#DFIR

2025-05-31

2025-05-29 RDP #Honeypot IOCs - 31398 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
165.232.170.129 - 24966
128.199.168.88 - 5115
143.198.221.164 - 528

Top ASNs:
AS14061 - 31029
AS204428 - 48
AS396982 - 48

Top Accounts:
hello - 31065
142.93.8.59 - 129
Test - 33

Top ISPs:
DigitalOcean, LLC - 31029
SS-Net - 48
Google LLC - 48

Top Clients:
Unknown - 31398

Top Software:
Unknown - 31398

Top Keyboards:
Unknown - 31398

Top IP Classification:
hosting - 31176
Unknown - 201
hosting & proxy - 21

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/aS0d1xUc

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-31

2025-05-29 RDP #Honeypot IOCs - 31397 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
165.232.170.129 - 24965
128.199.168.88 - 5115
143.198.221.164 - 528

Top ASNs:
AS14061 - 31028
AS204428 - 48
AS396982 - 48

Top Accounts:
hello - 31064
142.93.8.59 - 129
Test - 33

Top ISPs:
DigitalOcean, LLC - 31028
SS-Net - 48
Google LLC - 48

Top Clients:
Unknown - 31397

Top Software:
Unknown - 31397

Top Keyboards:
Unknown - 31397

Top IP Classification:
hosting - 31175
Unknown - 201
hosting & proxy - 21

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/95JAv8Uc

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-31

2025-05-29 RDP #Honeypot IOCs - 31396 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
165.232.170.129 - 24964
128.199.168.88 - 5115
143.198.221.164 - 528

Top ASNs:
AS14061 - 31027
AS204428 - 48
AS396982 - 48

Top Accounts:
hello - 31063
142.93.8.59 - 129
Test - 33

Top ISPs:
DigitalOcean, LLC - 31027
SS-Net - 48
Google LLC - 48

Top Clients:
Unknown - 31396

Top Software:
Unknown - 31396

Top Keyboards:
Unknown - 31396

Top IP Classification:
hosting - 31174
Unknown - 201
hosting & proxy - 21

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/AVebmZuy

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-30

Remembering the forensics and accident reconstruction experts testifying in the Karen Read trial is going to run 24/7 in my head if I ever have to testify again.

"Answer the question posed"
"Do not offer additional response"
"I don't know is a full answer"
"Do not be arrogant, seriously, don't"

#DFIR

2025-05-30

Mini Digital Forensic Diaries story: got sent to a university in London to investigate a case where a student, who bragged of hacker prowess openly, was suspected of introducing malware to a machine and stealing a lecturer's password.

“We don’t know how, but we know they logged into the account, and sent emails - and this is the only machine the lecturer uses,” came the brief.

Imaged the machine suspected of being targeted.

While giving the lecturer their laptop back post imaging I observed, via projector, the lecturer entering their password into the username field on the login screen.

“Whoops, I’m always doing that - at least this time it wasn’t in front of the students,” they said.

Sure enough, there was no evidence of anything untoward on the laptop, but I had a good theory as to what may have occurred.

Check out more, less mini, stories like this at infosecdiaries.com.

#dfir #forensics #blueteam #infosec

2025-05-30

Read the latest DFIR news – Forensics Europe Expo returns, new IoT forensics guidance from SWGDE, Apple Unified Logs insights, and more. forensicfocus.com/news/digital #DigitalForensics #DFIR

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-05-30

An analyst told me that their leadership expects them to complete alert triage to root cause analysis within 15 minutes. What are some of the problems with this? #SOC #DFIR

2025-05-30

The #pyarmor deobfuscation journey continues. My colleague published another blogpost, digging even deeper into the topic: cyber.wtf/2025/05/30/pyarmor-b

#DFIR #malware

2025-05-30

We are pleased to announce the official publication of new and updated Neolea training materials. The Neolea initiative is dedicated to providing high-quality, open-source educational resources designed to assist law enforcement agencies (and others) in enhancing their digital forensic and investigative capabilities.

🔗 misp-lea.org/news/2025/05/30/N
🔗 github.com/neolea/neolea-train

#opensource #training #dfir

2025-05-30

2025-05-28 RDP #Honeypot IOCs - 18147 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 6801
128.199.168.88 - 5724
165.232.170.129 - 4398

Top ASNs:
AS14061 - 11046
AS11427 - 6801
AS204428 - 54

Top Accounts:
hello - 17859
142.93.8.59 - 126
Administr - 60

Top ISPs:
DigitalOcean, LLC - 11046
Charter Communications Inc - 6801
SS-Net - 54

Top Clients:
Unknown - 18147

Top Software:
Unknown - 18147

Top Keyboards:
Unknown - 18147

Top IP Classification:
hosting - 11112
Unknown - 7029
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/Aw939apu

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-30

2025-05-28 RDP #Honeypot IOCs - 18146 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 6801
128.199.168.88 - 5724
165.232.170.129 - 4397

Top ASNs:
AS14061 - 11045
AS11427 - 6801
AS204428 - 54

Top Accounts:
hello - 17858
142.93.8.59 - 126
Administr - 60

Top ISPs:
DigitalOcean, LLC - 11045
Charter Communications Inc - 6801
SS-Net - 54

Top Clients:
Unknown - 18146

Top Software:
Unknown - 18146

Top Keyboards:
Unknown - 18146

Top IP Classification:
hosting - 11111
Unknown - 7029
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/F0M15KM8

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-30

2025-05-28 RDP #Honeypot IOCs - 18145 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 6801
128.199.168.88 - 5724
165.232.170.129 - 4396

Top ASNs:
AS14061 - 11044
AS11427 - 6801
AS204428 - 54

Top Accounts:
hello - 17857
142.93.8.59 - 126
Administr - 60

Top ISPs:
DigitalOcean, LLC - 11044
Charter Communications Inc - 6801
SS-Net - 54

Top Clients:
Unknown - 18145

Top Software:
Unknown - 18145

Top Keyboards:
Unknown - 18145

Top IP Classification:
hosting - 11110
Unknown - 7029
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/tqG0NUsM

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-29

@chrissanders88 100% agree. From a SOC perspective, it’s all assumptions on why it fired, and not seeing the exact logic prevents the analyst from fully understanding the reason for alerting and where to potentially pivot next. I’m gonna guess there’s “secret sauce” involved for why they don’t share, but from a detection engineering perspective I need to confirm your logic to ensure I don’t need to supplement it with my own. Is your rule too narrow in scope? Is it outdated and no longer relevant? Does it cover multiple OSes? Security teams have been burned too many times assuming a vendor’s detection base provides coverage for certain threats when in reality it sat there and watched while it happened. Custom logic should always have comments for what it’s looking for, relevant cyber threat intelligence reporting to support its creation, MITRE ATT&CK T-code for tracking, and tips for SOC analysis. #soc #dfir #DetectionEngineering #threatintelligence #cti

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-05-29

And no, vendors, the detection signature isn't your market differentiator. That should be, among other things, your ability to create and maintain high-quality detection signatures quickly. #ThreatIntel #SOC #DFIR

2025-05-29

A collection of over 1000 Git repositories with tools for IT security/infosec. Caution, there will be malware 🕵️‍♂️

github.com/r1cksec/cheatsheets

#infosec #cybersecurity #redteam #pentest #dfir #threatintel #malware #opensource

2025-05-29

2025-05-28 RDP #Honeypot IOCs - 18144 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 6801
128.199.168.88 - 5724
165.232.170.129 - 4395

Top ASNs:
AS14061 - 11043
AS11427 - 6801
AS204428 - 54

Top Accounts:
hello - 17856
142.93.8.59 - 126
Administr - 60

Top ISPs:
DigitalOcean, LLC - 11043
Charter Communications Inc - 6801
SS-Net - 54

Top Clients:
Unknown - 18144

Top Software:
Unknown - 18144

Top Keyboards:
Unknown - 18144

Top IP Classification:
hosting - 11109
Unknown - 7029
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/nMQ8CNXU

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-29

2025-05-28 RDP #Honeypot IOCs - 12096 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 4534
128.199.168.88 - 3816
165.232.170.129 - 2930

Top ASNs:
AS14061 - 7362
AS11427 - 4534
AS204428 - 36

Top Accounts:
hello - 11904
142.93.8.59 - 84
Administr - 40

Top ISPs:
DigitalOcean, LLC - 7362
Charter Communications Inc - 4534
SS-Net - 36

Top Clients:
Unknown - 12096

Top Software:
Unknown - 12096

Top Keyboards:
Unknown - 12096

Top IP Classification:
hosting - 7406
Unknown - 4686
proxy - 4

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/fZW57bHF

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-29

2025-05-28 RDP #Honeypot IOCs - 6048 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 2267
128.199.168.88 - 1908
165.232.170.129 - 1465

Top ASNs:
AS14061 - 3681
AS11427 - 2267
AS204428 - 18

Top Accounts:
hello - 5952
142.93.8.59 - 42
Administr - 20

Top ISPs:
DigitalOcean, LLC - 3681
Charter Communications Inc - 2267
SS-Net - 18

Top Clients:
Unknown - 6048

Top Software:
Unknown - 6048

Top Keyboards:
Unknown - 6048

Top IP Classification:
hosting - 3703
Unknown - 2343
proxy - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/9n0wXuWk

#CyberSec #SOC #Blueteam #SecOps #Security

2025-05-28

Interesting defense against attacks:

Move your SSH authorized_keys to a different location and set the rights to 0444. Then an attacker needs root rights to place an SSH backdoor.

isc.sans.edu/diary/31986

#DFIR #knowledgedrop #hardening
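As an added example (not from the post above or the SANS diary it links), the check I would run after applying that hardening: resolve where sshd will actually look for a user's authorized_keys, then confirm the file and its directory cannot be written by the account they authorize. The default OpenSSH path and the token expansion (%u, %h, %%) are real sshd_config behaviour; the hardened path /etc/ssh/authorized_keys/%u is my assumed choice of "different location", and both config snippets are constructed samples.

```python
import os
import stat
import tempfile

# Default OpenSSH layout: the key file lives in the user's own home directory,
# so anything running as that user can append a key. (Constructed sample.)
DEFAULT_CONFIG = """
Port 22
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
"""

# Hardened layout in the spirit of the post: a root-owned path outside the home
# directory, one file per user. The exact path is an assumption. (Constructed.)
HARDENED_CONFIG = """
Port 22
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
PasswordAuthentication no
"""

DEFAULT_PATHS = [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def authorized_keys_paths(config_text, user, home):
    """Resolve the AuthorizedKeysFile paths sshd would use for `user`.

    Mirrors the sshd_config rules that matter here: comments and blank lines are
    skipped, the first occurrence of a keyword wins, %u / %h / %% expand, and a
    relative path is taken from the user's home. Parsing stops at the first
    Match block (conditional directives are out of scope for this check)."""
    paths = None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "authorizedkeysfile" and paths is None and len(parts) == 2:
            paths = parts[1].split()
    if paths is None:
        paths = DEFAULT_PATHS
    resolved = []
    for p in paths:
        p = p.replace("%%", "\x00").replace("%u", user).replace("%h", home).replace("\x00", "%")
        resolved.append(p if os.path.isabs(p) else os.path.join(home, p))
    return resolved


def audit_key_file(path, user_uid):
    """Findings (empty list = good) for one authorized_keys file and its parent
    directory. Target state, per the post: root-owned, 0444, in a directory the
    user cannot write, so planting a key needs root."""
    findings = []
    for label, p in (("file", path), ("directory", os.path.dirname(path))):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings.append(f"{label} {p}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid == user_uid:
            findings.append(f"{label} {p}: owned by the account it authorizes (uid {user_uid})")
        if st.st_uid != 0:
            findings.append(f"{label} {p}: not owned by root (uid {st.st_uid})")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{label} {p}: writable by group or others (mode {mode:04o})")
    return findings


def demo_audit(mode=0o644):
    """Stage a key file in a scratch directory with the given mode and audit it
    as the current user, i.e. the default layout. Only a real root-owned file in
    a root-owned directory comes back with no findings."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = os.path.join(tmp, "authorized_keys")
        with open(key_file, "w") as fh:
            fh.write("ssh-ed25519 AAAA... alice@example\n")  # constructed placeholder key
        os.chmod(key_file, mode)
        return audit_key_file(key_file, os.getuid())
```

Two practical notes. First, the control targets the account itself (or code running as it) appending a key: sshd's StrictModes already refuses key files that are group- or world-writable, but not a file the user owns and can write. Second, once keys live under a root-owned 0444 file, routine key rotation also needs root; that is the point, but plan the provisioning path before flipping the directive.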

2025-05-28

2025-05-27 RDP #Honeypot IOCs - 44448 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
24.173.30.170 - 13512
165.232.170.129 - 12423
167.172.131.118 - 9429

Top ASNs:
AS14061 - 30687
AS11427 - 13512
AS4826 - 54

Top Accounts:
hello - 44202
142.93.8.59 - 111
Test - 30

Top ISPs:
DigitalOcean, LLC - 30687
Charter Communications Inc - 13512
Vocus PTY LTD - 54

Top Clients:
Unknown - 44448

Top Software:
Unknown - 44448

Top Keyboards:
Unknown - 44448

Top IP Classification:
hosting - 30729
Unknown - 13710
proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/R0Ax2ADD

#CyberSec #SOC #Blueteam #SecOps #Security
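The RDP honeypot posts above (2025-05-27 through 2025-05-29) all share one layout, and the same day's thread is re-posted several times with counts that differ by one (31398, 31397, 31396). As an added example, not part of the honeypot author's posts or dataset, here is a Python parser for that layout that turns the posts into structured records, de-duplicates the same-day re-posts, builds a blocklist and pulls out the IP-literal username the scanners use. The sample input embeds three of the page's posts trimmed to two sections; the 1000-scans threshold and the max-not-sum rule for same-day re-posts are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: three post bodies from this page, trimmed to the
# header plus "Top IPs" and "Top Accounts". The first two are the near-identical
# re-posts of the 2025-05-29 thread (31398 vs 31397 scans).
SAMPLE_POSTS = [
    """2025-05-29 RDP #Honeypot IOCs - 31398 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
165.232.170.129 - 24966
128.199.168.88 - 5115
143.198.221.164 - 528

Top Accounts:
hello - 31065
142.93.8.59 - 129
Test - 33
""",
    """2025-05-29 RDP #Honeypot IOCs - 31397 scans
Top IPs:
165.232.170.129 - 24965
128.199.168.88 - 5115
Top Accounts:
hello - 31064
142.93.8.59 - 129
""",
    """2025-05-28 RDP #Honeypot IOCs - 18147 scans
Top IPs:
24.173.30.170 - 6801
128.199.168.88 - 5724
165.232.170.129 - 4398
Top Accounts:
hello - 17859
142.93.8.59 - 126
Administr - 60
""",
]

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) RDP #Honeypot IOCs - (\d+) scans$", re.M)
SECTION_RE = re.compile(r"^Top ([A-Za-z ]+):$")
ENTRY_RE = re.compile(r"^(.+?) - (\d+)$")


def parse_post(text):
    """One post -> {'date', 'total', 'sections': {name: [(value, count), ...]}}."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an RDP honeypot IOC post")
    post = {"date": m.group(1), "total": int(m.group(2)), "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            post["sections"][current] = []
            continue
        entry = ENTRY_RE.match(line)
        if current is not None and entry:
            post["sections"][current].append((entry.group(1), int(entry.group(2))))
    return post


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def merge_by_day(posts, section="IPs"):
    """Per-day counts. Same-day re-posts overlap almost entirely, so keep the max
    per (day, value); summing would count the same scans several times."""
    merged = defaultdict(dict)
    for post in posts:
        day = merged[post["date"]]
        for value, count in post["sections"].get(section, []):
            day[value] = max(day.get(value, 0), count)
    return merged


def blocklist(merged, min_scans):
    """IPv4 sources that reached min_scans on at least one day, sorted numerically."""
    peak = defaultdict(int)
    for day in merged.values():
        for value, count in day.items():
            if is_ipv4(value):
                peak[value] = max(peak[value], count)
    return sorted((ip for ip, c in peak.items() if c >= min_scans), key=ipaddress.IPv4Address)


def ip_literal_accounts(post):
    """Usernames that are IPv4 literals (the '142.93.8.59' entry above): almost
    certainly a scanner artefact rather than a real account, so a useful
    fingerprint for a detection of its own."""
    return [name for name, _ in post["sections"].get("Accounts", []) if is_ipv4(name)]
```

The same parser serves every honeypot post on this page; point it at the full 24-hour lists linked from the posts rather than the top-3 excerpts when building an actual watchlist, and keep the max-per-day rule, since feeding the re-posts into a SIEM as independent observations would inflate the hit counts roughly threefold.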

Server: https://mastodon.social