These reports will outline various IOCs detected by my honeypots and provide a snapshot of attacker trends. While these IOCs will be stale by the time you review them, they will provide historical context and opportunities for analysis.
Connection By Country(20):
Top attacking countries are China (23.52%), Ireland (15.6%), Germany(8.58%) and Russia (8.25%). I don’t expect the top attackers to change much over time, but it will be interesting to see how influence shifts based on external factors.
A list of the passwords attempted against my SSH honeypots. I plan to compile a master list of these and release the results every couple months.
Attacker IP addresses(2,669):
Set of unique IPs attempting to connect to my honeypots. I consider these stale after a couple days. They may provide historical context, but I wouldn’t completely rely on the accuracy of them to correlate events.
Honeypot Outbound Requests(1,146):
Outbound connection requests initiated by compromised honeypots. There’s a good chances these resources are compromised and could be involved in a second stage payload. The list also contains everyday sites you would expect (facebook, google, etc.), so it will require some digging through.
Filenames can obviously change overtime, but I continue to see the same files used again and again. While the files name is just one data point to search against, the files hash can also tell us how unique it is.
File Hashes SHA-256(91):
Unique file hashes seen over the last week. Most of these should be identified by VirusTotal and picked up by any AV vendor. My honeypots get fresh IOC hashes that last for maybe a few hours, then Virus Total starts to accurately identify them.
List of the 100 most common SSH commands issued on my honeypots. Good insight into what attackers are doing, but doesn’t accurately portray an entire session. Look for similar commands in your environment.