SANS ISC: ISC Handlers - Internet Security | DShield

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • Computer Forensics
  • Software Security
  • Government OnSite Training

ISC Handlers

Recent Diaries:

Recent Diaries:

• An Introduction to VolUtility
• PowerShell 5.1 for Windows 7 and later
• Back in Time Memory Forensics
• Windows Events log for IR/Forensics ,Part 2
• Windows Events log for IR/Forensics ,Part 1

Recent Diaries:

• domain_stats.py a web api for SEIM phishing hunts
• System Resource Utilization Monitor
• Some tools updates
• Powershell Malware - No Hard drive, Just hard times
• Offensive Countermeasures against stolen passswords

Recent Diaries:

• Great Misadventures of Security Vendors: Absurd Sandboxing Edition
• Ransomware Operators Cold Calling UK Schools to Get Malware Through
• Was the Brazilian version of Google hijacked two days ago?
• New Year's Resolution: Build Your Own Malware Lab?
• Mixed Messages : Novel Phishing Attempts Trying to Steal Your E-mail Password Goes Wrong

Click to  View Handler Page

Click to  View Handler Created Tools

Recent Diaries:

• Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?
• CyberChef a Must Have Tool in your Tool bag!
• Microsoft Released Guidance for WannaCrypt
• IPFire - A Household Multipurpose Security Gateway
• Honeypot Logs and Tracking a VBE Script

Click to  View Handler Page

Recent Diaries:

• Tricks for DLL analysis
• The Wonderful World of CMS strikes again
• Attention *NIX admins, time to patch!
• Heartbleed hunting
• CSAM: WebHosting BruteForce logs

Recent Diaries:

• Cisco Security Advisory: Default Credentials
• Exploit o' the day: DROWN
• Disaster Recovery Starts with a Plan
• GnuPG (GPG) 2.1.9 release announced
• Risk... in the most obscure places

Click to  View Handler Page

Recent Diaries:

• WTF tcp port 81
• New tool: sigs.py
• Quick and dirty generic listener
• New tool: docker-mount.py
• Guest Diary: Linux Capabilities - A friend and foe

Recent Diaries:

• A day in the life of a pentester, or is my job is too sexy for me?
• Infocon change to yellow for Adobe Flash issues
• OOB Adobe patch!
• Less is, umm, less?
• Security update for Adobe Flash player

Recent Diaries:

• NemucodAES and the malspam that distributes it
• Catching up with Blank Slate: a malspam campaign still going strong
• Petya? I hardly know ya! - an ISC update on the 2017-06-27 ransomware outbreak
• Checking out the new Petya variant
• Wide-scale Petya variant ransomware attack noted

Recent Diaries:

• An Occasional Look in the Rear View Mirror
• What Can You Learn On Your Own?
• KNOW before NO
• Distraction as a Service
• What's On Your Not To Do List?

Recent Diaries:

• Gate to Fiesta exploit kit on 94.242.216.69
• VMWare ESX/ESXi Security Advisory
• Defending Against Web Server Denial of Service Attacks
• ISC BIND DoS
• Apple Blocks Older Insecure Versions of Flash Player

Recent Diaries:

• Holiday Safe Computing Tips
• Angler Exploit Kits Reported
• Cisco Security Advisories Issued
• Dropbox Breach
• The life of an IT Manager

Recent Diaries:

• New Adobe Flash Vulnerability - CVE-2015-0313
• Microsoft Security Bulletin Advance Notification for July 2014
• PHP 5.4.27 released
• Sunday Reading
• Symantec goes yellow

Recent Diaries:

• It has been a month and a bit how is your new patching program holding up?
• Looking for some emails
• Time for some predictions
• Checking my honeypot day
• Malware being distributed pretending to be from AU Fedcourts

Recent Diaries:

• What is going on with Port 83?
• File2pcap - A new tool for your toolkit!
• BitTorrent or Something Else?
• Cisco - Issue with Clock Signal Component
• Packet Analysis - Where do you start?

Recent Diaries:

• Lessons Learned from Industrial Control Systems
• Nmap/Google Summer of Code
• F-Secure: FSC-2015-2: PATH TRAVERSAL VULNERABILITY
• PHP 5.5.23 is available
• Repurposing Logs

Renato Marinho is Chief Research Officer at Morphus Labs. His journey in the area began in 2001, when he created Nettion, one of the first firewalls to use the contemporary UTM (Unified Threat Management) concept. Experienced in cyber security, Marinho was internationally recognized in 2016 by his research that unveiled Mamba, the first full disk encryption ransomware. At Morphus Labs, he oversees research, innovation and development of new products. Master and PhD candidate in Applied Informatics, he is also professor at University of Fortaleza teaching Computer Forensics in the post-graduate course. He is also a speaker having presented at Ignite Cybersecurity Conference, BSides Delaware, BSides Vienna, WSKS Portugal and Brazilian CSIRTs Forum.

Recent Diaries:

• Black Hat is coming and with it a good reason to update your "Broadcom-based" devices
• SMS Phishing induces victims to photograph its own token card
• July's Microsoft Patch Tuesday
• DDoS Extortion E-mail: Yet Another Bluff?

Click to  View Handler Created Tools

Recent Diaries:

• Adversary hunting with SOF-ELK
• WannaCry? Do your own data analysis.
• Critical security update: PHPMailer 5.2.20 (CVE-2016-10045)
• Steganography in Action: Image Steganography & StegExpose
• Scapy vs. CozyDuke

Xavier Mertens is a freelance security consultant based in Belgium. Xavier started his own company (https://www.truesec.be) in 2013 to offer pentesting, incident handling and forensic services. He holds GIAC certifications and is also CISSP and CISA. Xavier has a blog about security (https://blog.rootshell.be) and is co-organizer of the BruCON security conference (http://www.brucon.org).

Recent Diaries:

• Bots Searching for Keys & Config Files
• Backup Scripts, the FIM of the Poor
• A VBScript with Obfuscated Base64 Data
• Obfuscating without XOR
• Systemd Could Fallback to Google DNS?

Click to  View Handler Created Tools

Recent Diaries:

• Wait What? We don?t have to change passwords every 90 days?
• Do you have Intel AMT? Then you have a problem today! Intel Active Management Technology INTEL-SA-00075
• What is really being proxied?
• December 2016 Patch Tuesday Brief and Updates
• Guest Diary, Etay Nir: Flipping the Economy of a Hacker

Mr. Santander Pelaez currently serves as the Chief Information Security Officer of Empresas Publicas de Medellin E.S.P. in Medellin,Colombia. His areas of interest are Intrusion Detection, Computer Forensics, Incident Response, SCADA Security, Network Design and cyberwarfare.

Recent Diaries:

• Effective security governance
• Encryption inside Utility Industrial Control Systems (ICS) communication protocols: a must to preserve the confidentiality of information and reliability of the industrial process
• CVE-2016-7461: VMware Workstation and Fusion updates address critical out-of-bounds memory access vulnerability
• Performing network forensics with Dshell. Part 2: Decoder development process
• VMWare Security Advisories VMSA-2016-0005

Recent Diaries:

• Curious SNMP Traffic Spike
• XOR DDOS Mitigation and Analysis
• Social Engineering Alive and Well
• NTP DDoS Counts Have Dropped
• Avast forums hacked

Didier Stevens (Microsoft MVP Consumer Security) holds many certifications from SANS, Microsoft, Cisco, ... He is a Senior Analyst (NVISO https://www.nviso.be). Didier started his own company in 2012 to provide IT security training services (http://DidierStevensLabs.com). You can find his open source security tools on his IT security related blog at https://blog.DidierStevens.com.

Recent Diaries:

• Another .lnk File
• Malicious .iso Attachments
• Office maldoc + .lnk
• Basic Office maldoc analysis
• Selecting domains with random names

Recent Diaries:

• Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2)
• Analysis of Competing Hypotheses (ACH part 1)
• How many “Epoch” times? Epocalypse.py timestamp converter
• Defining Threat Intelligence Requirements
• Volatility Bot: Automated Memory Analysis

Dr. Johannes Ullrich is the Dean of Research and a faculty member of the SANS Technology Institute. In November of 2000, Johannes started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry. Secure Computing Magazine named him in 2005 one of the Top 5 influential IT security thinkers. His research interests include IPv6, Network Traffic Analysis and Secure Software Development. Johannes is regularly invited to speak at conferences and has been interviewed by major publications, radio as well as TV stations. He is a member of the SANS Technology Institute's Faculty and Administration as well as Curriculum and Long Range Planning Committee. As chief research officer for the SANS Institute, Johannes is currently responsible for the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. More Details: http://www.linkedin.com/in/johannesullrich

Click to  View Handler Page

Recent Diaries:

• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 ? Log Files artefacts)
• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud (Part 1)
• Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious"
• Fake DDoS Extortions Continue. Please Forward Us Any Threats You Have Received.
• Windows Error Reporting: DFIR Benefits and Privacy Concerns

Click to  View Handler Created Tools

Recent Diaries:

• As Your Admin Walks Out the Door ..
• What did we Learn from WannaCry? - Oh Wait, We Already Knew That!
• OAuth, and It's High Time for Some Personal "Security-Scaping" Today
• The Quest for the Universal Fingerprint
• Migrating Telnet to SSH without Migrating

Recent Diaries:

• Using nmap to scan for MS17-010 (CVE-2017-0143 EternalBlue)
• Cloudflare data leak...what does it mean to me?
• Practical collision attack against SHA-1
• Multiple vulnerabilities discovered in popular printer models
• More on Protocol 47 denys

Recent Diaries:

• Summer STEM for Kids
• SSMA Usage
• Dynamite Phishing
• Blocking Powershell Connection via Windows Firewall.
• Mapping Attack Methodology to Controls

Recent Diaries:

• Are you getting I-CANNED ?
• Decoding Pseudo-Darkleech (Part #2)
• Decoding Pseudo-Darkleech (#1)
• New Years Resolutions
• Critical Security Controls: Getting to know the unknown

Click to  View Handler Created Tools

Recent Diaries:

• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 ? Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts)
• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 ? Physical Memory artefacts)
• Uberscammers
• OAUTH phishing against Google Docs ? beware!
• Powershelling with exploits