INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Python Bot Delivered Through DLL Side-Loading
Published: 2025-03-18
Last Updated: 2025-03-18 09:12:46 UTC
by Xavier Mertens (Version: 1)
One of my hunting rules triggered some suspicious Python code, and, diving deeper, I found an interesting example of DLL side-loading. This technique involves placing a malicious DLL with the same name and export structure as a legitimate DLL in a location the application checks first, causing the application to load the malicious DLL instead of the intended one. This is a classic vulnerability seen for years in a lot of software. The attacker also implemented simple tricks to bypass classic security controls.
The malware is delivered through a ZIP archive: 'Hootsuite<.>zip'. The archive contains some files that have the Hidden protection flag ...
Read the full entry: https://isc.sans.edu/diary/Python+Bot+Delivered+Through+DLL+SideLoading/31778/
File Hashes Analysis with Power BI from Data Stored in DShield SIEM
Published: 2025-03-12
Last Updated: 2025-03-13 00:41:51 UTC
by Guy Bruneau (Version: 1)
I previously used Power BI to analyze DShield sensor data, and this time I wanted to show how it could be used by selecting a certain type of data as a large dataset and exporting it for analysis. This time, I ran a query in Elastic Discover and exported that data in CSV format to analyze it in Power BI. The first step was to run a query in Discover and select the past 60 days with the following query ...
Next was to export that data to a CSV file (figure: Kibana_Export_CSV).
The next step is to import the data into Power BI for analysis. In Power BI, select Excel workbook, select all files, open the file you exported from Kibana, and then click Load. From the interface, start building the visualization you want to analyze.
First, configure the @timestamp to split the date and time by selecting Transform data and right-clicking on the @timestamp to Remove Duplicates to create 2 columns ...
Read the full entry: https://isc.sans.edu/diary/File+Hashes+Analysis+with+Power+BI+from+Data+Stored+in+DShield+SIEM/31764/
Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing)
Published: 2025-03-12
Last Updated: 2025-03-12 14:42:07 UTC
by Johannes Ullrich (Version: 1)
Today, I noticed increased scans for the VMware Hybrid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMware vulnerabilities, either to determine if the system is running the extensions or to gather additional information to aid exploitation.
Initially, based on the URL, I suspected brute forcing. However, after reviewing some complete requests (see below), it turns out that these attempts are exploiting the Log4j vulnerability ...