Hello and welcome to the Thursday, May 29th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and this episode brought you by the Sands.edu graduate certificate program in cloud security is recorded as usual in Jacksonville, Florida.

Well, in Diaries today, we got another one from one of our undergraduate students.

Jennifer Wilson did a little experiment demonstrating how you can use large language models

like chat GPT in order to assist you in better understanding various artifacts that you may

recover from a honeypot.

Now, in this particular case, well, it was a little bit an oddly named file that sort of

triggered the investigation here.

It had this sort of hex name, but there was a lowercase S at the

end as well, which made it kind of, well, appear that it's not just sort of a simple random hex-encoded

string. And after going forth and back here a little bit with ChatGPT,

Jennifer was able to figure out that this particular file name is associated with Telegram

desktop and, well, where you basically sort of have various encryption keys and such stored.

So certainly an interesting finding something that wasn't quite as easy and straightforward

to find with a simple search.

The help from the chat GPDA system here certainly helped, but also demonstrates how

a lot of this is about asking the right questions,

not accepting the first answer you're getting necessarily as true, and sort of that dialogue,

really, where you have a skilled analyst, use chat sheet, P10 in order to figure out what this

particular string here was really all about.

And Softos published a blog post about attacks that they have observed from Ransomber

that took advantage of unpatched instances of Simple Help.

...