script with Multiple Features
- The Crypto Miners Fight For CPU Cycles
- Reminder: Beware of the "Cloud"
- Common Patterns Used in Phishing Campaigns Files
- Malware Delivered via Windows Installer Files
- Simple but Effective Malicious XLS Sheet
- Adaptive Phishing Kit
- Investigating Microsoft BITS Activity
- Ransomware as a Service
- Comment your Packet Captures!
- Mining or Nothing!
- 2017, The Flood of CVEs
- Example of 'MouseOver' Link in a Powerpoint File
- Microsoft Office VBA Macro Obfuscation via Metadata
- Tracking Newly Registered Domains
- StartSSL: Termination of Services is Now Scheduled
- Using Bad Material for the Good
- Phishing Kit (Ab)Using Cloud Services
- Apple High Sierra Uses a Passwordless Root Account
- Fileless Malicious PowerShell Sample
- Proactive Malicious Domain Search
- Top-100 Malicious IP STIX Feed
- Suspicious Domains Tracking Dashboard
- If you want something done right, do it yourself!
- Keep An Eye on your Root Certificates
- Interesting VBA Dropper
- Simple Analysis of an Obfuscated JAR File
- Some Powershell Malicious Code
- BadRabbit: New ransomware wave hitting RU & UA
- Stop relying on file extensions
- Version control tools aren't only for Developers
- Base64 All The Things!
- Investigating Security Incidents with Passive DNS
- The easy way to analyze huge amounts of PCAP data
- Getting some intelligence from malspam
- Another webshell, another backdoor!
- AutoIT based malware back in the wild
- Malicious AutoIT script delivered in a self-extracting RAR file
- Malicious script dropping an executable signed by Avast?
- Defang all the things!
- Maldoc with auto-updated link
- Analysis of a Paypal phishing kit
- Increase of phpMyAdmin scans
- TinyPot, My Small Honeypot
- Bots Searching for Keys & Config Files
- Backup Scripts, the FIM of the Poor
- A VBScript with Obfuscated Base64 Data
- Obfuscating without XOR
- Systemd Could Fallback to Google DNS?
- Phishing Campaigns Follow Trends
- Sharing Private Data with Webcast Invitations
- Critical Vulnerability in Samba from 3.5.0 onwards
- Typosquatting: Awareness and Hunting
- My Little CVE Bot
- Massive wave of ransomware ongoing
- When Bad Guys are Pwning Bad Guys...
- The story of the CFO and CEO...
- HTTP Headers... the Achilles' heel of many applications
- Another Day, Another Obfuscation Technique
- Analysis of a Maldoc with Multiple Layers of Obfuscation
- DNS Query Length... Because Size Does Matter
- Hunting for Malicious Excel Sheets
- Tracking Website Defacers with HTTP Referers
- Whitelists: The Holy Grail of Attackers
- Pro & Con of Outsourcing your SOC
- Diverting built-in features for the bad
- Critical VMware vulnerabilities disclosed
- Logical & Physical Security Correlation
- Nicely Obfuscated JavaScript Sample
- Searching for Base64-encoded PE Files
- Example of Multiple Stages Dropper
- Retro Hunting!
- The Side Effect of GeoIP Filters
- Not All Malware Samples Are Complex
- How your pictures may affect your website reputation
- Amazon S3 Outage
- Analysis of a Simple PHP Backdoor
- How was your stay at the Hotel La Playa?
- Analysis of a Suspicious Piece of JavaScript
- Many Malware Samples Found on Pastebin
- Detecting Undisclosed Vulnerabilities with Security Tools & Features
- Quick Analysis of Data Left Available by Attackers
- IOC's: Risks of False Positive Alerts Flood Ahead
- Malicious SVG Files in the Wild
- Backup Files Are Good but Can Be Evil
- Who's Attacking Me?
- Using Security Tools to Compromize a Network
- Ongoing Scans Below the Radar
- UAC Bypass in JScript Dropper
- The Passwords You Should Never Use
- Free Software Quick Security Checklist
- Example of Getting Analysts & Researchers Away
- Full Packet Capture for Dummies
- Another Day, Another Spam...
- Spam Delivered via .ICS Files
- WiFi Still Remains a Good Attack Vector
- Another Day, Another Malicious Behaviour
- SNMP Pwn3ge
- In Need of a OTP Manager Soon?
- Ongoing IMAP Scan, Anyone Else?
- Collecting Users Credentials from Locked Devices
- Malware Delivered via '.pub' Files
- Maxmind.com (Ab)used As Anti-Analysis Technique
- Out-of-Band iOS Patch Fixes 0-Day Vulnerabilities
- Example of Targeted Attack Through a Proxy PAC File
- Voice Message Notifications Deliver Ransomware
- Data Classification For the Masses
- Analyze of a Linux botnet client source code
- Critical Xen PV guests vulnerabilities
- Name All the Things!
- The Power of Web Shells
- Drupal: Patch released today to fix a highly critical RCE in contributed modules
- Hunting for Malicious Files with MISP + OSSEC
- Phishing Campaign with Blurred Images
- Ongoing Spam Campaign Related to Swift
- Using Your Password Manager to Monitor Data Leaks
- Offensive or Defensive Security? Both!
- Docker Containers Logging
- Keeping an Eye on Tor Traffic
- MISP - Malware Information Sharing Platform
- Another Day, Another Wave of Phishing Emails
- Microsoft BITS Used to Download Payloads
- Windows Command Line Persistence?
- What to watch with your FIM?
- Improving Bash Forensics Capabilities
- IP Addresses Triage
- Dockerized DShield SSH Honeypot
- SSH Honeypots (Ab)used as Proxy
- OSX Ransomware Spread via a Rogue BitTorrent Client Installer
- Another Malicious Document, Another Way to Deliver Malicious Code
- Quick Audit of *NIX Systems
- Analyzis of a Malicious .lnk File with an Embedded Payload
- VMware VMSA-2016-0002
- Reducing False Positives with Open Data Sources
- Hunting for Executable Code in Windows Environments
- More Malicious JavaScript Obfuscation
- EMET 5.5 Released
- Automating Vulnerability Scans
- All CVE Details at Your Fingertips
- Scripting Web Categorization
- /tmp, %TEMP%, ~/Desktop, T:\, ... A goldmine for pentesters!
- JavaScript Deobfuscation Tool
- Virtual Bitlocker Containers
- Hunting for Juicy Information
- Unity Makes Strength
- Playing With Sandboxes Like a Boss
- Enforcing USB Storage Policy with PowerShell
- Tracking SSL Certificates
- Automatic MIME attachments triage
- SIEM is not a product, its a process...
- Analyze of a malicious Word document with an embedded payload
- Tracking HTTP POST data with ELK
- USB cleaning device for the masses
- Victim of its own success and (ab)used by malwares
- The "Yes, but..." syndrome
- AV Phone Scan via Fake BSOD Web Pages
- Cyber Security Awareness Month... Through Proverbs
- Tracking Privileged Accounts in Windows Environments
- Detecting XCodeGhost Activity
- The Wordpress Plugins Playground
- Feeding DShield with OSSEC Logs
- Hunting for IOC's with ioc-parser
- Port Scanners: The Good and The Bad
- Querying the DShield API from RTIR
- Detecting file changes on Microsoft systems with FCIV
Threat Level: green
Handler on Duty: Johannes Ullrich
SANS ISC: ISC Handlers ISC Handlers
Questions? Feedback?
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
Have you seen our swag? Buy SANS ISC Gear
