INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
[Guest Diary] Malware Source Servers: The Threat of Attackers Using Ephemeral Ports as Service Ports to Upload Data
Published: 2025-02-26
Last Updated: 2025-02-26 02:21:53 UTC
by Robin Zaheer, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Robin Zaheer, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
During my time as an intern with SANS Internet Storm Center, my DShield honeypot has seen a variety of attacks that prove to be interesting case studies. Most commonly, I have seen thousands upon thousands of password guessing attacks, for which the ISC provides a nifty webpage that displays the top source IPs, usernames, and passwords used in said attacks observed by my honeypot for SSH/Telnet. Here is a snapshot of that page ...
These attacks are most certainly worth studying, but I think the attacks that occur after the attackers succeed in their password guessing draw my interest the most. After all, attacker behavior is most easily studied when they are given the access necessary to attempt what they mean to do within a target system. The attack I wish to focus on today utilizes a cloud IP that has remained undetected by malicious IP identifiers. It started with the following password guessing attack ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Malware+Source+Servers+The+Threat+of+Attackers+Using+Ephemeral+Ports+as+Service+Ports+to+Upload+Data/31710/
Using ES|QL in Kibana to Queries DShield Honeypot Logs
Published: 2025-02-20
Last Updated: 2025-02-20 02:06:46 UTC
by Guy Bruneau (Version: 1)
With the Elastic release of version 8.17.0, it included "The technical preview of new MATCH and query string (QSTR) functions in ES|QL makes log searches easier and more intuitive." With this release, I started exploring some of the many options available with ES|QL in Kibana, enabled by default, to do various types of queries to quickly summarize data, outside of the default or custom dashboards.
To illustrate this, I will show two different queries, one with user.name and one with source actor IP addresses. While writing the query, you will notice that after you include the pipe (|), a list of possible ES|QL field options will appear; refer to this reference for the ES|QL language.
This is an example of a simple strategy where the only field selected is the user.name stored in the Elasticsearch cowrie table. In this example, the output is limited by time and up to 1000 rows. By adding | LIMIT 10 to the end of the query, the output would only show the TOP 10 vs. up to 1000 ...
Read the full entry: https://isc.sans.edu/diary/Using+ESQL+in+Kibana+to+Queries+DShield+Honeypot+Logs/31704/