ISC Handlers - SANS Internet Storm Center

Back to Handlers

A 'Zip Bomb' to Bypass Security Controls & Sandboxes
Use Your Browser Internal Password Vault... or Not?
Octopus Backdoor is Back with a New Embedded Obfuscated Bat File
Simple PDF Linking to Malicious Content
Multi-Cryptocurrency Clipboard Swapper
XLSB Files: Because Binary is Stealthier Than XML
Malware Delivered Through Free Sharing Tool
Clean Binaries with Suspicious Behaviour
Keep an Eye on WebSockets
Credentials Leaks on VirusTotal
Infostealer in a Batch File
Ukraine & Russia Situation From a Domain Names Perspective
A Good Old Equation Editor Vulnerability Delivering Malware
Remcos RAT Delivered Through Double Compressed Archive
Who Are Those Bots?
CinaRAT Delivered Through HTML ID Attributes
Automation is Nice But Don't Replace Your Knowledge
Be careful with RPMSG files
Malicious ISO Embedded in an HTML Page
Mixed VBA & Excel4 Macro In a Targeted Excel Sheet
Obscure Wininet.dll Feature?
RedLine Stealer Delivered Through FTP
Custom Python RAT Builder
Malicious Python Script Targeting Chinese People
Code Reuse In the Malware Landscape
A Simple Batch File That Blocks People
McAfee Phishing Campaign with a Nice Fake Scan
Nicely Crafted indeed.com Login Page
More Undetected PowerShell Dropper
Simple but Undetected PowerShell Backdoor
Python Shellcode Injection From JSON Data
The Importance of Out-of-Band Networks
The UPX Packer Will Never Die!
Info-Stealer Using webhook.site to Exfiltrate Data
Downloader Disguised as Excel Add-In (XLL)
JavaScript Downloader Delivers Agent Tesla Trojan
Shadow IT Makes People More Vulnerable to Phishing
(Ab)Using Security Tools & Controls for the Bad
Thanks to COVID-19, New Types of Documents are Lost in The Wild
Malicious PowerShell Using Client Certificate Authentication
Port-Forwarding with Windows for the Win
New Tool to Add to Your LOLBAS List: cvtres.exe
Keep an Eye on Your Users Mobile Devices (Simple Inventory)
Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
Malicious Calendar Subscriptions Are Back?
Attackers Will Always Abuse Major Events in our Lifes
Cryptocurrency Clipboard Swapper Delivered With Love
Waiting for the C2 to Show Up
Malicious Microsoft Word Remains A Key Infection Vector
Infected With a .reg File
Malicious Content Delivered Through archive.org
Agent.Tesla Dropped via a .daa Image and Talking to Telegram
Multiple BaseXX Obfuscations
Using Sudo with Python For More Security Controls
Python DLL Injection Check
Kaseya VSA Users Hit by Ransomware
"inception.py"... Multiple Base64 Encodings
Do you Like Cookies? Some are for sale!
Easy Access to the NIST RDS Database
Sonicwall SRA 4600 Targeted By an Old Vulnerability
Keeping an Eye on Dangerous Python Modules
Russian Dolls VBS Obfuscation
Malicious PowerShell Hosted on script.google.com
Locking Kernel32.dll As Anti-Debugging Technique
"Serverless" Phishing Campaign
From RunDLL32 to JavaScript then PowerShell
"Open" Access to Industrial Systems Interface is Also Far From Zero
Alternative Ways To Perform Basic Tasks
From Python to .Net
Deeper Analyzis of my Last Malicious PowerPoint Add-On
Malicious PowerPoint Add-On: "Small Is Beautiful"
How Safe Are Your Docker Images?
HTTPS Support for All Internal Services
No Python Interpreter? This Simple RAT Installs Its Own Copy
Simple Powershell Ransomware Creating a 7Z Archive of your Files
C2 Activity: Sandboxes or Real Victims?
Quick Analysis of a Modular InfoStealer
Jumping into Shellcode
Pastebin.com Used As a Simple C2 Channel
Simple Python Keylogger
Defenders, Know Your Operating System Like Attackers Do!
Spotting the Red Team on VirusTotal!
Spam Farm Spotted in the Wild
From VBS, PowerShell, C Sharp, Process Hollowing to RAT
Dynamic Data Exchange (DDE) is Back in the Wild?
The new "LinkedInSecureMessage" ?
AgentTesla Dropped Through Automatic Click in Microsoft Help File
VBA Macro Trying to Alter the Application Menus
New Example of XSL Script Processing aka "Mitre T1220"
Sensitive Data Shared with Cloud Services
Another File Extension to Block in your MTA: .jnlp
Powershell Dropping a REvil Ransomware
Malicious Word Document Delivering an Octopus Backdoor
Malware Victim Selection Through WiFi Identification
Python Backdoor Talking to a C2 Through Ngrok
Live Patching Windows API Calls Using PowerShell
Malicious Python Code and LittleSnitch Detection
PowerShell Dropper Delivering Formbook
When Security Controls Lead to Security Issues
Old Worm But New Obfuscation Technique
How Attackers Brush Up Their Malicious Scripts
Did You Spot "Invoke-Expression"?
Quick Status of the CAA DNS Record Adoption
Mirai-alike Python Scanner
Nicely Obfuscated Python RAT
Analysis of a Phishing Kit
Managing Remote Access for Partners & Contractors
PowerShell Backdoor Launched from a ShellCode
Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client
Party in Ibiza with PowerShell
Malicious Word Document with Dynamic Content
A Mix of Python & VBA in a Malicious Word Document
Suspicious Endpoint Containment with OSSEC
Sandbox Evasion Using NTP
Python and Risky Windows API Calls
Example of Malicious DLL Injected in PowerShell
Malicious Excel Sheet with a NULL VT Score
Keep An Eye on LOLBins
Tracking A Malware Campaign Through VT
Example of Word Document Delivering Qakbot
Using API's to Track Attackers
A Fork of the FTCode Powershell Ransomware
Powershell Bot with Multiple C2 Protocols
Compromized Desktop Applications by Web Technologies
Simple Blocklisting with MISP & pfSense
If You Want Something Done Right, You Have To Do It Yourself... Malware Too!
Sextortion to The Next Level
Malicious Excel Delivering Fileless Payload
Anti-Debugging JavaScript Techniques
Anti-Debugging Technique based on Memory Protection
Flashback on CVE-2019-19781
AgentTesla Delivered via a Malicious PowerPoint Add-In
Malware Triage with FLOSS: API Calls Based Behavior
Using Nmap As a Lightweight Vulnerability Scanner
Keeping an Eye on Malicious Files Life Time
Collecting IOCs from IMAP Folder
Powershell Payload Stored in a PSCredential Object
Malicious Excel With a Strong Obfuscation and Sandbox Evasion
Weaponized RTF Document Generator & Mailer in PowerShell
PowerShell Sample Extracting Payload From SSL
Obfuscated with a Simple 0x0A
Malicious JavaScript Dropping Payload in the Registry
Very Large Sample as Evasion Technique?
COVID-19 Themed Multistage Malware
Critical SMBv3 Vulnerability: Remote Code Execution
Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account
A Safe Excel Sheet Not So Safe
Will You Put Your Password in a Survey?
Show me Your Clipboard Data!
Offensive Tools Are For Blue Teams Too
Simple but Efficient VBScript Obfuscation
Quick Analysis of an Encrypted Compound Document Format
Keep an Eye on Command-Line Browsers
Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript
Why Phishing Remains So Popular?
Complex Obfuscation VS Simple Trick
More Data Exfiltration
Quick Analyzis of a(nother) Maldoc
Ransomware in Node.js
Bypassing UAC to Install a Cryptominer
Code & Data Reuse in the Malware Ecosystem
My Little DoH Setup
Abusing Web Filters Misconfiguration for Reconnaissance
Microsoft Apps Diverted from Their Main Use
Keep an Eye on Remote Access to Mailboxes
Generating PCAP Files from YAML
Quick Malicious VBS Analysis
Security Monitoring: At Network or Host Level?
"Lost_Files" Ransomware
New Scans for Polycom Autoconfiguration Files
Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs
Blocklisting or Whitelisting in the Right Way
Agent Tesla Trojan Abusing Corporate Email Accounts
Rig Exploit Kit Delivering VBScript
Blocking Firefox DoH with Bind
PowerShell Script with a builtin DLL
Private IP Addresses in Malware Samples?
Malware Dropping a Local Node.js Instance
Malware Samples Compiling Their Next Stage on Premise
Simple Mimikatz & RDPWrapper Dropper
100% JavaScript Phishing Page
May People Be Considered as IOC?
Malicious PHP Script Back on Stage?
Analyzis of DNS TXT Records
Russian Dolls Malicious Script Delivering Ursnif
Malicious Script With Multiple Payloads
Using a Travel Packing App for Infosec Purpose
Interesting JavaScript Obfuscation Example
Keep an Eye on Your WMI Logs
Behavioural Malware Analysis with Microsoft ASA
The Risk of Authenticated Vulnerability Scans
From Phishing To Ransomware?
DSSuite - A Docker Container with Didier's Tools
Another Day, Another Suspicious UDF File
Malware Sample Delivered Through UDF Image
New Waves of Scans Detected by an Old Rule
Running your Own Passive DNS Service
New Wave of Extortion Emails: Central Intelligence Agency Case
Keep an Eye on Disposable Email Addresses
Simple Powershell Keyloggers are Back
Old H-Worm Delivered Through GitHub
Suspicious PDF Connecting to a Remote SMB Share
Phishing Kit with JavaScript Keylogger
Tracking Unexpected DNS Changes
DNS Firewalling with MISP
Malicious Script Leaking Data via FTP
Using OSSEC Active-Response as a DFIR Framework
Microsoft OOB Patch for Internet Explorer: Scripting Engine Memory Corruption Vulnerability
Restricting PowerShell Capabilities with NetSh
Phishing Attack Through Non-Delivery Notification
More obfuscated shell scripts: Fake MacOS Flash update
Obfuscated bash script targeting QNap boxes
Divided Payload in Multiple Pasties
VMware Affected by Dell EMC Avamar Vulnerability
Querying DShield from Cortex
The Challenge of Managing Your Digital Library
Quickly Investigating Websites with Lookyloo
Basic Obfuscation With Permissive Languages
Malicious Powershell Script Dissection
Dissecting Malicious Office Documents with Linux
Diving into Malicious AutoIT Code
Malicious Powershell using a Decoy Picture
More Equation Editor Exploit Waves
New Campaign Using Old Equation Editor Vulnerability
"OG" Tools Remain Valuable
More Excel DDE Code Injection
Hunting for Suspicious Processes with OSSEC
Malware Delivered Through MHT Files
Crypto Mining in a Windows Headless Browser
Malicious PowerShell Compiling C# Code on the Fly
3D Printers in The Wild, What Can Go Wrong?
Crypto Mining Is More Popular Than Ever!
Microsoft Publisher Files Delivering Malware
Simple Phishing Through formcrafts.com
Malicious DLL Loaded Through AutoIT
Truncating Payloads and Anonymizing PCAP files
Exploiting the Power of Curl
Windows Batch File Deobfuscation
Searching for Geographically Improbable Login Attempts
Cryptominer Delivered Though Compromized JavaScript File
Are Your Hunting Rules Still Working?
PowerShell: ScriptBlock Logging... Or Not?
Malicious JavaScript Targeting Mobile Browsers
A Bunch of Compromized Wordpress Sites
Converting PCAP Web Traffic to Apache Log
Malicious Post-Exploitation Batch File
Antivirus Evasion? Easy as 1,2,3
"Blocked" Does Not Mean "Forget It"
Malware Distributed via .slk Files
Malicious Powershell Targeting UK Bank Customers
Nice Phishing Sample Delivering Trickbot
Adding Persistence Via Scheduled Tasks
Diving into a Simple Maldoc Generator
Malicious Network Traffic From /bin/bash
The real value of an IOC?
Webshell looking for interesting files
A Suspicious Use of certutil.exe
How are Your Vulnerabilities?
Windows IRC Bot in the Wild
Extending Hunting Capabilities in Your Network
Automatic Hunting for Malicious Files Crossing your Network
Surge in blackmailing?
Administrator's Password Bad Practice
Payload delivery via SMB
CRIMEB4NK IRC Bot
Malicious Bash Script with Multiple Features
The Crypto Miners Fight For CPU Cycles
Reminder: Beware of the "Cloud"
Common Patterns Used in Phishing Campaigns Files
Malware Delivered via Windows Installer Files
Simple but Effective Malicious XLS Sheet
Adaptive Phishing Kit
Investigating Microsoft BITS Activity
Ransomware as a Service
Comment your Packet Captures!
Mining or Nothing!
2017, The Flood of CVEs
Example of 'MouseOver' Link in a Powerpoint File
Microsoft Office VBA Macro Obfuscation via Metadata
Tracking Newly Registered Domains
StartSSL: Termination of Services is Now Scheduled
Using Bad Material for the Good
Phishing Kit (Ab)Using Cloud Services
Apple High Sierra Uses a Passwordless Root Account
Fileless Malicious PowerShell Sample
Proactive Malicious Domain Search
Top-100 Malicious IP STIX Feed
Suspicious Domains Tracking Dashboard
If you want something done right, do it yourself!
Keep An Eye on your Root Certificates
Interesting VBA Dropper
Simple Analysis of an Obfuscated JAR File
Some Powershell Malicious Code
BadRabbit: New ransomware wave hitting RU & UA
Stop relying on file extensions
Version control tools aren't only for Developers
Base64 All The Things!
Investigating Security Incidents with Passive DNS
The easy way to analyze huge amounts of PCAP data
Getting some intelligence from malspam
Another webshell, another backdoor!
AutoIT based malware back in the wild
Malicious AutoIT script delivered in a self-extracting RAR file
Malicious script dropping an executable signed by Avast?
Defang all the things!
Maldoc with auto-updated link
Analysis of a Paypal phishing kit
Increase of phpMyAdmin scans
TinyPot, My Small Honeypot
Bots Searching for Keys & Config Files
Backup Scripts, the FIM of the Poor
A VBScript with Obfuscated Base64 Data
Obfuscating without XOR
Systemd Could Fallback to Google DNS?
Phishing Campaigns Follow Trends
Sharing Private Data with Webcast Invitations
Critical Vulnerability in Samba from 3.5.0 onwards
Typosquatting: Awareness and Hunting
My Little CVE Bot
Massive wave of ransomware ongoing
When Bad Guys are Pwning Bad Guys...
The story of the CFO and CEO...
HTTP Headers... the Achilles' heel of many applications
Another Day, Another Obfuscation Technique
Analysis of a Maldoc with Multiple Layers of Obfuscation
DNS Query Length... Because Size Does Matter
Hunting for Malicious Excel Sheets
Tracking Website Defacers with HTTP Referers
Whitelists: The Holy Grail of Attackers
Pro & Con of Outsourcing your SOC
Diverting built-in features for the bad
Critical VMware vulnerabilities disclosed
Logical & Physical Security Correlation
Nicely Obfuscated JavaScript Sample
Searching for Base64-encoded PE Files
Example of Multiple Stages Dropper
Retro Hunting!
The Side Effect of GeoIP Filters
Not All Malware Samples Are Complex
How your pictures may affect your website reputation
Amazon S3 Outage
Analysis of a Simple PHP Backdoor
How was your stay at the Hotel La Playa?
Analysis of a Suspicious Piece of JavaScript
Many Malware Samples Found on Pastebin
Detecting Undisclosed Vulnerabilities with Security Tools & Features
Quick Analysis of Data Left Available by Attackers
IOC's: Risks of False Positive Alerts Flood Ahead
Malicious SVG Files in the Wild
Backup Files Are Good but Can Be Evil
Who's Attacking Me?
Using Security Tools to Compromize a Network
Ongoing Scans Below the Radar
UAC Bypass in JScript Dropper
The Passwords You Should Never Use
Free Software Quick Security Checklist
Example of Getting Analysts & Researchers Away
Full Packet Capture for Dummies
Another Day, Another Spam...
Spam Delivered via .ICS Files
WiFi Still Remains a Good Attack Vector
Another Day, Another Malicious Behaviour
SNMP Pwn3ge
In Need of a OTP Manager Soon?
Ongoing IMAP Scan, Anyone Else?
Collecting Users Credentials from Locked Devices
Malware Delivered via '.pub' Files
Maxmind.com (Ab)used As Anti-Analysis Technique
Out-of-Band iOS Patch Fixes 0-Day Vulnerabilities
Example of Targeted Attack Through a Proxy PAC File
Voice Message Notifications Deliver Ransomware
Data Classification For the Masses
Analyze of a Linux botnet client source code
Critical Xen PV guests vulnerabilities
Name All the Things!
The Power of Web Shells
Drupal: Patch released today to fix a highly critical RCE in contributed modules
Hunting for Malicious Files with MISP + OSSEC
Phishing Campaign with Blurred Images
Ongoing Spam Campaign Related to Swift
Using Your Password Manager to Monitor Data Leaks
Offensive or Defensive Security? Both!
Docker Containers Logging
Keeping an Eye on Tor Traffic
MISP - Malware Information Sharing Platform
Another Day, Another Wave of Phishing Emails
Microsoft BITS Used to Download Payloads
Windows Command Line Persistence?
What to watch with your FIM?
Improving Bash Forensics Capabilities
IP Addresses Triage
Dockerized DShield SSH Honeypot
SSH Honeypots (Ab)used as Proxy
OSX Ransomware Spread via a Rogue BitTorrent Client Installer
Another Malicious Document, Another Way to Deliver Malicious Code
Quick Audit of *NIX Systems
Analyzis of a Malicious .lnk File with an Embedded Payload
VMware VMSA-2016-0002
Reducing False Positives with Open Data Sources
Hunting for Executable Code in Windows Environments
More Malicious JavaScript Obfuscation
EMET 5.5 Released
Automating Vulnerability Scans
All CVE Details at Your Fingertips
Scripting Web Categorization
/tmp, %TEMP%, ~/Desktop, T:\, ... A goldmine for pentesters!
JavaScript Deobfuscation Tool
Virtual Bitlocker Containers
Hunting for Juicy Information
Unity Makes Strength
Playing With Sandboxes Like a Boss
Enforcing USB Storage Policy with PowerShell
Tracking SSL Certificates
Automatic MIME attachments triage
SIEM is not a product, its a process...
Analyze of a malicious Word document with an embedded payload
Tracking HTTP POST data with ELK
USB cleaning device for the masses
Victim of its own success and (ab)used by malwares
The "Yes, but..." syndrome
AV Phone Scan via Fake BSOD Web Pages
Cyber Security Awareness Month... Through Proverbs
Tracking Privileged Accounts in Windows Environments
Detecting XCodeGhost Activity
The Wordpress Plugins Playground
Feeding DShield with OSSEC Logs
Hunting for IOC's with ioc-parser
Port Scanners: The Good and The Bad
Querying the DShield API from RTIR
Detecting file changes on Microsoft systems with FCIV