Category: SANS™ Internet Storm Center

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

While trying to process some of my honeypot data, I ran into the following error in my Python script: "Exception has occurred: ValueError values should be unique if codes is not None" I received the error

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

For a whille now, I have seen scans that contain the pattern "%%target%%" in the URL. For example, today this particular URL is popular: /%%target%%/wp-content/themes/twentytwentyone/style.css I have been ignoring these scans so far. The "wp-content" in

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[This is a Guest Diary by Michael Tigges, an ISC intern as part of the SANS.edu BACS program] On July 16, 2024, I received notification of a suspicious tunnel being opened via SSH in relation to

I recorded a quick live stream with a quick update on CVE-2024-38063. The video focuses on determining the exploitability, particularly whether your systems are reachable by IPv6. After recording this video, Stephen Sims pointed me to

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I found a tiny .bat file that looked not suspicious at all: 3650.bat (SHA256:bca5c30a413db21f2f85d7297cf3a9d8cedfd662c77aacee49e821c8b7749290) with a very low VirusTotal score (2/65)[1]. The file is very simple, it invokes a PowerShell: @shift /0 @echo off powershell.exe -WindowStyle Hidden