Threat Intelligence Report - IOCs Weekly

These reports outline various IOCs detected by my honeypots and provide a snapshot of attacker trends. While these IOCs will be stale by the time you review them, they will provide historical context and opportunities for analysis. 

Attacker Location:

Connections by Country (20):

2020_06_28-IOC_COUNTRY.csv

Top attacking countries are China (24.04%), Ireland (16.49%), Russia (8.36%), United States (8.24%) and Panama (7.06%). It'll be interesting to see how they change over time. I'll create another report detailing this every quarter.

Passwords (11,071):

2020_06_28-IOC_PASSWORDS.csv

A list of the passwords attempted against my SSH honeypots. I plan to compile a master list of these and release the results every couple months.

Attacker IP Addresses (3,676):

2020_06_28-IOC_IP.csv

Set of unique IPs attempting to connect to my honeypots. I consider these stale after a couple of days. They may provide historical context, but I wouldn't rely on them alone to correlate events, since an address seen attacking last week may have been reassigned or cleaned up by now.
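To show how a staleness window like the one above can be applied in practice, here is an added example (not code from the report) that loads an attacker-IP list, matches it against sshd authentication log lines, and separates hits that fall within the window from hits that are too old to trust on their own. The CSV columns (`ip,first_seen`), the IOC rows, and the log lines are all constructed for the example and are not the contents of 2020_06_28-IOC_IP.csv.

```python
"""Correlate honeypot attacker-IP IOCs with sshd auth log lines while
honouring a staleness window.

Added example: the IOC rows and log lines are constructed, and the CSV
layout (ip,first_seen) is an assumption, not the report's own format.
"""
import csv
import io
import re
from datetime import datetime

# Constructed IOC export (assumed columns: ip, date the honeypot first saw it).
IOC_CSV = """ip,first_seen
203.0.113.45,2020-06-26
198.51.100.7,2020-06-21
192.0.2.19,2020-06-27
"""

# Constructed sshd lines in default syslog format (no year in the timestamp).
AUTH_LOG = """Jun 28 01:12:03 bastion sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 28 01:12:09 bastion sshd[2211]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Jun 28 02:40:51 bastion sshd[2305]: Accepted publickey for deploy from 10.0.0.8 port 53310 ssh2
Jun 28 03:05:17 bastion sshd[2390]: Invalid user oracle from 192.0.2.19 port 44812
"""

# Captures the syslog timestamp, the sshd message up to "from", and the peer IP.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<msg>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def load_iocs(text):
    """Parse the IOC CSV into {ip: first_seen date}."""
    return {
        row["ip"]: datetime.strptime(row["first_seen"], "%Y-%m-%d").date()
        for row in csv.DictReader(io.StringIO(text))
    }


def correlate(iocs, log_text, log_year, max_age_days=2):
    """Return (fresh_hits, stale_hits).

    A hit is stale when the log event is more than max_age_days after the
    IOC's first_seen date, i.e. outside the report's "couple of days" window.
    The syslog year is supplied by the caller because sshd does not log it.
    """
    fresh, stale = [], []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m or m["ip"] not in iocs:
            continue
        event_day = datetime.strptime(
            f"{log_year} {m['ts']}", "%Y %b %d %H:%M:%S"
        ).date()
        age = (event_day - iocs[m["ip"]]).days
        hit = {"ip": m["ip"], "age_days": age, "msg": m["msg"]}
        (fresh if age <= max_age_days else stale).append(hit)
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = correlate(load_iocs(IOC_CSV), AUTH_LOG, log_year=2020)
    for label, hits in (("fresh", fresh), ("stale", stale)):
        for h in hits:
            print(f"[{label}] {h['ip']} age={h['age_days']}d {h['msg']}")
```

Fresh hits are worth an immediate look; stale hits are kept but reported separately so an analyst can use them as historical context without treating them as current attribution. Tune `max_age_days` to how quickly addresses churn in your own telemetry.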

Honeypot Outbound Requests (1,860):

2020_06_28-IOC_OUTBOUND.csv

Outbound connection requests initiated by compromised honeypots. There's a good chance these resources are themselves compromised and could be serving a second-stage payload. The list also contains everyday sites you would expect (facebook, google, etc.), so it will require some digging through.

Filenames (24):

2020_06_28-IOC_FILENAME.csv

Filenames can obviously change over time, but I continue to see the same files used again and again. While the file name is just one data point to search against, the file's hash can also tell us how unique it is.

File Hashes SHA-256 (336):

2020_06_28-IOC_SHA256.csv

Unique file hashes seen over the last week. Most of these should be identified by VirusTotal and picked up by any AV vendor. My honeypots get fresh IOC hashes that stay unidentified for maybe a few hours before VirusTotal starts to accurately identify them.

SSH Commands (100):

2020_06_28-IOC_CMD.csv

List of the 100 most common SSH commands issued on my honeypots. Good insight into what attackers are doing, but it doesn't accurately portray an entire session. Look for similar commands in your environment.
