SANS Internet Storm Center
Threat Level: green. Handler on Duty: Didier Stevens
Last Daily Podcast (Mon, Nov 23rd): VMWare Update; DB2 Vuln; Fortinet SSL VPN
Quick Tip: Cobalt Strike Beacon Analysis

Published: 2020-11-23. Last updated: 2020-11-23 08:21:30 UTC by Didier Stevens (Version: 1). 0 comment(s)
Several of our handlers, like Brad and Renato, have written diary entries about malware infections that involved the red team framework Cobalt Strike.
In this diary entry, I'll show you how you can quickly extract the configuration of Cobalt Strike beacons mentioned in these 2 diary entries:

* Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike
* Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike

The configuration of a beacon is stored as an encoded table of type-length-value records. There are a couple of tools to analyze Cobalt Strike beacons, and I recently made my own tool 1768.py public.
The analysis of the sample that Brad mentioned in his diary entry (1) is simple:

[Screenshot: 1768.py output for sample (1)]

In the screenshot above, you can see all the records of the decoded configuration of this sample. The records you are probably most interested in as an analyst are the server record, the port record and the URLs used with GET and POST (highlighted in red).

In Renato's diary entry (2), there are 2 artifacts to analyze. There's the shellcode: Renato explained how to deal with the different layers of obfuscation of this shellcode. Here I use several of my tools to deobfuscate the shellcode, and then pass it on to my 1768.py tool:

[Screenshot: deobfuscation pipeline and 1768.py output for the shellcode]

The payload downloaded by this shellcode is easy to analyze:

[Screenshot: 1768.py output for the downloaded payload]

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: cobaltstrike malware
0 comment(s)
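As an added example (not the diary's 1768.py and not Cobalt Strike's own code), here is a minimal Python extractor for a type-length-value configuration table of the kind the diary describes, which locates the XOR-encoded table in a larger buffer, decodes it and pulls out the server, port and GET/POST URL records an analyst looks at first. The record layout, the single-byte XOR keys, the first-record search pattern and the setting-index names are assumptions taken from publicly documented beacon parsers, and the sample bytes are constructed here, not taken from a real beacon.

```python
"""Minimal TLV beacon-config extractor (added example, assumptions labelled).

Assumed layout (not stated in the diary): each record is a 2-byte big-endian
setting index, a 2-byte type (1 = 16-bit int, 2 = 32-bit int, 3 = raw bytes)
and a 2-byte length, followed by the value; the whole table is XOR-encoded
with one byte (assumed 0x69 for older, 0x2e for newer samples) and a zero
index terminates it.
"""
import struct

XOR_KEYS = (0x69, 0x2E)
# Setting indices an analyst usually wants first (assumed mapping).
SETTING_NAMES = {1: "payload_type", 2: "port", 3: "sleeptime",
                 8: "server,get-uri", 9: "useragent", 10: "post-uri"}
# Assumed: the table always opens with record index 1 / type 1 / length 2.
FIRST_RECORD_HEADER = b"\x00\x01\x00\x01\x00\x02"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_records(table: bytes) -> dict:
    """Walk decoded TLV records until the zero-index terminator."""
    records, pos = {}, 0
    while pos + 6 <= len(table):
        index, rtype, length = struct.unpack_from(">HHH", table, pos)
        pos += 6
        if index == 0:
            break                                   # end-of-table marker
        if pos + length > len(table):
            raise ValueError(f"record {index} truncated at offset {pos}")
        raw = table[pos:pos + length]
        pos += length
        if rtype == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif rtype == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00")             # strings are NUL-padded
        records[index] = (rtype, value)
    return records


def extract_config(blob: bytes) -> tuple:
    """Find the encoded table by its first-record signature; return (key, records)."""
    for key in XOR_KEYS:
        start = blob.find(xor_bytes(FIRST_RECORD_HEADER, key))
        if start != -1:
            return key, parse_records(xor_bytes(blob[start:], key))
    raise ValueError("no beacon config table found")


def summarize(records: dict) -> dict:
    """Map indices to readable names; decode byte values as text."""
    out = {}
    for index, (_, value) in records.items():
        name = SETTING_NAMES.get(index, f"setting_{index}")
        out[name] = value.decode("latin-1") if isinstance(value, bytes) else value
    return out


# ---- constructed sample (NOT a real beacon; placeholder host) ------------
def build_record(index: int, rtype: int, payload: bytes) -> bytes:
    return struct.pack(">HHH", index, rtype, len(payload)) + payload

CONSTRUCTED_TABLE = (
    build_record(1, 1, struct.pack(">H", 8))                    # payload type
    + build_record(2, 1, struct.pack(">H", 8080))               # port
    + build_record(3, 2, struct.pack(">I", 60000))              # sleep (ms)
    + build_record(8, 3, b"c2.example.invalid,/load".ljust(256, b"\x00"))
    + build_record(10, 3, b"/submit.php".ljust(64, b"\x00"))
    + b"\x00" * 6                                               # terminator
)
# Padding on both sides stands in for the surrounding beacon image.
CONSTRUCTED_SAMPLE = b"\x90" * 32 + xor_bytes(CONSTRUCTED_TABLE, 0x2E) + b"\xcc" * 16

if __name__ == "__main__":
    key, recs = extract_config(CONSTRUCTED_SAMPLE)
    print(f"xor key 0x{key:02x}")
    for name, value in summarize(recs).items():
        print(f"  {name:16} {value}")
```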