-

Simple SSH Backdoor, (Mon, Jun 2nd)
For most system and network administrators, the free SSH client PuTTY has been their best friend for years! This tool was also (ab)used by attackers who deployed a trojanized version[1]. Microsoft had the good idea to include OpenSSH (beta version) in the Windows 10 Fall Creators Update. One year later, it became a default component with Windows…
-
YARA 4.5.3 Release, (Sun, Jun 1st)
YARA 4.5.3 was released with 5 bugfixes. I want to take this as an opportunity to remind you that YARA is to be replaced by YARA-X, a rewrite in Rust. YARA-X is already powering VirusTotal. Didier Stevens, Senior Handler, blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-

A PNG Image With an Embedded Gift, (Sat, May 31st)
While hunting, I found an interesting picture. It’s a PNG file that was concatenated with two interesting payloads. Some file formats are good candidates for having data appended at the end of the file. PNG is one of them because the file format specification says: “One notable restriction is that IHDR must appear first and IEND must appear…
-
ISC Stormcast For Friday, May 30th, 2025 https://isc.sans.edu/podcastdetail/9472, (Fri, May 30th)
-

Usage of “passwd” Command in DShield Honeypots, (Fri, May 30th)
DShield honeypots [1] receive different types of attack traffic, and the volume of that traffic can change over time. I’ve been collecting data from a half dozen honeypots for a little over a year to make comparisons. This data includes: Cowrie logs [2], which contain SSH and telnet attacks; web honeypot logs; firewall logs (iptables)…
-
ISC Stormcast For Thursday, May 29th, 2025 https://isc.sans.edu/podcastdetail/9470, (Thu, May 29th)
-
Alternate Data Streams: Adversary Defense Evasion and Detection [Guest Diary], (Wed, May 28th)
[This is a Guest Diary by Ehsaan Mavani, an ISC intern as part of the SANS.edu BACS program] Introduction Adversaries are leveraging alternate data streams to hide malicious data with the intent of evading detection. Numerous malicious programs have been designed to read from and write to alternate data streams [1]. To better assist in…
-
[Guest Diary] Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack, (Wed, May 28th)
[This is a Guest Diary by Jennifer Wilson, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program [1].] As part of my BACS internship with SANS, I set up and maintained a DShield honeypot instance using a physical Raspberry Pi device. As I was putting together each of my attack…
-
ISC Stormcast For Wednesday, May 28th, 2025 https://isc.sans.edu/podcastdetail/9468, (Wed, May 28th)
-
Securing Your SSH authorized_keys File, (Tue, May 27th)
This is nothing “amazingly new”, but more of a reminder to secure your “authorized_keys” file for SSH. One of the first things I see even simple bots do to obtain persistent access to a UNIX system is add a key to the authorized_keys file of whatever account they are compromising. So here are a…

