Tag: threat hunting

Onion-Zeek-RITA

This research is also available for download from the SANS Reading Room. I’ve included the link below. Feel free to add comments or ask questions on this website even if you download the paper from the SANS Reading Room.

Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity

Changelog
26 Dec 2018 – Originally posted
6 Jan 2019 – Added link to SANS Reading Room

Abstract
The information security industry is predicted to exceed 100 billion dollars in the…


Mysterious outbound UDP traffic on port 8888… Help!

What is this traffic on port 8888? Or a device is infected and trying to communicate over port 8888 to IP addresses all over the world?!?! I’ve seen forum posts with similar titles a handful of times now and the final result is often someone discovering the Private Internet Access (PIA) client on a device or computer. I get a chuckle every time I see it because I was once in their shoes so I figured I would make a…


Shadow Brokers Dump And Best Practices

Well that’s a weird title, right? Now that the dust has settled to some degree, let’s look at a not-so-obvious takeaway from the latest security news that simultaneously set everyone’s hair on fire. The latest Shadow Brokers dump is bad on so many different levels. Let’s not concentrate on the potential levels of government and private industry collusion our guts told us existed, but we weren’t sure of. Even now, Microsoft is claiming the vulnerabilities were fixed as part of a…


Uncovering Indicators of Compromise

This is the “newest” version of a paper and script I originally wrote as part of my SANS gold paper for the GCCC certification. The paper re-write was primarily in preparation for my presentation of the topic at the 2016 Nagios World Conference… Unfortunately, the conference was canceled. <sigh> Nonetheless, the paper now covers version 6 of the Critical Security Controls instead of 5.1.

Changelog
6 October 2015 – Originally posted
16 October 2016 – Updated for version 6 of CSCs

The original paper in PDF…
