Simple SSH Backdoor, (Mon, Jun 2nd)

For most system and network administrators, the free SSH client PuTTY has been their best friend for years! This tool was also (ab)used by attackers, who deployed a trojanized version[1]. Microsoft had the good idea to include OpenSSH (as a beta) in the Windows 10 Fall Creators Update. With the next feature update, Windows 10 version 1803, it became a default component. I remember the joy of typing “ssh” or “scp” for the first time in a cmd.exe! SSH is a very powerful tool that can be used in multiple ways, and it has de facto been categorized as a “LOLBIN”[2].

Usage of “passwd” Command in DShield Honeypots, (Fri, May 30th)

DShield honeypots [1] receive different types of attack traffic, and the volume of that traffic can change over time. I've been collecting data from a half dozen honeypots for a little over a year to make comparisons. This data includes:

[Guest Diary] Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack, (Wed, May 28th)

[This is a Guest Diary by Jennifer Wilson, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Securing Your SSH authorized_keys File, (Tue, May 27th)

This is nothing “amazingly new”, but more of a reminder to secure your “authorized_keys” file for SSH. One of the first things I see even simple bots do to obtain persistent access to a UNIX system is to add a key to the authorized_keys file of whatever account they are compromising.
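The persistence trick described above, a planted key, is easy to audit for. What follows is an added example, not code from the ISC diary or its author: a POSIX sh script that compares every entry in an authorized_keys file against an allowlist of keys the administrator actually issued, tolerates the optional options field (which may contain quoted spaces), and checks the file's permissions. The working directory, the allowed_keys file and the key material are all constructed for the example; the key blobs are dummy base64 strings, not real keys.

```shell
#!/bin/sh
# Added example, not code from the ISC diary: audit a user's authorized_keys
# file against an allowlist of keys you actually issued. Needs only POSIX sh,
# awk and find. All key material below is constructed dummy base64.

# Print "keytype base64" for every key entry in FILE, skipping comments,
# blank lines and the optional leading options field (which may contain
# spaces inside quotes, e.g. command="rsync --server"). Lines with no
# recognisable key are reported as MALFORMED so they are never silently skipped.
extract_keys() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(sk-)?(ssh-|ecdsa-sha2-)[A-Za-z0-9@.-]+$/ &&
                    $(i + 1) ~ /^[A-Za-z0-9+\/=]+$/) {
                    print $i " " $(i + 1)
                    next
                }
            print "MALFORMED " $0
        }' "$1"
}

# Print every key in FILE that is not in ALLOWLIST (same "keytype base64 [comment]"
# format, one key per line); return 1 if any were found so the caller can alert.
unknown_keys() {
    extract_keys "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline line < allow) > 0)
                if (split(line, p, " ") >= 2 && p[1] !~ /^#/)
                    ok[p[1] " " p[2]] = 1
            close(allow)
        }
        !($0 in ok) { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# sshd (with the default StrictModes yes) refuses a group- or world-writable
# authorized_keys file, and anyone who can write it does not need to steal a key.
# Return 1 if FILE has the group-write (020) or other-write (002) bit set.
check_perms() {
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "WARNING: $1 is group- or world-writable"
        return 1
    fi
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed allowlist: the keys the administrator actually provisioned.
cat > "$WORK/allowed_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGR1bW15LWFkbWluLWtleS0wMDAwMDAwMDAwMDAwMDAw admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummybackupkey backup@nas
EOF

# Constructed authorized_keys as a bot might leave it: the two legitimate
# entries plus two foreign keys, one hidden behind restrictive-looking options.
cat > "$WORK/authorized_keys" <<'EOF'
# keys for user alice
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGR1bW15LWFkbWluLWtleS0wMDAwMDAwMDAwMDAwMDAw admin@workstation
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummybackupkey backup@nas
no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDattackerkeyone root@attacker
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF0dGFja2Vya2V5dHdvLTAwMDAwMDAwMDAwMDAwMDAw x
EOF
chmod 600 "$WORK/authorized_keys"

echo "== keys in $WORK/authorized_keys not on the allowlist =="
unknown_keys "$WORK/authorized_keys" "$WORK/allowed_keys" || echo "ALERT: unexpected keys present"
check_perms "$WORK/authorized_keys"
```

Run something like this from cron over every home directory (and /root), keep the previous output, and alert on any difference; a key that appears without a change ticket is the signal the diary is talking about. A complementary sshd_config hardening is to point AuthorizedKeysFile at a root-owned location such as /etc/ssh/authorized_keys/%u (the directive is standard sshd_config, the path is an example) so that a compromised account cannot grant itself persistence by editing a file it owns.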
