Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Detecting Actors Activity with Threat Intel

Published: 2020-12-04
Last Updated: 2020-12-04 03:30:47 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Over the past three weeks I have applied threat intel to all the inbound traffic going to my honeypot and the stats have shown some interesting trends. The top 20 TCP ports targeted have been between 1-50 and top 20 UDP 7-11211. During this period, the sensor recorded over 301K indicators matching threat intel from known actors.

A Look at the Top 3 IPs

The port the most targeted over that period has been the Telnet (TCP/23) service with over 97% of the traffic.

As a security practitioner, I have stopped using Telnet years ago (a honeypot being the exception). To find out how widespread Telnet is available, a query for this service on Shodan[4] shows there are still thousand of host showing this port as open and/or active. This map from Censys [8] illustrate a list of 2090422 hosts matched the search query where Telnet was open. Censys only shows the first 500 locations on the map.

IP launched a large scan on the 30 Nov (12:00-06:00) lasting for 6 hours actively scanning various TCP ports multiple times (46836 records). However, IP has been a lot more consistent over time, scanning mostly TCP ports between 1000-1100 illustrated below:

The third IP has been scanning a single port over the past few and it is MemoryCache (UDP/11211). This source was first report in DShield on the 14 Nov 2020 with a last report today. The reports in DShield are mostly against LDAP (UDP/389) and only one record for 11211.

Last, this is the list of top 10 IPs with Intel source, techniques and total.

Two freely and widely available intel platform Anomali Staxx[1] after registration is available for download and installed locally (has API) and AlienVault[2] can be accessed via API and is widely supported.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Traffic Analysis Quiz: Mr Natural
Dec 3rd 2020
1 day ago by Brad (0 comments)

Decrypting PowerShell Payloads (video)
Nov 30th 2020
4 days ago by DidierStevens (0 comments)

Quick Tip: Using JARM With a SOCKS Proxy
Nov 29th 2020
5 days ago by DidierStevens (0 comments)

Threat Hunting with JARM
Nov 27th 2020
6 days ago by Rick (0 comments)

View All Diaries →

Latest Discussions

Port 23 & 2323
created Nov 15th 2020
2 weeks ago by Anonymous (0 replies)

Gmail hacked vis MS Outlook / virus/malware
created Oct 13th 2020
1 month ago by Anonymous (3 replies)

Why is the entire community so... I don't know the words...
created Sep 8th 2020
2 months ago by Everseeker (0 replies)

I can not find the Bluetooth channel!
created Aug 31st 2020
3 months ago by Martin (0 replies)

Fellow Cyber Security Pro's, where do you get your regular feeds of information?
created Aug 11th 2020
3 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Old Worm But New Obfuscation Technique
Nov 13th 2020
3 weeks ago by Xme (0 comments)

AV Cleaned Maldoc
Nov 2nd 2020
1 month ago by DidierStevens (0 comments)

Open Packaging Conventions
Oct 10th 2020
1 month ago by DidierStevens (0 comments)

Traffic Analysis Quiz:
Oct 16th 2020
1 month ago by Brad (0 comments)

send lots of email to