Remote desktop protocol (RDP) is designed by Microsoft for remote management of Windows-based virtual desktops. It provides users a graphical interface to connect over the network to a remote computer. Having a remote access feature leaves the door open for attackers.
I’ll use this post to summarise some of the information and commands that I use when investigating an RDP incident.
Note that RDP connections are usually done via tcp/3389.
Investigating RDP goes best in … Read more.
I published an article on IBM Security Intelligence on What Are the Different Types of Cyberthreat Intelligence?.
The article covers analysing the The Different Types of Threat Intelligence and the prerequisites to Start With a Cyberthreat Intelligence Program.
Cisco Talos published an analysis on the new VPNFilter malware that targets at least 500K networking devices worldwide. The post describes how the stage 1 of the malware extracts IP coordinates from the GPS latitude and longitude fields in the EXIF information of images.
A post by Kaspersky further analysed the VPNFilter EXIF to C2 mechanism. Unfortunately all the photobucket.com galleries that were used by the malware as storage for the images have been deleted. … Read more.
I published an article on IBM Security Intelligence on Analyzing PDF and Office Documents Delivered Via Malspam .
The article covers analysing the static properties of malspam and further in depth analysis of malspam via for example the tools from Didier Stevens.
I published an article on IBM Security Intelligence on How to Choose the Right Malware Classification Scheme to Improve Incident Response.
The article covers malware classification in an ideal world, some of the existing classification schemes and how machine-parsable malware classification can help make incident response processes more fluent.
Twitter is a great source for conducting open source intelligence. One of my favorite tools is Tweetsniff from Xavier Mertens. It will grab a Twitter user timeline for further processing, for example in Elasticsearch.
Another tool that I recently discovered is Tinfoleak. Tinfoleak is build for Twitter intelligence analysis and provides you with an HTML file output.
I wanted to use Tinfoleak to build profiles of users to tune targeted phishing campaigns (spear phishing) for … Read more.
I published an article on IBM Security Intelligence on Reducing Dwell Time With Automated Incident Response. The article covers collecting event information, sharing intelligence data and then moving towards automated incident response together with automated digital forensic acquisition (with MIG & GRR).
The incident response orchestration process covers TheHive, MISP, LogicHub and VMRay to extend further on automation.
Another day, another phish. This day it concerns a phishing e-mail for a Belgian bank. The phishing e-mail looked like this The link is only viewable if you enable HTML content in the e-mail client.
The link points to the URL shortening service Bitly and then follows a couple of redirects (including another URL shortening service).
bitly.com, via HTTPS, received 301 Moved Permanently; go2l.ink, via HTTP, received 302 FOUND; A PHP page … Read more.
When you do analysis of malware in for example x64dbg or IDA Pro it’s important that you understand how functions are called, what arguments are passed to the function and how to recognize the local variables within that function.
Further down in this post are my notes from the SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course and the The IDA Pro Book.
First some core concepts.
A function is a … Read more.
I did my first podcast interview for Risky Business (hosted by Patrick Gray) and described how I use VMRay for automated malware analysis. I enjoyed it a lot! You can listen to at Risky Business #480 — Uber, Kaspersky woes continue, the part on VMRay starts at 41:30.
If you’re interested in integrating VMRay with MISP then have a look at
MISP EcoSystem – Threat Intelligence, VMRay, MISP from Koen Van Impe … Read more.
Graphs made with cudeso posts stats
By continuing to use the site, you agree to the use of cookies. more information
An HTTP cookie, is a small piece of text sent from a website and stored in your web browser. Cookies are a reliable mechanism for websites to remember your preferences and improve your browsing experience.
If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.