importing wildfire reports into misp and thehive

I’m experimenting with thehive and associated projects (misp in particular) and will be describing some issues I run into & how I’ve fixed them (fingers crossed). One of the first things I tried was to import events from wildfire to misp. I found a package called pan-stix and installed it on my osx box. RunningContinue reading “importing wildfire reports into misp and thehive”

Examining strange wscript behavior

We use cylance with script control, and periodically I review the outliers that have been blocked. I came across this one recently: wscript.exe “C:ProgramData{18E0DD83-92A2-5745-1464-C9078E2642C9}domo.txt” “68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e6574” “//B” “//E:jscript” “–IsErIk” I took a copy of the domo.txt script and uploaded to VT: I also ran that hex string through a hex decoder: 68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e = According toContinue reading “Examining strange wscript behavior”


Unfortunately, as of 16 April 2019, I’m still seeing traffic on this domain. Here are some others I’m seeing: dfbfb63dcaff96fbe9616fb806e4799f.com8d46980d994cc618aeed127df1b5c86d8acd86ce.info07bf396c25d9a624281c97752aee0247e4229b84.xyz07bf396c25d9a624281c97752aee0247e4229b84.com07bf396c25d9a624281c97752aee0247e4229b84.infod234304f57772cf6be78ab6c24a65c91ce896fff.xyzd2343

I’m now the proud owner of these domains: Why would I purchase such strange looking domains you ask? It all started long ago, while working for my enterprise. I saw some activity flagged by OpenDNS / Umbrella for some CnC traffic bound for these domains. It was being blocked but as IContinue reading “”

CAA Test Results

As promised, I’ve been testing Certification Authority Authorization (CAA) with some Certificate Authorities and here’s what I found so far: Amazon Certificate Manager (ACM) It does not appear they honor the IODEF since I didn’t receive an email. Let’s Encrypt appears to also block issuance: Let’s Encrypt (using lego) 2018/12/29 16:44:30 Could not obtain certificatesContinue reading “CAA Test Results”