INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.
https://isc.sans.edu/about.html
A First Malicious OneNote Document
Published: 2023-01-25
Last Updated: 2023-01-25 08:45:41 UTC
by Xavier Mertens (Version: 1)
Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. OneNote files (with the extension ".one") are opened automatically on computers that have the Microsoft Office suite installed. Yesterday, my honeypot caught a first sample. This is a good opportunity to have a look at these files. The file, called "delivery-note.one", was delivered as an attachment to a classic phishing email.
Read the complete entry:
https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470/
Importance of signing in Windows environments
Published: 2023-01-20
Last Updated: 2023-01-20 09:29:29 UTC
by Bojan Zdrnja (Version: 1)
NTLM relaying has been a plague in Windows environments for many years – and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services.
While there are many potential targets here, in most red team engagements my colleagues and I relay credentials to other SMB, LDAP or HTTP(S) services (especially to AD CS servers, which issue certificates). So one of the mandatory “health check” activities should be to verify whether your systems really have signing enabled. Here are two *very simple* ways I do it when I encounter a large number of internal assets.
Read the complete entry:
https://isc.sans.edu/diary/Importance+of+signing+in+Windows+environments/29456/
SPF and DMARC use on 100k most popular domains
Published: 2023-01-19
Last Updated: 2023-01-19 11:16:28 UTC
by Jan Kopriva (Version: 1)
Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world[1]. The results weren’t too optimistic – it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published.
Since I created a quick script for gathering SPF and DMARC records for an arbitrary list of domains for that diary, I thought it might be interesting to use it again this week, hopefully to get some more optimistic data. Specifically, I used it to take a look at SPF and DMARC adoption on the world’s most popular domains – the top 100 thousand (as well as the top 10 thousand and the top 1 thousand) most visited domains according to the Tranco list[2].
Read the complete entry:
https://isc.sans.edu/diary/SPF+and+DMARC+use+on+100k+most+popular+domains/29452/
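The excerpt above counts domains with a "valid" SPF or DMARC record but does not show what that decision looks like. The following is an added example, not the diary author's script: it applies the record-selection rules of RFC 7208 (SPF) and RFC 7489 (DMARC) to a list of domains and reports the same kind of percentages. DNS is replaced by a constructed dictionary of TXT answers so it runs offline; the domain names and records in it are made up for illustration, and a real run would swap `lookup_txt` for an actual TXT resolver.

```python
"""Offline SPF/DMARC validity check over constructed TXT records (added example)."""
import re
from typing import Dict, List, NamedTuple

# Constructed TXT answers keyed by DNS name. These are sample records for
# hypothetical domains, not data gathered from the Tranco list.
TXT_RECORDS: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    # Two SPF records: RFC 7208 s4.5 makes this a permerror, so no usable SPF policy.
    "dup-spf.example": ["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 mx ~all"],
    # DMARC without the REQUIRED p= tag (RFC 7489 s6.3).
    "_dmarc.dup-spf.example": ["v=DMARC1; rua=mailto:reports@dup-spf.example"],
    "nospf.example": ["some-site-verification=abc123"],
    # Version tag must be exactly "v=DMARC1" (RFC 7489 s6.3); lowercase is discarded.
    "_dmarc.nospf.example": ["v=dmarc1; p=none"],
    "dmarc-only.example": [],
    "_dmarc.dmarc-only.example": ["v=DMARC1; p=quarantine; pct=50"],
    # A typo in a mechanism name ("includes:") makes the SPF record syntactically invalid.
    "typo.example": ["v=spf1 includes:_spf.example -all"],
    "_dmarc.typo.example": ["v=DMARC1; p=reject; adkim=s"],
}

SAMPLE_DOMAINS = ["good.example", "dup-spf.example", "nospf.example",
                  "dmarc-only.example", "typo.example"]

# One SPF term: optional qualifier + mechanism, or a redirect=/exp= modifier (RFC 7208 s5, s6).
SPF_TERM = re.compile(
    r"^(?:[+\-~?]?(?:all|include:\S+|a(?:[:/]\S+)?|mx(?:[:/]\S+)?|ptr(?::\S+)?"
    r"|ip4:\S+|ip6:\S+|exists:\S+)|(?:redirect|exp)=\S+)$", re.IGNORECASE)


class DomainStatus(NamedTuple):
    domain: str
    spf_valid: bool
    dmarc_valid: bool


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; replace with a real resolver for live data."""
    return TXT_RECORDS.get(name.lower().rstrip("."), [])


def spf_is_valid(records: List[str]) -> bool:
    # Keep only records whose version section is "v=spf1" followed by a space or the end
    # of the record; exactly one such record may exist (RFC 7208 s4.5).
    spf = [r for r in records if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(spf) != 1:
        return False
    # Every remaining term must parse as a known mechanism or modifier.
    return all(SPF_TERM.match(term) for term in spf[0].split()[1:])


def parse_dmarc_tags(record: str) -> List[tuple]:
    """Split 'tag=value; tag=value' into ordered pairs; return [] on a malformed tag."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return []
        key, value = part.split("=", 1)
        tags.append((key.strip(), value.strip()))
    return tags


def dmarc_is_valid(records: List[str]) -> bool:
    # Records not starting with "v=DMARC1" are discarded; if more than one remains,
    # DMARC processing stops, so the domain effectively has no policy (RFC 7489 s6.6.3).
    candidates = [r for r in records if r.startswith("v=DMARC1")]
    if len(candidates) != 1:
        return False
    tags = parse_dmarc_tags(candidates[0])
    if not tags or tags[0] != ("v", "DMARC1"):  # v= must be the first tag
        return False
    # p= is REQUIRED with one of three values (s6.3). Receivers may fall back to p=none when
    # p is absent but rua is present (s6.6.3); this check treats that as not valid.
    return dict(tags).get("p") in {"none", "quarantine", "reject"}


def check_domain(domain: str) -> DomainStatus:
    return DomainStatus(domain,
                        spf_is_valid(lookup_txt(domain)),
                        dmarc_is_valid(lookup_txt("_dmarc." + domain)))


def summarize(domains: List[str]) -> Dict[str, float]:
    """Percentage of domains with a valid SPF and a valid DMARC record."""
    statuses = [check_domain(d) for d in domains]
    n = len(statuses) or 1
    return {"spf_pct": 100.0 * sum(s.spf_valid for s in statuses) / n,
            "dmarc_pct": 100.0 * sum(s.dmarc_valid for s in statuses) / n}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(check_domain(d))
    print(summarize(SAMPLE_DOMAINS))
```

The strict reading of "valid" here (a single `v=spf1` record with only known terms; a single `v=DMARC1` record with a usable `p=`) is one reasonable definition; a survey that accepts the RFC 7489 `rua` fallback, or that ignores SPF syntax errors, will report higher numbers, so the definition should be stated alongside any adoption figure.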