Since posting a diary about Vega-Lite [1], I have "played" with other queries that might be interesting and the first one that I wanted to explore since the DShield SIEM [2] capture and parse the iptables
Continue ReadingCategory: SANS™ Internet Storm Center
Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th)
A few months ago, I wrote a diary[1] about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic
Continue ReadingISC Stormcast For Wednesday, September 18th, 2024 https://isc.sans.edu/podcastdetail/9142, (Wed, Sep 18th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Continue Reading23:59, Time to Exfiltrate!, (Tue, Sep 17th)
Last week, I posted a diary about suspicious Python modules. One of them was Firebase [1], the cloud service provided by Google[2]. Firebase services abused by attackers is not new, usually, it’s used to host malicious
Continue ReadingISC Stormcast For Tuesday, September 17th, 2024 https://isc.sans.edu/podcastdetail/9140, (Tue, Sep 17th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Continue ReadingManaging PE Files With Overlays, (Mon, Sep 16th)
There is a common technique used by attackers: They append some data at the end of files (this is called an overlay). This can be used for two main reasons: To hide the appended data from
Continue ReadingISC Stormcast For Monday, September 16th, 2024 https://isc.sans.edu/podcastdetail/9138, (Mon, Sep 16th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Continue ReadingYARA-X’s Dump Command, (Sun, Sep 15th)
YARA-X is not just a rewrite of YARA in Rust, it comes with new features too. One of these features is the dump command: yr.exe dump ... YARA-X can parse several file formats natively, to support
Continue ReadingYARA 4.5.2 Release, (Sat, Sep 14th)
YARA 4.5.2 was released with 3 small changes and 4 bugfixes. Didier Stevens Senior handler blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Continue ReadingFinding Honeypot Data Clusters Using DBSCAN: Part 2, (Fri, Sep 13th)
In an earlier diary [1], I reviewed how using tools like DBSCAN [2] can be useful to group similar data. I used DBSCAN to try and group similar commands submitted to Cowrie [3] and URL paths
Continue Reading