INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Detecting (Malicious) OneNote Files
Published: 2023-02-01
Last Updated: 2023-02-01 08:57:26 UTC
by Didier Stevens (Version: 1)
We are starting to see malicious OneNote documents (cf. Xavier's diary entry "A First Malicious OneNote Document", https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470).
OneNote files have their own binary file format, documented in [MS-ONESTORE].
A OneNote file starts with GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.
Files contained in a OneNote file start with a header (FileDataStoreObject) followed by the embedded file itself. This header also starts with a GUID: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.
Hence, to detect OneNote files with embedded files, look for files that start with byte sequence E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 (that's GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}) and contain one or more instances of byte sequence E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC (that's GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}).
This detects OneNote files with embedded files, which are not necessarily malicious: an embedded file can simply be a picture, for example.
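One way to turn the two byte signatures above into a triage check is shown below. This is example code added here, not from the diary; the sample blobs are constructed for the demonstration and are not real OneNote files. It derives the on-disk byte sequences from the GUID strings with `uuid.UUID(...).bytes_le`, so you can confirm the little-endian layout matches the hex listed above.

```python
import uuid
from pathlib import Path
from typing import Dict, List

# GUIDs from [MS-ONESTORE]. .bytes_le yields the on-disk (little-endian) layout,
# i.e. E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 for the file header GUID.
ONESTORE_HEADER_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FILE_DATA_STORE_OBJECT_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le


def is_onenote(data: bytes) -> bool:
    """True when the blob starts with the OneNote file header GUID."""
    return data.startswith(ONESTORE_HEADER_GUID)


def find_embedded_file_offsets(data: bytes) -> List[int]:
    """Offsets of every FileDataStoreObject header GUID in the file.

    Each hit marks the start of a header; the embedded file bytes follow it."""
    offsets = []
    pos = data.find(FILE_DATA_STORE_OBJECT_GUID)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(FILE_DATA_STORE_OBJECT_GUID, pos + 1)
    return offsets


def triage(data: bytes) -> Dict[str, object]:
    """Is this a OneNote file, and how many embedded files does it carry?

    A non-zero count is a reason to look closer, not a verdict: the embedded
    file may be a harmless picture."""
    onenote = is_onenote(data)
    offsets = find_embedded_file_offsets(data) if onenote else []
    return {"onenote": onenote, "embedded_files": len(offsets), "offsets": offsets}


def triage_path(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk."""
    return triage(Path(path).read_bytes())


# Constructed samples (not real OneNote files): header GUID, filler, and
# FileDataStoreObject markers each followed by stand-in payload bytes.
SAMPLE_WITH_TWO_EMBEDDED = (
    ONESTORE_HEADER_GUID + b"\x00" * 64
    + FILE_DATA_STORE_OBJECT_GUID + b"A" * 16    # first embedded file at offset 80
    + b"\x00" * 32
    + FILE_DATA_STORE_OBJECT_GUID + b"\x89PNG"   # second embedded file at offset 144
)
SAMPLE_NO_EMBEDDED = ONESTORE_HEADER_GUID + b"\x00" * 128
NOT_ONENOTE = b"%PDF-1.7" + FILE_DATA_STORE_OBJECT_GUID  # marker present, wrong header
```

Running `triage` over a directory of attachments gives a quick count of OneNote files that embed something; the offsets let you carve the embedded files out for further inspection.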
Read the full entry:
https://isc.sans.edu/diary/Detecting+Malicious+OneNote+Files/29494/
Decoding DNS over HTTP(s) Requests
Published: 2023-01-30
Last Updated: 2023-01-30 16:51:54 UTC
by Johannes Ullrich (Version: 1)
I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.
Read the full entry:
https://isc.sans.edu/diary/Decoding+DNS+over+HTTPs+Requests/29488/
Live Linux IR with UAC
Published: 2023-01-26
Last Updated: 2023-01-26 23:07:32 UTC
by Tom Webb (Version: 1)
The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector, or UAC(1), created by Thiago Lahr. As you would expect, it gathers most live stats but also collects VirtualBox and Docker info and other data on the system. It can dump result files to SFTP, Azure, S3, and IBM storage natively.
With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made.
Read the full entry: