’Twas the night before InfoSec

’Twas the night before Christmas, and fresh off the LAN
The packets were coming fast out of the SPAN.
My Wireshark was up with my templates in place,
In hopes that I’d find an IP I could trace.
The smart home was snug in its /28
With a meager allow-list, and a lock on the gate.
With a few hours to set up and wrap this year’s catches
I’d been charging them up, and applying their patches,
When down in the VLAN there’d been such a spike
I’d opened the logs to see what it looked like.
Away to the dashboard I stumbled and flew;
Most days I’m on Red, but tonight, I was Blue.
The DST in the headers was a weird bogon range.
“Two oh three... zero? You can’t route there... how strange.”
When what, to my wondering eyes, should come back
But a TCP handshake -- not a RST, but an ACK!
A cool sweaty IR-like calm to me came,
As the nightmares and malwares, I ruled out by name:
“The SPIDERs and PANDAs don’t care about me,
It’s not running Windows, so it’s not IcedID…
Not Trickbot, not Ryuk, not Buer or Clop,
Not Scarab or Locky, no second-stage drop.”
A session had opened on port 443,
And a download began - not one started by me.
I looked back to ensure that the capture was on,
And stood by to cut comms once the vandal was gone.
But the session closed up just as fast as it came
And the download just sat there - “GIFT.BIN” was its name.
I’d retrieved a live sample! And without any warning,
Had got something fun to unwrap Christmas morning.
I checked ..