SANS ISC: ISC Handlers - Internet Security | DShield

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

ISC Handlers

Recent Diaries:

Recent Diaries:

• VMware Security Advisories -VMSA-2017-0014
• Triaging suspicious files with pestudio
• An Introduction to VolUtility
• PowerShell 5.1 for Windows 7 and later
• Back in Time Memory Forensics

Recent Diaries:

• domain_stats.py a web api for SEIM phishing hunts
• System Resource Utilization Monitor
• Some tools updates
• Powershell Malware - No Hard drive, Just hard times
• Offensive Countermeasures against stolen passswords

Recent Diaries:

• Great Misadventures of Security Vendors: Absurd Sandboxing Edition
• Ransomware Operators Cold Calling UK Schools to Get Malware Through
• Was the Brazilian version of Google hijacked two days ago?
• New Year's Resolution: Build Your Own Malware Lab?
• Mixed Messages : Novel Phishing Attempts Trying to Steal Your E-mail Password Goes Wrong

Click to  View Handler Page

Click to  View Handler Created Tools

Recent Diaries:

• rockNSM as a Incident Response Package
• tshark 2.4 New Feature - Command Line Export Objects
• Text Banking Scams
• Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?
• CyberChef a Must Have Tool in your Tool bag!

Click to  View Handler Page

Recent Diaries:

• Tricks for DLL analysis
• The Wonderful World of CMS strikes again
• Attention *NIX admins, time to patch!
• Heartbleed hunting
• CSAM: WebHosting BruteForce logs

Recent Diaries:

• Cisco Security Advisory: Default Credentials
• Exploit o' the day: DROWN
• Disaster Recovery Starts with a Plan
• GnuPG (GPG) 2.1.9 release announced
• Risk... in the most obscure places

Click to  View Handler Page

Recent Diaries:

• Forensic use of mount --bind
• New tool: mac-robber.py
• WTF tcp port 81
• New tool: sigs.py
• Quick and dirty generic listener

Recent Diaries:

• YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday
• Equifax breach
• Modern Web Application Penetration Testing , Hash Length Extension Attacks
• Struts vulnerability patch released by apache, patch now
• A day in the life of a pentester, or is my job is too sexy for me?

Recent Diaries:

• Malspam pushing Word documents with Hancitor malware
• Emails threatening DDoS allegedly from Phantom Squad
• Email attachment using CVE-2017-8759 exploit targets Argentina
• Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox
• Malspam pushing Trickbot banking Trojan

Recent Diaries:

• What is the State of Your Union?
• Trends Over Time
• An Occasional Look in the Rear View Mirror
• What Can You Learn On Your Own?
• KNOW before NO

Recent Diaries:

• Gate to Fiesta exploit kit on 94.242.216.69
• VMWare ESX/ESXi Security Advisory
• Defending Against Web Server Denial of Service Attacks
• ISC BIND DoS
• Apple Blocks Older Insecure Versions of Flash Player

Recent Diaries:

• Holiday Safe Computing Tips
• Angler Exploit Kits Reported
• Cisco Security Advisories Issued
• Dropbox Breach
• The life of an IT Manager

Recent Diaries:

• New Adobe Flash Vulnerability - CVE-2015-0313
• Microsoft Security Bulletin Advance Notification for July 2014
• PHP 5.4.27 released
• Sunday Reading
• Symantec goes yellow

Recent Diaries:

• Outlook Web Access based attacks
• It has been a month and a bit how is your new patching program holding up?
• Looking for some emails
• Time for some predictions
• Checking my honeypot day

Recent Diaries:

• What is going on with Port 83?
• File2pcap - A new tool for your toolkit!
• BitTorrent or Something Else?
• Cisco - Issue with Clock Signal Component
• Packet Analysis - Where do you start?

Recent Diaries:

• Lessons Learned from Industrial Control Systems
• Nmap/Google Summer of Code
• F-Secure: FSC-2015-2: PATH TRAVERSAL VULNERABILITY
• PHP 5.5.23 is available
• Repurposing Logs

Renato Marinho is Chief Research Officer at Morphus Labs. His journey in the area began in 2001, when he created Nettion, one of the first firewalls to use the contemporary UTM (Unified Threat Management) concept. Experienced in cyber security, Marinho was internationally recognized in 2016 by his research that unveiled Mamba, the first full disk encryption ransomware. At Morphus Labs, he oversees research, innovation and development of new products. Master and PhD candidate in Applied Informatics, he is also professor at University of Fortaleza teaching Computer Forensics in the post-graduate course. He is also a speaker having presented at Ignite Cybersecurity Conference, BSides Delaware, BSides Vienna, WSKS Portugal and Brazilian CSIRTs Forum.

Recent Diaries:

• XPCTRA Malware Steals Banking and Digital Wallet User's Credentials
• Ongoing Ykcol (Locky) campaign
• Second Google Chrome Extension Banker Malware in Two Weeks
• EngineBox Malware Supports 10+ Brazilian Banks
• (Banker(GoogleChromeExtension)).targeting("Brazil")

Click to  View Handler Created Tools

Recent Diaries:

• Windows Auditing with WINspect
• Adversary hunting with SOF-ELK
• WannaCry? Do your own data analysis.
• Critical security update: PHPMailer 5.2.20 (CVE-2016-10045)
• Steganography in Action: Image Steganography & StegExpose

Xavier Mertens is a freelance security consultant based in Belgium. Xavier started his own company (https://www.truesec.be) in 2013 to offer pentesting, incident handling and forensic services. He holds GIAC certifications and is also CISSP and CISA. Xavier has a blog about security (https://blog.rootshell.be) and is co-organizer of the BruCON security conference (http://www.brucon.org).

Recent Diaries:

• Getting some intelligence from malspam
• Another webshell, another backdoor!
• AutoIT based malware back in the wild
• Malicious AutoIT script delivered in a self-extracting RAR file
• Malicious script dropping an executable signed by Avast?

Click to  View Handler Created Tools

Recent Diaries:

• Back to Basics: Writing Change Requests in Natural Language
• Wait What? We don?t have to change passwords every 90 days?
• Do you have Intel AMT? Then you have a problem today! Intel Active Management Technology INTEL-SA-00075
• What is really being proxied?
• December 2016 Patch Tuesday Brief and Updates

Recent Diaries:

• New Internet Storm Center Director
• A Day In The Life Of A DShield Sensor
• Stuxnet Analysis
• Cyber Security Awareness Month - Day 31 - Tying it all together
• Cyber Security Awareness Month - Day 15 - What Teachers Need to Know About Their Students

Mr. Santander Pelaez currently serves as the Chief Information Security Officer of Empresas Publicas de Medellin E.S.P. in Medellin,Colombia. His areas of interest are Intrusion Detection, Computer Forensics, Incident Response, SCADA Security, Network Design and cyberwarfare.

Recent Diaries:

• Effective security governance
• Encryption inside Utility Industrial Control Systems (ICS) communication protocols: a must to preserve the confidentiality of information and reliability of the industrial process
• CVE-2016-7461: VMware Workstation and Fusion updates address critical out-of-bounds memory access vulnerability
• Performing network forensics with Dshell. Part 2: Decoder development process
• VMWare Security Advisories VMSA-2016-0005

Recent Diaries:

• Curious SNMP Traffic Spike
• XOR DDOS Mitigation and Analysis
• Social Engineering Alive and Well
• NTP DDoS Counts Have Dropped
• Avast forums hacked

Didier Stevens (Microsoft MVP Consumer Security) holds many certifications from SANS, Microsoft, Cisco, ... He is a Senior Analyst (NVISO https://www.nviso.be). Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his open source security tools on his IT security related blog at https://blog.DidierStevens.com.

Recent Diaries:

• Analyzing JPEG files
• Malware analysis output sanitization
• It is a resume - Part 2
• It is a resume - Part 1
• Malware analysis: searching for dots

Recent Diaries:

• Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2)
• Analysis of Competing Hypotheses (ACH part 1)
• How many “Epoch” times? Epocalypse.py timestamp converter
• Defining Threat Intelligence Requirements
• Volatility Bot: Automated Memory Analysis

Dr. Johannes Ullrich is the Dean of Research and a faculty member of the SANS Technology Institute. In November of 2000, Johannes started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry. Secure Computing Magazine named him in 2005 one of the Top 5 influential IT security thinkers. His research interests include IPv6, Network Traffic Analysis and Secure Software Development. Johannes is regularly invited to speak at conferences and has been interviewed by major publications, radio as well as TV stations. He is a member of the SANS Technology Institute's Faculty and Administration as well as Curriculum and Long Range Planning Committee. As chief research officer for the SANS Institute, Johannes is currently responsible for the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. More Details: http://www.linkedin.com/in/johannesullrich

Click to  View Handler Page

Recent Diaries:

• Microsoft Patch Tuesday September 2017
• The Mirai Botnet: A Look Back and Ahead At What's Next
• An Update On DVR Malware: A DVR Torture Chamber
• Microsoft Patch Tuesday August 2017
• Use of the Open Graph Protocol to Disguise Malicious Facebook Links

Click to  View Handler Created Tools

Recent Diaries:

• No IPv6? Challenge Accepted! (Part 1)
• Rooting Out Hosts that Support Older Samba Versions
• As Your Admin Walks Out the Door ..
• What did we Learn from WannaCry? - Oh Wait, We Already Knew That!
• OAuth, and It's High Time for Some Personal "Security-Scaping" Today

Recent Diaries:

• Using nmap to scan for MS17-010 (CVE-2017-0143 EternalBlue)
• Cloudflare data leak...what does it mean to me?
• Practical collision attack against SHA-1
• Multiple vulnerabilities discovered in popular printer models
• More on Protocol 47 denys

Recent Diaries:

• Remote SOC Workers Concerns
• Summer STEM for Kids
• SSMA Usage
• Dynamite Phishing
• Blocking Powershell Connection via Windows Firewall.

Click to  View Handler Created Tools

Recent Diaries:

• Free Bitcoins? Why not?
• Attacking NoSQL applications (part 2)
• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 ? Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts)
• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 ? Physical Memory artefacts)
• Uberscammers