Diaries by Keyword - SANS Internet Storm Center

Handler on Duty: Xavier Mertens

Threat Level: green

Date	Author	Title
2025-02-15	Xavier Mertens	The Danger of IP Volatility
2024-12-24	Xavier Mertens	More SSH Fun!
2024-10-03	Guy Bruneau	Kickstart Your DShield Honeypot [Guest Diary]
2024-07-25	Xavier Mertens	XWorm Hidden With Process Hollowing
2024-04-15	Johannes Ullrich	Quick Palo Alto Networks Global Protect Vulnerablity Update (CVE-2024-3400)
2024-04-13	Johannes Ullrich	Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400)
2024-03-17	Guy Bruneau	Gamified Learning: Using Capture the Flag Challenges to Supplement Cybersecurity Training [Guest Diary]
2024-01-07	Guy Bruneau	Suspicious Prometei Botnet Activity
2023-11-09	Xavier Mertens	Visual Examples of Code Injection
2023-11-08	Xavier Mertens	Example of Phishing Campaign Project File
2023-09-18	Johannes Ullrich	Internet Wide Multi VPN Search From Single /24 Network
2023-08-26	Xavier Mertens	macOS: Who?s Behind This Network Connection?
2023-06-09	Xavier Mertens	Undetected PowerShell Backdoor Disguised as a Profile File
2023-05-24	Jesse La Grew	More Data Enrichment for Cowrie Logs
2023-01-12	Russ McRee	Prowler v3: AWS & Azure security assessments
2022-10-07	Xavier Mertens	Critical Fortinet Vulnerability Ahead
2022-09-14	Xavier Mertens	Easy Process Injection within Python
2022-05-30	Xavier Mertens	New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme (CVE-2022-30190)
2022-03-15	Xavier Mertens	Clean Binaries with Suspicious Behaviour
2021-11-14	Didier Stevens	External Email System FBI Compromised: Sending Out Fake Warnings
2021-10-14	Xavier Mertens	Port-Forwarding with Windows for the Win
2021-09-15	Brad Duncan	Hancitor campaign abusing Microsoft's OneDrive
2021-08-09	Jan Kopriva	ProxyShell - how many Exchange servers are affected and where are they?
2021-08-01	Didier Stevens	procdump Version 10.1
2021-05-30	Didier Stevens	Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update
2021-04-25	Didier Stevens	Sysinternals: Procmon and Sysmon update
2021-04-16	Xavier Mertens	HTTPS Support for All Internal Services
2021-03-04	Xavier Mertens	From VBS, PowerShell, C Sharp, Process Hollowing to RAT
2021-02-28	Didier Stevens	Maldocs: Protection Passwords
2021-02-22	Didier Stevens	Unprotecting Malicious Documents For Inspection
2021-01-17	Didier Stevens	New Release of Sysmon Adding Detection for Process Tampering
2020-09-17	Xavier Mertens	Suspicious Endpoint Containment with OSSEC
2020-06-05	Johannes Ullrich	Cyber Security for Protests
2020-04-30	Xavier Mertens	Collecting IOCs from IMAP Folder
2020-03-21	Guy Bruneau	Honeypot - Scanning and Targeting Devices & Services
2020-02-16	Guy Bruneau	SOAR or not to SOAR?
2019-09-27	Xavier Mertens	New Scans for Polycom Autoconfiguration Files
2019-07-18	Xavier Mertens	Malicious PHP Script Back on Stage?
2019-06-27	Rob VandenBrink	Finding the Gold in a Pile of Pennies - Long Tail Analysis in PowerShell
2019-02-17	Didier Stevens	Video: Finding Property Values in Office Documents
2019-02-16	Didier Stevens	Finding Property Values in Office Documents
2018-09-20	Xavier Mertens	Hunting for Suspicious Processes with OSSEC
2018-07-03	Didier Stevens	Progress indication for scripts on Windows
2018-06-22	Lorna Hutcheson	XPS Attachment Used for Phishing
2018-06-13	Xavier Mertens	A Bunch of Compromized Wordpress Sites
2017-04-02	Guy Bruneau	IPFire - A Household Multipurpose Security Gateway
2017-03-08	Richard Porter	What is really being proxied?
2016-08-29	Russ McRee	Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs
2016-08-24	Xavier Mertens	Example of Targeted Attack Through a Proxy PAC File
2016-08-19	Xavier Mertens	Data Classification For the Masses
2016-06-15	Richard Porter	Warp Speed Ahead, L7 Open Source Packet Generator: Warp17
2016-03-13	Xavier Mertens	SSH Honeypots (Ab)used as Proxy
2016-01-31	Guy Bruneau	Windows 10 and System Protection for DATA Default is OFF
2015-07-17	Didier Stevens	Process Explorer and VirusTotal
2015-03-08	Brad Duncan	What Happened to You, Asprox Botnet?
2015-03-07	Guy Bruneau	Should it be Mandatory to have an Independent Security Audit after a Breach?
2014-07-30	Rick Wanner	Symantec Endpoint Protection Privilege Escalation Zero Day
2014-07-19	Russ McRee	Keeping the RATs out: the trap is sprung - Part 3
2014-07-18	Russ McRee	Keeping the RATs out: **it happens - Part 2
2014-07-16	Russ McRee	Keeping the RATs out: an exercise in building IOCs - Part 1
2014-07-08	Johannes Ullrich	Hardcoded Netgear Prosafe Switch Password
2014-04-27	Tony Carothers	The Dreaded "D" Word of IT
2014-03-22	Guy Bruneau	How the Compromise of a User Account Lead to a Spam Incident
2014-02-27	Richard Porter	DDoS and BCP 38
2014-02-24	Russ McRee	Explicit Trusted Proxy in HTTP/2.0 or...not so much
2014-02-10	Rob VandenBrink	A Tale of Two Admins (and no Change Control)
2014-02-07	Rob VandenBrink	Hello Virustotal? It's Microsoft Calling.
2013-05-20	Guy Bruneau	Sysinternals Updates for Accesschk, Procdump, RAMMap and Strings http://blogs.technet.com/b/sysinternals/archive/2013/05/17/updates-accesschk-v5-11-procdump-v6-0-rammap-v1-22-strings-v2-51.aspx
2013-04-14	Johannes Ullrich	Protocol 61 Packets Follow Up
2013-03-09	Guy Bruneau	IPv6 Focus Month: IPv6 Encapsulation - Protocol 41
2013-02-22	Johannes Ullrich	When web sites go bad: bible . org compromise
2013-02-06	Adam Swanger	Sysinternals in particular Process Explorer update https://blogs.technet.com/b/sysinternals/?Redirected=true
2012-12-06	Johannes Ullrich	How to identify if you are behind a "Transparent Proxy"
2012-07-02	Dan Goldberg	Storms of June 29th 2012 in Mid Atlantic region of the USA
2012-06-27	Daniel Wesemann	What's up with port 79 ?
2012-04-26	Richard Porter	Define Irony: A medical device with a Virus?
2012-04-12	Guy Bruneau	HP ProCurve 5400 zl Switch, Flash Cards Infected with Malware
2012-03-16	Russ McRee	MS12-020 RDP vulnerabilities: Patch, Mitigate, Detect
2012-02-27	Johannes Ullrich	Odd Vanishing Signatures in OS X XProtect
2012-01-13	Guy Bruneau	Sysinternals Updates - http://blogs.technet.com/b/sysinternals/archive/2012/01/13/updates-autoruns-v11-21-coreinfo-v3-03-portmon-v-3-03-process-explorer-v15-12-mark-s-blog-and-mark-at-rsa-2012.aspx
2011-12-19	Guy Bruneau	Process Explorer Update 15.11 with bugfixes - http://technet.microsoft.com/en-us/sysinternals/bb896653
2011-11-01	Russ McRee	Honeynet Project: Android Reverse Engineering (A.R.E.) Virtual Machine released
2011-09-26	Jason Lam	MySQL.com compromised spreading malware
2011-08-14	Guy Bruneau	Telex - A Radical New Approach to Bypass Security
2011-08-05	Johannes Ullrich	Common Web Attacks. A quick 404 project update
2011-07-28	Johannes Ullrich	Announcing: The "404 Project"
2011-06-19	Guy Bruneau	Sega Pass Compromised - 1.29 Million Customers Data Leaked
2011-06-12	Mark Hofman	Cloud thoughts
2011-04-18	John Bambenek	Wordpress.com Security Breach
2011-04-04	Mark Hofman	When your service provider has a breach
2011-04-02	Rick Wanner	RSA/EMC: Anatomy of a compromise
2011-02-21	Adrien de Beaupre	Winamp forums compromised
2011-01-12	Richard Porter	How Many Loyalty Cards do you Carry?
2010-12-13	Deborah Hale	Gawker Media Breach of Security
2010-12-02	Kevin Johnson	ProFTPD distribution servers compromised
2010-07-21	Adrien de Beaupre	Adobe Reader Protected Mode
2010-06-04	Rick Wanner	New Honeynet Project Forensic Challenge
2010-03-28	Rick Wanner	Honeynet Project: 2010 Forensic Challenge #3
2010-03-10	Rob VandenBrink	Microsoft re-release of KB973811 - attacks on Extended Protection for Authentication
2010-02-28	Mari Nichols	Disasters take practice
2010-02-01	Rob VandenBrink	NMAP 5.21 - Is UDP Protocol Specific Scanning Important? Why Should I Care?
2010-01-26	Jason Lam	e107 CMS system website compromised
2010-01-23	Lorna Hutcheson	The necessary evils: Policies, Processes and Procedures
2009-12-07	Rob VandenBrink	Layer 2 Network Protections – reloaded!
2009-11-11	Rob VandenBrink	Layer 2 Network Protections against Man in the Middle Attacks
2009-11-05	Swa Frantzen	TLS Man-in-the-middle on renegotiation vulnerability made public
2009-10-30	Rob VandenBrink	New version of NIST 800-41, Firewalls and Firewall Policy Guidelines
2009-10-22	Adrien de Beaupre	Cyber Security Awareness Month - Day 22 port 502 TCP - Modbus
2009-10-05	Adrien de Beaupre	Time to change your hotmail/gmail/yahoo password
2009-10-02	Stephen Hall	New SysInternal fun for the weekend
2009-09-19	Rick Wanner	Sysinternals Tools Updates
2009-09-07	Jim Clausing	Request for packets
2009-08-30	Tony Carothers	How do I recover from.....?
2009-08-29	Guy Bruneau	Immunet Protect - Cloud and Community Malware Protection
2009-08-28	Adrien de Beaupre	apache.org compromised
2009-07-29	Bojan Zdrnja	Increasing number of attacks on security sites
2009-06-27	Tony Carothers	New NIAP Strategy on the Horizon
2009-06-21	Scott Fendley	phpMyAdmin Scans
2009-03-10	Swa Frantzen	Browser plug-ins, transparent proxies and same origin policies
2009-02-11	Robert Danford	ProFTPd SQL Authentication Vulnerability exploit activity
2008-11-16	Maarten Van Horenbeeck	Detection of Trojan control channels
2008-08-25	John Bambenek	Thoughts on the Best Western Compromise
2008-04-07	John Bambenek	HP USB Keys Shipped with Malware for your Proliant Server
2006-12-18	Toby Kohlenberg	ORDB Shutting down
2006-08-17	Swa Frantzen	Microsoft August 2006 Patches: STATUS