Category: SANS™ Internet Storm Center

Since posting a diary about Vega-Lite [1], I have "played" with other queries that might be interesting and the first one that I wanted to explore since the DShield SIEM [2] capture and parse the iptables

A few months ago, I wrote a diary[1] about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Last week, I posted a diary about suspicious Python modules. One of them was Firebase [1], the cloud service provided by Google[2]. Firebase services abused by attackers is not new, usually, it’s used to host malicious

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

There is a common technique used by attackers: They append some data at the end of files (this is called an overlay). This can be used for two main reasons: To hide the appended data from

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

YARA-X is not just a rewrite of YARA in Rust, it comes with new features too. One of these features is the dump command: yr.exe dump ... YARA-X can parse several file formats natively, to support

YARA 4.5.2 was released with 3 small changes and 4 bugfixes.   Didier Stevens Senior handler blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In an earlier diary [1], I reviewed how using tools like DBSCAN [2] can be useful to group similar data. I used DBSCAN to try and group similar commands submitted to Cowrie [3] and URL paths