-
SANS ISC Internship Setup: AWS DShield Sensor + DShield SIEM [Guest Diary], (Tue, Nov 26th)
[This is a Guest Diary by John Paul Zaguirre , an ISC intern as part of the SANS.edu BACS program] Introduction This is a blog post documentation on how to set up the DShield Sensor in AWS, DShield SIEM locally, and connecting them both. I initially setup a Raspberry Pi5 to use as a DShield…
-
ISC Stormcast For Wednesday, November 27th, 2024 https://isc.sans.edu/podcastdetail/9234, (Wed, Nov 27th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
![[Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware, (Tue, Nov 26th)](/wp-content/uploads/2024/11/2024-11-27_figure1-R9o2ix.png)
[Guest Diary] Using Zeek, Snort, and Grafana to Detect Crypto Mining Malware, (Tue, Nov 26th)
[This is a Guest Diary by David Fitzmaurice, an ISC intern as part of the SANS.edu Bachelor’s Degree in Applied Cybersecurity (BACS) program [1]. Over the last six months there have been frequent SSH connections leaving versions of the RedTail malware on my DShield Honeypot [2]. This variation of the malware is placed on a…
-
ISC Stormcast For Tuesday, November 26th, 2024 https://isc.sans.edu/podcastdetail/9232, (Tue, Nov 26th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
The strange case of disappearing Russian servers, (Mon, Nov 25th)
Few months ago, I noticed that something strange was happening with the number of servers seen by Shodan in Russia… In order to identify any unusual changes on the internet that might be worth a closer look, I have put together a simple script few years ago. It periodically goes over data that was gathered…
-
Quick & Dirty Obfuscated JavaScript Analysis, (Sun, Nov 24th)
As mentioned in diary entry “Increase In Phishing SVG Attachments“, I have a phishing SVG sample with heavily obfuscated JavaScript. As I didn’t want to spend time doing static analysis, I did a quick dynamic analysis instead. TL;DR: I open the SVG file in a VM disconnected from the Internet, and use Edge’s developer tools…
-
Decrypting a PDF With a User Password, (Sat, Nov 23rd)
In diary entry “Analyzing an Encrypted Phishing PDF“, I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn’t have to provide a password. What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document? The PDF…
-
Wireshark 4.4.2 Released, (Sat, Nov 23rd)
Wireshark release 4.4.2 fixes 2 vulnerabilities and 33 bugs. Didier Stevens Senior handler blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
-
An Infostealer Searching for « BIP-0039 » Data, (Fri, Nov 22nd)
I like obfuscation techniques implemented by malware developers. If their primary purpose is to defeat security controls and automatic scanners, they are a great starting point for malware analysts. Indeed, if some data or actions have been obfuscated, that means that they can disclose interesting TTP’s. When reviewing a malicious Python script, I found this piece…
-
ISC Stormcast For Friday, November 22nd, 2024 https://isc.sans.edu/podcastdetail/9230, (Fri, Nov 22nd)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
