green">green</a></div> </div> <div class="main-content"> <br /><br /> <div> <a id="archive_matrix"></a> <h1>Diaries</h1> </div> <div> <select id="year" onchange="year(2024)"><option value="">Latest Diaries</option><option value=2024>2024</option><option value=2023>2023</option><option value=2022>2022</option><option value=2021>2021</option><option value=2020>2020</option><option value=2019>2019</option><option value=2018>2018</option><option value=2017>2017</option><option value=2016>2016</option><option value=2015>2015</option><option value=2014>2014</option><option value=2013>2013</option><option value=2012>2012</option><option value=2011>2011</option><option value=2010>2010</option><option value=2009>2009</option><option value=2008>2008</option><option value=2007>2007</option><option value=2006>2006</option><option value=2005>2005</option><option value=2004>2004</option><option value=2003>2003</option> </select> </div> <div class="card-smalls"> <div class="isc-card"><div class="card-body"><a class="card-link">Published: 2024-12-02</a><h2 class="card-title"><a href="../diary/Credential+Guard+and+Kerberos+delegation/31488/">Credential Guard and Kerberos delegation</a></h2><div tabindex="0" class="card-content"><p>The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing <a href="https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/">SEC565: Red Team Operations and Adversary Emulation</a> SANS course that I also teach!) the red team is usually given access as a non-privileged domain user, simulating an attacker that has somehow already established a first foothold in the organization.</p> <p>This works quite well as we know that eventually the attacker will succeed and perhaps get a victim (most of the time through some kind of social engineering) to execute their binary. 
So the first part of such an engagement is to create a malicious binary (an implant) that will evade the security controls in the target organization. Most red teams have specialists for this.</p> <p>The next step is delivery of the implant and its execution in the context of a regular, non-privileged domain user on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating with our front-end servers.</p> <p>What now? While there are many things we do next, such as gaining some awareness of the organization, setting up persistence and trying to move laterally, there are cases when we would like to fetch the user’s password, or their Kerberos TGT (Ticket Granting Ticket). Some actions will not need this, as we can use the built-in Windows authentication of the process our beacon is running under, but if we want, for example, to start a SOCKS proxy and tunnel some tools from our office, we will need to authenticate to target services ourselves, and for that we will need the user’s password, their password hash or their TGT. 
How do we get one through our implant, considering that we do not have local administrator privileges yet?</p> <p><strong><em>Unconstrained delegation</em></strong></p> <p>Back in 2018, Benjamin Delpy, the author of Mimikatz and Kekeo, published a very interesting method (<a href="https://x.com/gentilkiwi/status/998219775485661184">https://x.com/gentilkiwi/status/998219775485661184</a>) of obtaining a user’s TGT without requiring administrator privileges.</p> <p>The trick is the following: as our implant is running as a regular user who is already authenticated, we abuse the Kerberos GSS-API to ask for a service ticket – not for just any service, but for one that has been configured for unconstrained delegation!</p> <p>The idea is this – because we are requesting a service ticket for a service that is configured for unconstrained delegation, the response we receive from the domain controller will also carry our own TGT, which the client is expected to forward to that service. In a normal workflow, this response is converted into an application request (AP-REQ) that is sent to the target service.</p> <p>An AP-REQ is made up of two components: a ticket and an authenticator. We are interested in the authenticator – it is encrypted with the ticket session key, which is known to us and to the target service that we want to access. And this is where Benjamin’s research comes into play – if we request a service ticket for a service that has been configured for unconstrained delegation, the authenticator will contain our TGT (since the target service will need it)!</p> <p>In other words, we can carve out the TGT of the currently logged-in user without needing administrator privileges! This functionality exists in Rubeus, but if you are running your Cobalt Strike implant (in SEC565 we use Cobalt Strike and Empire), it is better to use a BOF for this purpose. 
There are several BOFs you can use; one I like is the tgtdelegation BOF available at <a href="https://github.com/connormcgarr/tgtdelegation">https://github.com/connormcgarr/tgtdelegation</a></p> <p>Before we start using it, one thing we have not yet mentioned is how to find a service that has been configured for unconstrained delegation. This is actually trivial, as Domain Controllers are configured for unconstrained delegation by default, so we can use, for example, CIFS/domain.controller or HOST/domain.controller as the target SPNs.</p> <p><img alt="tgtdelegation BOF output on a host without Credential Guard: the AP-REQ is dumped, the session key and AES256 encryption type are identified and the TGT is extracted" src="https://isc.sans.edu/diaryimages/images/nocredguard.png" style="width: 578px; height: 800px;" /></p> <p>The figure above shows how easy it is to fetch the TGT. You can see how the BOF displayed the AP-REQ output, extracted the session key, identified the encryption algorithm (AES256) and finally (not visible) extracted the TGT.</p> <p><em><strong>Credential Guard</strong></em></p> <p>Having fetched a TGT, we can now do a number of other things, including relaying traffic through a SOCKS proxy. So in a recent engagement I tried to do this, but all requests failed – every single time, the response did not contain a TGT, even though the target service was indeed configured for unconstrained delegation and the account used was not marked as “<em>Account is sensitive and cannot be delegated.</em>”</p> <p><img alt="tgtdelegation BOF output on a host with Credential Guard enabled: the AP-REQ is generated but its authenticator contains no TGT" src="https://isc.sans.edu/diaryimages/images/credguard.png" style="width: 584px; height: 400px;" /></p> <p>In other words, we can see that the AP-REQ was indeed generated, but its authenticator did not contain our TGT. 
What could cause this?</p> <p>After some time and research, it turned out that the reason for this was Credential Guard, which was enabled on the client machine.</p> <p>Among the other (great) security features that Credential Guard brings, the one that matters for this particular attack (or abuse) is that Credential Guard blocks Kerberos unconstrained delegation from the protected client: the user’s TGT is never handed over to the target service, which effectively prevents us from extracting it (and will also break any application that relies on this feature!).</p> <p>Besides this, Credential Guard also blocks NTLMv1 completely, and there are a number of other nice security controls, as listed at <a href="https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/">https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/</a></p> <p><em><strong>Test and enable!</strong></em></p> <p>In the engagements I do, I still do not see Credential Guard enabled in many enterprises. No wonder, since it can break some things (applications that depend on unconstrained delegation, as shown above, being one example); however, as Microsoft is now enabling Credential Guard by default in Windows 11 22H2 and Windows Server 2025, it is definitely worth testing whether your organization is ready for wide adoption. It will not stop every attack, but every single step helps!<br /> <br /> Thanks to my team members Luka, Neven, Fran and Mislav for debugging! 
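In a RT you need a team!<br /> <br /> --<br /> Bojan<br /> <a href="https://twitter.com/bojanz">@bojanz</a><br /> <a href="https://bsky.app/profile/bojanz.bsky.social">@bojanz.bsky.social</a><br /> <a href="https://www.infigo.is/">INFIGO IS</a></p> </div><div class="card-comments"><p>0 Comments </p></div><div class="card-footer"><img src="../images/design/custom/headshots/avatar.jpg" class="img-thumbnail" alt="..."><div class="author-footer"><div class="author"><strong>Bojan Zdrnja</strong></div></div></div></div></div> </div>
<script>
  // Archive navigation helpers for the year/month <select> controls above.
  // All three functions are referenced from inline handlers (e.g.
  // onchange="year(2024)"), so they must remain global. The previous version
  // assigned to bare `year` / `month` inside these bodies, which replaced the
  // global functions with strings on first call; locals are now block-scoped.

  // Navigate to the archive for the selected year, or to the latest diaries
  // when the placeholder option (empty value) is selected. Any argument passed
  // by the inline handler is ignored, as before.
  function year() {
    const yearSelect = document.getElementById("year");
    const selectedYear = yearSelect ? yearSelect.value : "";
    if (selectedYear !== "") {
      window.location = "/diaryarchive.html?year=" + encodeURIComponent(selectedYear);
    } else {
      window.location = "/diaryarchive.html";
    }
  }

  // Navigate to a specific year/month. Requires both #year and #month selects;
  // this page variant renders only #year, so do nothing if either is missing
  // rather than throwing. Uses the option's value (the year), not its display
  // text, so the "Latest Diaries" placeholder can no longer leak into the URL.
  function month() {
    const yearSelect = document.getElementById("year");
    const monthSelect = document.getElementById("month");
    if (!yearSelect || !monthSelect) {
      return;
    }
    const selectedYear = yearSelect.value;
    if (selectedYear === "") {
      window.location = "/diaryarchive.html";
      return;
    }
    window.location = "/diaryarchive.html?year=" + encodeURIComponent(selectedYear)
      + "&month=" + encodeURIComponent(monthSelect.value);
  }

  // Sync the selects with the ?year= / ?month= query parameters so the controls
  // reflect the archive currently shown. Query values are only ever assigned to
  // a select's .value property (never inserted as HTML); a value that matches no
  // option simply leaves the select unchanged. Skips a select that is absent.
  function matchSelections() {
    const urlParams = new URLSearchParams(window.location.search);
    const monthParam = urlParams.get("month");
    const yearParam = urlParams.get("year");
    const monthSelect = document.getElementById("month");
    const yearSelect = document.getElementById("year");
    if (monthParam !== null && monthSelect) {
      monthSelect.value = monthParam;
    }
    if (yearParam !== null && yearSelect) {
      yearSelect.value = yearParam;
    }
  }

  document.addEventListener("DOMContentLoaded", function () {
    matchSelections();
  });
</script>
<div class="top-link"><a href="#">Top of page</a></div><!-- / .top-link --> </div> </div> </div> <span id="isc-menu" class="isc-menu" tabindex="0" aria-label="Open the menu"> <span class="bar" aria-hidden="true"></span> <span class="bar" aria-hidden="true"></span> <span class="bar" aria-hidden="true"></span> </span> <div id="navigation" class="isc-nav"> <ul> <li> <a href="/index.html"> <svg style="width:20px;height:20px" viewBox="0 0 24 24"> <path fill="currentColor" d="M10,20V14H14V20H19V12H22L12,3L2,12H5V20H10Z" /> </svg> Homepage </a> </li> <li class="active"> <a href="/diaryarchive.html"> <svg style="width:20px;height:20px" viewBox="0 0 24 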