SANS Internet Storm Centre

SANS Internet Storm Center, InfoCON: green SANS Internet Storm Center - Cooperative Cyber Security Monitor

  • Infocon: green
    on 16 July 2025 at 8:30 am

    ISC Stormcast For Wednesday, July 16th, 2025 https://isc.sans.edu/podcastdetail/9528

  • ISC Stormcast For Wednesday, July 16th, 2025 https://isc.sans.edu/podcastdetail/9528, (Wed, Jul 16th)
    on 16 July 2025 at 2:00 am

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

  • Keylogger Data Stored in an ADS, (Tue, Jul 15th)
    on 15 July 2025 at 7:32 am

    While many malware samples try to be "fileless" (read: they try to reduce their filesystem footprint to the bare minimum), another technique remains interesting: Alternate Data Streams or "ADS"[1]. This NTFS feature allows a file to carry multiple data streams, so hidden or additional data can be stored alongside the main file content without appearing in standard file listings. A common legitimate use of ADS is the "Mark of the Web"[2], which flags files as trusted or suspicious depending on their origin.

  • ISC Stormcast For Tuesday, July 15th, 2025 https://isc.sans.edu/podcastdetail/9526, (Tue, Jul 15th)
    on 15 July 2025 at 2:05 am

  • DShield Honeypot Log Volume Increase, (Mon, Jul 14th)
    on 14 July 2025 at 6:58 pm

    The volume of honeypot logs changes over time. Very rarely are honeypot logs quiet, meaning that there are no internet scans or malicious activity generating logs. Honeypots can see large increases in activity [1], but this has tended to be the exception, rather than the rule. Within the last few months, however, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from my residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that I run and archive logs from frequently.