Powered By TEKGENX CONSULTING
Views: 3Encrypted Protocol Analysis: Decrypting HTTPS When investigating web traffic, analysts often run across encrypted traffic. This is caused by using the Hypertext Transfer Protocol Secure (HTTPS) protocol for enhanced security against spoofing, sniffing and intercepting attacks. HTTPS uses TLS protocol to encrypt communications, so it is impossible to decrypt the traffic and view the … Read more
Views: 2Investigate Tunnelling Traffic: ICMP and DNS Traffic tunnelling is (also known as “port forwarding”) transferring the data/resources in a secure method to network segments and zones. It can be used for “internet to private networks” and “private networks to internet” flow/direction. There is an encapsulation process to hide the data, so the transferred data appear natural … Read more
Views: 2Identifying Hosts When investigating a compromise or malware infection activity, a security analyst should know how to identify the hosts on the network apart from IP to MAC address match. One of the best methods is identifying the hosts and users on the network to decide the investigation’s starting point and list the hosts … Read more
Views: 7Introduction to Endpoint Detection and Response (EDR) Endpoint Detection and Response (EDR) is a cybersecurity solution designed to detect, investigate, and respond to threats at the endpoint level. Endpoints include devices like laptops, desktops, servers, and mobile devices that connect to an organization’s network. These are often the primary targets for attackers, making them … Read more
Views: 9Snort Rules Each rule should have a type of action, protocol, source and destination IP, source and destination port and an option. Remember, Snort is in passive mode by default. So most of the time, we will use Snort as an IDS. We will need to start “inline mode” to turn on IPS mode. The Snort rule structure … Read more
Views: 0SNORT in IDS/IPS mode IDS/IPS mode with parameter “-A” There are several alert modes available in snort; Only the “console” and “cmg” parameters provide alert information in the console. It is impossible to identify the difference between the rest of the alert modes via terminal. Differences can be identified by looking at generated logs. IDS/IPS mode with parameter “-A console” … Read more
Views: 28Intrusion Detection System (IDS) IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event. There are two main types of IDS systems; Intrusion Prevention System (IPS) IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. … Read more
Views: 73Splunk Search Processing Language comprises of multiple functions, operators and commands that are used together to form a simple to complex search and get the desired results from the ingested logs. Main components of SPL Search Field Operators Comparison Operators These operators are used to compare the values against the fields. Field Name Operator … Read more
Views: 36Shipping OPNsense firewall logs to Splunk centralizes log management, allowing for seamless consolidation with other network and system logs. This integration enhances visibility into network traffic, enabling the identification of threats like port scans, malware communication, or brute force attacks. By correlating OPNsense logs with logs from other sources, organizations can perform faster root … Read more
Views: 90Adversary emulation with Caldera and Wazuh Please visit here to read PART I of this series, which explains the Caldera setup and Windows agent installation. Agent setup Deploy Agents on Linux machines Now, the lab consists of 2 Windows victims and 1 Linux victim, as reported by Caldera below. Configure Sysmon on Windows victims … Read more