2023 – NetwerkLABS

Threat Hunting Threat Detection and Incident Response Elastic SIEM

Practical Threat Hunting using Elastic SIEM: Hunting for Stuxbot

Based on the INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC module from HTB-Academy Hunting for Stuxbot The Stuxbot cybercrime group operates with a broad scope, seizing upon opportunities as they arise, without any specific targeting…

Bharath Narayanasamy Elastic, Threat_hunting

Threat Hunting SOC Analyst Threat Detection and Incident Response

Netminer

NetworkMiner CapabilityDescriptionTraffic sniffingIt can intercept the traffic, sniff it, and collect and log packets that pass through the network.Parsing PCAP filesIt can parse pcap files and show the content of the packets in detail.Protocol analysisIt can identify the…

Bharath Narayanasamy Threat_hunting, threat_detection, netminer, dfir

SOC Analyst Threat Detection and Incident Response BLUE TEAM

Introduction to Network Forensics

Source: Tryhackme Networkminer room Introduction to Network Forensics Network Forensics is a specific subdomain of the Forensics domain, and it focuses on network traffic investigation. Network Forensics discipline covers the work done to access information transmitted…

Bharath Narayanasamy BLUE, networkminer, traffic_analysis, threat_detection, dfir

BLUE TEAM DETECT

Wireshark: 802.11 Denial of Service

Bharath Narayanasamy wireshark, wifi, 802.11

Threat Detection and Incident Response BLUE TEAM DETECT

Analysis with Wireshark

TShark VS. Wireshark (Terminal vs. GUI) TShark is a purpose-built terminal tool based on Wireshark. TShark shares many of the same features that are included in Wireshark and even shares syntax and options. TShark is perfect…

Bharath Narayanasamy wireshark

Cheat Sheets IDENTIFY DETECT

TCPDump

Locate tcpdump which tcpdump Install TCPdump sudo apt install tcpdump Tcpdump Version Validation sudo tcpdump --version TCPDump will resolve IPs to hostnames by default. Traffic Captures with Tcpdump Basic Capture Options Switch CommandResultDWill display any interfaces…

Bharath Narayanasamy tcpdump

DETECT Elastic SIEM

Elastic SIEM: Developing Dashboards & Visualization

Use case 1: Failed Logon Attempts (Disabled Users) https://youtu.be/7Uyqek-FdwI Use case 2: Failed Logon Attempts (using Admin Accounts) https://youtu.be/UGRmsoqk0EM Use case 3: Successful RDP Logon Related To Service Accounts https://youtu.be/eRjA6TpEryk Use case 4: Users Added Or…

Bharath Narayanasamy SIEM, Elastic, Threat_hunting

Elastic SIEM BLUE TEAM DETECT

SIEM Use cases

How To Build SIEM Use Cases Comprehend your needs, risks, and establish alerts for monitoring all necessary systems accordingly. Determine the priority and impact, then map the alert to the kill chain or MITRE framework. Establish…

Bharath Narayanasamy Usecase, SIEM, Elastic

Traffic Analysis

Traffic Analysis Essentials

There are two main techniques used in Traffic Analysis: Flow AnalysisPacket AnalysisCollecting data/evidence from the networking devices. This type of analysis aims to provide statistical results through the data summary without applying in-depth packet-level investigation.Advantage: Easy to…

Bharath Narayanasamy traffic

Brute Force Attacks

Login Brute Forcing

Where to find the passwords/hashes WindowsLinuxunattend.xmlshadowsysprep.infshadow.bakSAMpassword Types of Password Attacks Dictionary attackBrute forceTraffic interceptionMan In the MiddleKey LoggingSocial engineering

Bharath Narayanasamy hydra, brute-force, ncrack