Diaries by Keyword - SANS Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Jan Kopriva

Threat Level: green

Date	Author	Title
2024-06-20	Guy Bruneau	No Excuses, Free Tools to Help Secure Authentication in Ubuntu Linux [Guest Diary]
2024-06-13	Guy Bruneau	The Art of JQ and Command-line Fu [Guest Diary]
2024-03-28	Xavier Mertens	From JavaScript to AsyncRAT
2024-03-13	Xavier Mertens	Using ChatGPT to Deobfuscate Malicious Scripts
2024-02-20	Xavier Mertens	Python InfoStealer With Dynamic Sandbox Detection
2024-02-09	Xavier Mertens	MSIX With Heavily Obfuscated PowerShell Script
2024-01-26	Xavier Mertens	A Batch File With Multiple Payloads
2024-01-12	Xavier Mertens	One File, Two Payloads
2024-01-02	Johannes Ullrich	Fingerprinting SSH Identification Strings
2023-09-30	Xavier Mertens	Simple Netcat Backdoor in Python Script
2023-07-06	Jesse La Grew	IDS Comparisons with DShield Honeypot Data
2023-06-16	Xavier Mertens	Another RAT Delivered Through VBS
2023-06-09	Xavier Mertens	Undetected PowerShell Backdoor Disguised as a Profile File
2023-05-26	Xavier Mertens	Using DFIR Techniques To Recover From Infrastructure Outages
2023-05-17	Xavier Mertens	Increase in Malicious RAR SFX files
2023-03-30	Xavier Mertens	Bypassing PowerShell Strong Obfuscation
2023-03-21	Didier Stevens	String Obfuscation: Character Pair Reversal
2023-03-18	Xavier Mertens	Old Backdoor, New Obfuscation
2023-02-10	Xavier Mertens	Obfuscated Deactivation of Script Block Logging
2023-02-04	Guy Bruneau	Assemblyline as a Malware Analysis Sandbox
2023-02-01	Didier Stevens	Detecting (Malicious) OneNote Files
2023-01-25	Xavier Mertens	A First Malicious OneNote Document
2022-12-29	Jesse La Grew	Opening the Door for a Knock: Creating a Custom DShield Listener
2022-11-05	Guy Bruneau	Windows Malware with VHD Extension
2022-11-04	Xavier Mertens	Remcos Downloader with Unicode Obfuscation
2022-10-18	Xavier Mertens	Python Obfuscation for Dummies
2022-07-20	Johannes Ullrich	Apple Patches Everything Day
2022-07-06	Johannes Ullrich	How Many SANs are Insane?
2022-06-24	Xavier Mertens	Python (ab)using The Windows GUI
2022-06-19	Didier Stevens	Video: Decoding Obfuscated BASE64 Statistically
2022-06-18	Didier Stevens	Decoding Obfuscated BASE64 Statistically
2022-06-16	Xavier Mertens	Houdini is Back Delivered Through a JavaScript Dropper
2022-06-01	Jan Kopriva	HTML phishing attachments - now with anti-analysis features
2022-05-09	Xavier Mertens	Octopus Backdoor is Back with a New Embedded Obfuscated Bat File
2022-05-07	Guy Bruneau	Phishing PDF Received in my ISC Mailbox
2022-02-01	Xavier Mertens	Automation is Nice But Don't Replace Your Knowledge
2021-11-18	Xavier Mertens	JavaScript Downloader Delivers Agent Tesla Trojan
2021-11-14	Didier Stevens	Video: Obfuscated Maldoc: Reversed BASE64
2021-11-08	Xavier Mertens	(Ab)Using Security Tools & Controls for the Bad
2021-10-18	Xavier Mertens	Malicious PowerShell Using Client Certificate Authentication
2021-09-22	Didier Stevens	An XML-Obfuscated Office Document (CVE-2021-40444)
2021-07-31	Guy Bruneau	Unsolicited DNS Queries
2021-06-24	Xavier Mertens	Do you Like Cookies? Some are for sale!
2021-06-04	Xavier Mertens	Russian Dolls VBS Obfuscation
2021-05-08	Guy Bruneau	Who is Probing the Internet for Research Purposes?
2021-04-10	Guy Bruneau	Building an IDS Sensor with Suricata & Zeek with Logs to ELK
2021-02-26	Guy Bruneau	Pretending to be an Outlook Version Update
2021-01-04	Jan Kopriva	From a small BAT file to Mass Logger infostealer
2020-12-06	Didier Stevens	oledump's Indicators (video)
2020-12-05	Guy Bruneau	Is IP 91.199.118.137 testing Access to aahwwx.52host.xyz?
2020-12-04	Guy Bruneau	Detecting Actors Activity with Threat Intel
2020-11-19	Xavier Mertens	PowerShell Dropper Delivering Formbook
2020-11-13	Xavier Mertens	Old Worm But New Obfuscation Technique
2020-11-05	Xavier Mertens	Did You Spot "Invoke-Expression"?
2020-10-30	Xavier Mertens	Quick Status of the CAA DNS Record Adoption
2020-10-24	Guy Bruneau	An Alternative to Shodan, Censys with User-Agent CensysInspect/1.1
2020-10-14	Xavier Mertens	Nicely Obfuscated Python RAT
2020-09-20	Guy Bruneau	Analysis of a Salesforce Phishing Emails
2020-09-04	Jan Kopriva	A blast from the past - XXEncoded VB6.0 Trojan
2020-08-19	Xavier Mertens	Example of Word Document Delivering Qakbot
2020-08-16	Didier Stevens	Small Challenge: A Simple Word Maldoc - Part 3
2020-08-08	Guy Bruneau	Scanning Activity Include Netcat Listener
2020-07-24	Xavier Mertens	Compromized Desktop Applications by Web Technologies
2020-07-19	Guy Bruneau	Scanning Activity for ZeroShell Unauthenticated Access
2020-07-08	Xavier Mertens	If You Want Something Done Right, You Have To Do It Yourself... Malware Too!
2020-06-08	Didier Stevens	Translating BASE64 Obfuscated Scripts
2020-04-27	Xavier Mertens	Powershell Payload Stored in a PSCredential Object
2020-04-24	Xavier Mertens	Malicious Excel With a Strong Obfuscation and Sandbox Evasion
2020-04-10	Xavier Mertens	PowerShell Sample Extracting Payload From SSL
2020-04-03	Xavier Mertens	Obfuscated with a Simple 0x0A
2020-02-22	Xavier Mertens	Simple but Efficient VBScript Obfuscation
2020-02-07	Xavier Mertens	Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript
2020-01-23	Xavier Mertens	Complex Obfuscation VS Simple Trick
2020-01-15	Johannes Ullrich	CVE-2020-0601 Followup
2019-11-22	Xavier Mertens	Abusing Web Filters Misconfiguration for Reconnaissance
2019-10-18	Xavier Mertens	Quick Malicious VBS Analysis
2019-08-09	Xavier Mertens	100% JavaScript Phishing Page
2019-07-11	Xavier Mertens	Russian Dolls Malicious Script Delivering Ursnif
2019-07-02	Xavier Mertens	Malicious Script With Multiple Payloads
2019-06-20	Xavier Mertens	Using a Travel Packing App for Infosec Purpose
2019-06-10	Xavier Mertens	Interesting JavaScript Obfuscation Example
2019-05-31	Didier Stevens	Retrieving Second Stage Payload with Ncat
2019-01-12	Guy Bruneau	Snorpy a Web Base Tool to Build Snort/Suricata Rules
2018-12-31	Didier Stevens	Software Crashes: A New Year's Resolution
2018-12-29	Didier Stevens	Video: De-DOSfuscation Example
2018-12-15	Didier Stevens	De-DOSfuscation Example
2018-12-12	Didier Stevens	Yet Another DOSfuscation Sample
2018-11-27	Xavier Mertens	More obfuscated shell scripts: Fake MacOS Flash update
2018-11-26	Xavier Mertens	Obfuscated bash script targeting QNap boxes
2018-11-16	Xavier Mertens	Basic Obfuscation With Permissive Languages
2018-11-14	Brad Duncan	Day in the life of a researcher: Finding a wave of Trickbot malspam
2018-11-06	Xavier Mertens	Malicious Powershell Script Dissection
2018-10-23	Xavier Mertens	Diving into Malicious AutoIT Code
2018-10-08	Guy Bruneau	Latest Release of rockNSM 2.1
2018-09-30	Didier Stevens	When DOSfuscation Helps...
2018-09-19	Rob VandenBrink	Certificates Revisited - SSL VPN Certificates 2 Ways
2018-09-18	Rob VandenBrink	Using Certificate Transparency as an Attack / Defense Tool
2018-09-05	Rob VandenBrink	Where have all my Certificates gone? (And when do they expire?)
2018-07-30	Didier Stevens	Malicious Word documents using DOSfuscation
2018-07-26	Xavier Mertens	Windows Batch File Deobfuscation
2018-07-03	Didier Stevens	Progress indication for scripts on Windows
2018-06-18	Xavier Mertens	Malicious JavaScript Targeting Mobile Browsers
2018-05-25	Xavier Mertens	Antivirus Evasion? Easy as 1,2,3
2018-04-30	Remco Verhoef	Another approach to webapplication fingerprinting
2018-03-11	Guy Bruneau	rockNSM Configuration & Installation Steps http://handlers.sans.org/gbruneau/rockNSM%20as%20an%20Incident%20Response%20Package.htm
2017-11-23	Xavier Mertens	Proactive Malicious Domain Search
2017-11-11	Xavier Mertens	Keep An Eye on your Root Certificates
2017-11-03	Xavier Mertens	Simple Analysis of an Obfuscated JAR File
2017-10-27	Renato Marinho	"Catch-All" Google Chrome Malicious Extension Steals All Posted Data
2017-09-30	Lorna Hutcheson	Who's Borrowing your Resources?
2017-09-17	Guy Bruneau	rockNSM as a Incident Response Package
2017-07-08	Xavier Mertens	A VBScript with Obfuscated Base64 Data
2017-06-22	Xavier Mertens	Obfuscating without XOR
2017-04-28	Xavier Mertens	Another Day, Another Obfuscation Technique
2017-04-21	Xavier Mertens	Analysis of a Maldoc with Multiple Layers of Obfuscation
2017-04-19	Xavier Mertens	Hunting for Malicious Excel Sheets
2017-03-30	Xavier Mertens	Diverting built-in features for the bad
2017-03-25	Russell Eubanks	Distraction as a Service
2017-03-24	Xavier Mertens	Nicely Obfuscated JavaScript Sample
2017-03-18	Xavier Mertens	Example of Multiple Stages Dropper
2017-02-28	Xavier Mertens	Analysis of a Simple PHP Backdoor
2017-02-12	Xavier Mertens	Analysis of a Suspicious Piece of JavaScript
2017-01-26	Xavier Mertens	IOC's: Risks of False Positive Alerts Flood Ahead
2016-09-15	Xavier Mertens	In Need of a OTP Manager Soon?
2016-08-29	Russ McRee	Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs
2016-08-28	Guy Bruneau	Spam with Obfuscated Javascript
2016-08-22	Russ McRee	Red Team Tools Updates: hashcat and SpiderFoot
2016-08-19	Xavier Mertens	Data Classification For the Masses
2016-06-22	Bojan Zdrnja	Security through obscurity never works
2016-06-03	Tom Liston	MySQL is YourSQL
2016-02-20	Didier Stevens	Locky: JavaScript Deobfuscation
2016-02-11	Tom Webb	Tomcat IR with XOR.DDoS
2016-02-07	Xavier Mertens	More Malicious JavaScript Obfuscation
2016-01-29	Xavier Mertens	Scripting Web Categorization
2016-01-25	Rob VandenBrink	Assessing Remote Certificates with Powershell
2016-01-15	Xavier Mertens	JavaScript Deobfuscation Tool
2015-04-08	Tom Webb	Is it a breach or not?
2015-03-26	Daniel Wesemann	Pin-up on your Smartphone!
2015-02-27	Rick Wanner	Let's Encrypt!
2015-02-17	Rob VandenBrink	oclHashcat 1.33 Released
2014-09-19	Guy Bruneau	Added today in oclhashcat 131 Django [Default Auth] (PBKDF2 SHA256 Rounds Salt) Support - http://hashcat.net/hashcat/
2014-08-25	Jim Clausing	Unusual CRL traffic?
2014-08-09	Adrien de Beaupre	Complete application ownage via Multi-POST XSRF
2014-06-28	Mark Hofman	No more Microsoft advisory email notifications?
2014-03-13	Daniel Wesemann	Identification and authentication are hard ... finding out intention is even harder
2014-02-26	Russ McRee	Ongoing NTP Amplification Attacks
2014-01-17	Russ McRee	Massive RFI scans likely a free web app vuln scanner rather than bots
2013-12-20	Daniel Wesemann	authorized key lime pie
2013-12-10	Rob VandenBrink	Those Look Just Like Hashes!
2013-10-05	Richard Porter	Adobe Breach Notification, Notifications?
2013-09-18	Rob VandenBrink	Cisco DCNM Update Released
2013-09-05	Rob VandenBrink	Building Your Own GPU Enabled Private Cloud
2013-09-03	Rob VandenBrink	Is "Reputation Backscatter" a Thing?
2013-08-13	Swa Frantzen	Microsoft security advisories: RDP and MD5 deprecation in Microsoft root certificates
2013-07-27	Scott Fendley	Defending Against Web Server Denial of Service Attacks
2013-05-17	Johannes Ullrich	SSL: Another reason not to ignore IPv6
2013-05-11	Lenny Zeltser	Extracting Digital Signatures from Signed Malware
2013-04-15	Rob VandenBrink	Oops - You Mean That Deleted Server was a Certificate Authority?
2013-04-04	Johannes Ullrich	Microsoft April Patch Tuesday Advance Notification
2013-03-29	Chris Mohan	Does your breach email notification look like a phish?
2013-03-23	Guy Bruneau	Apple ID Two-step Verification Now Available in some Countries
2013-03-06	Adam Swanger	IPv6 Focus Month: Guest Diary: Stephen Groat - Geolocation Using IPv6 Addresses
2013-02-08	Kevin Shortt	Is it Spam or Is it Malware?
2013-01-25	Johannes Ullrich	Vulnerability Scans via Search Engines (Request for Logs)
2013-01-03	Manuel Humberto Santander Pelaez	New year and new CA compromised
2012-12-18	Dan Goldberg	Mitigating the impact of organizational change: a risk assessment
2012-12-03	John Bambenek	John McAfee Exposes His Location in Photo About His Being on Run
2012-07-18	Rob VandenBrink	Vote NO to Weak Keys!
2012-07-14	Tony Carothers	User Awareness and Education
2012-07-05	Adrien de Beaupre	Microsoft advanced notification for July 2012 patch Tuesday
2012-06-25	Guy Bruneau	Using JSDetox to Analyze and Deobfuscate Javascript
2012-06-13	Johannes Ullrich	Microsoft Certificate Updater
2012-05-22	Johannes Ullrich	nmap 6 released
2012-02-08	Jim Clausing	Chrome to stop checking Certificate Revocation List (CRL)?
2012-01-03	Bojan Zdrnja	The tale of obfuscated JavaScript continues
2011-12-08	Adrien de Beaupre	Microsoft Security Bulletin Advance Notification for December 2011
2011-11-01	Russ McRee	Secure languages & frameworks
2011-09-19	Guy Bruneau	MS Security Advisory Update - Fraudulent DigiNotar Certificates
2011-09-09	Guy Bruneau	Apple Certificate Trust Policy Update
2011-09-09	Guy Bruneau	Adobe Publish its List of Trusted Root Certificate - http://www.adobe.com/security/approved-trust-list.html
2011-09-08	Rob VandenBrink	When Good CA's go Bad: Other Things to Check in Your Datacenter
2011-08-16	Johannes Ullrich	What are the most dangerous web applications and how to secure them?
2011-08-14	Guy Bruneau	FireCAT 2.0 Released
2011-07-29	Richard Porter	Apple Lion talking on TCP 5223
2011-07-28	Johannes Ullrich	Announcing: The "404 Project"
2011-07-05	Raul Siles	Helping Developers Understand Security - Spot the Vuln
2011-06-21	Chris Mohan	StartSSL, a web authentication authority, suspend services after a security breach
2011-05-18	Bojan Zdrnja	Android, HTTP and authentication tokens
2011-04-28	Chris Mohan	DSL Reports advise 9,000 accounts were compromised
2011-04-22	Manuel Humberto Santander Pelaez	In-house developed applications: The constant headache for the information security officer
2011-04-03	Richard Porter	Extreme Disclosure? Not yet but a great trend!
2011-02-04	Daniel Wesemann	Oh, just click "yes"
2010-12-25	Manuel Humberto Santander Pelaez	An interesting vulnerability playground to learn application vulnerabilities
2010-12-12	Raul Siles	New trend regarding web application vulnerabilities?
2010-09-21	Johannes Ullrich	Implementing two Factor Authentication on the Cheap
2010-08-16	Raul Siles	Blind Elephant: A New Web Application Fingerprinting Tool
2010-08-15	Manuel Humberto Santander Pelaez	Obfuscated SQL Injection attacks
2010-08-15	Manuel Humberto Santander Pelaez	Python to test web application security
2010-07-02	Johannes Ullrich	OISF released version 1.0.0 of Suricata, the open source IDS/IPS engine http://www.openinfosecfoundation.org
2010-06-26	Guy Bruneau	socat to Simulate a Website
2010-06-14	Manuel Humberto Santander Pelaez	Another way to get protection for application-level attacks
2010-06-14	Manuel Humberto Santander Pelaez	Rogue facebook application acting like a worm
2010-04-13	Adrien de Beaupre	Web App Testing Tools
2010-04-08	Bojan Zdrnja	JavaScript obfuscation in PDF: Sky is the limit
2010-04-06	Daniel Wesemann	Application Logs
2010-03-21	Scott Fendley	Skipfish - Web Application Security Tool
2010-03-10	Rob VandenBrink	Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication
2010-03-08	Raul Siles	Samurai WTF 0.8
2010-03-05	Kyle Haugsness	Javascript obfuscators used in the wild
2010-02-20	Mari Nichols	Is "Green IT" Defeating Security?
2010-01-29	Adrien de Beaupre	Neo-legacy applications
2010-01-24	Pedro Bueno	Outdated client applications
2009-12-19	Deborah Hale	Educationing Our Communities
2009-11-13	Deborah Hale	It's Never Too Early To Start Teaching Them
2009-10-20	Raul Siles	WASC 2008 Statistics
2009-10-09	Rob VandenBrink	THAWTE to discontinue free Email Certificate Services and Web of Trust Service
2009-09-16	Raul Siles	Review the security controls of your Web Applications... all them!
2009-08-28	Adrien de Beaupre	WPA with TKIP done
2009-07-23	John Bambenek	Missouri Passes Breach Notification Law: Gap Still Exists for Banking Account Information
2009-06-30	Chris Carboni	Obfuscated Code
2009-06-30	Chris Carboni	De-Obfuscation Submissions
2009-05-26	Jason Lam	A new Web application security blog
2009-05-20	Tom Liston	Web Toolz
2009-04-24	John Bambenek	Data Leak Prevention: Proactive Security Requirements of Breach Notification Laws
2009-04-21	Bojan Zdrnja	Web application vulnerabilities
2009-04-07	Bojan Zdrnja	Advanced JavaScript obfuscation (or why signature scanning is a failure)
2009-03-02	Swa Frantzen	Obama's leaked chopper blueprints: anything we can learn?
2009-01-12	William Salusky	Web Application Firewalls (WAF) - Have you deployed WAF technology?
2009-01-02	Mark Hofman	Blocking access to MD5 signed certs
2008-11-20	Jason Lam	Large quantity SQL Injection mitigation
2008-09-07	Daniel Wesemann	Staying current, but not too current
2008-09-03	Daniel Wesemann	Static analysis of Shellcode - Part 2
2008-08-03	Deborah Hale	Securing A Network - Lessons Learned
2008-07-14	Daniel Wesemann	Obfuscated JavaScript Redux
2008-04-06	Daniel Wesemann	Advanced obfuscated JavaScript analysis
2008-04-03	Bojan Zdrnja	Mixed (VBScript and JavaScript) obfuscation