Powered By TEKGENX CONSULTING
Views: 3š”ļø For Cybersecurity Defensive Operations and IR/Threat Hunting š Authentication Events šļø Account Management Events š Object Access Events ā Note: Requires enabling object auditing via GPO and SACLs. š§° Privilege Use and Logon Types PRO Tip: Use Logon Type + Event 4624/4625 to spot RDP logins, scheduled tasks, or lateral movement attempts. āļø … Read more
Views: 36When integrating Windows servers into your Security Information and Event Management (SIEM) platform, selecting the right log sources is crucial for effective threat detection while maintaining optimal system performance. This comprehensive guide outlines the essential Windows event logs to collect, explains their security significance, and provides a ready-to-deploy PowerShell script for configuration.
Views: 169Faraday: Open Source Vulnerability Manager Faraday is a powerful open-source vulnerability management platform designed to help cybersecurity teams streamline their pentesting, vulnerability assessment, and remediation processes. Built with a collaborative and automation-driven approach, Faraday enables security professionals to efficiently collect, analyze, and manage security findings from various tools in a centralized environment. With support … Read more
Views: 25Encrypted Protocol Analysis: Decrypting HTTPS When investigating web traffic, analysts often run across encrypted traffic. This is caused by using the Hypertext Transfer Protocol Secure (HTTPS) protocol for enhanced security against spoofing, sniffing and intercepting attacks. HTTPS uses TLS protocol to encrypt communications, so it is impossible to decrypt the traffic and view the … Read more
Views: 42Investigate Tunnelling Traffic: ICMP and DNS Traffic tunnelling is (also known as “port forwarding”) transferring the data/resources in a secure method to network segments and zones. It can be used for “internet to private networks” and “private networks to internet” flow/direction. There is an encapsulation process to hide the data, so the transferred data appear natural … Read more
Views: 11Identifying Hosts When investigating a compromise or malware infection activity, a security analyst should know how to identify the hosts on the network apart from IP to MAC address match. One of the best methods is identifying the hosts and users on the network to decide the investigation’s starting point and list the hosts … Read more
Views: 25Introduction to Endpoint Detection and Response (EDR) Endpoint Detection and Response (EDR) is a cybersecurity solution designed to detect, investigate, and respond to threats at the endpoint level. Endpoints include devices like laptops, desktops, servers, and mobile devices that connect to an organization’s network. These are often the primary targets for attackers, making them … Read more
Views: 40Snort Rules Each rule should have a type of action, protocol, source and destination IP, source and destination port and an option. Remember, Snort is in passive mode by default. So most of the time, we will use Snort as anĀ IDS. We will need to startĀ “inline mode” to turn onĀ IPSĀ mode.Ā The Snort rule structure … Read more
Views: 6SNORT in IDS/IPS mode IDS/IPS mode with parameter “-A” There are several alert modes available in snort; Only the “console” and “cmg” parameters provide alert information in the console. It is impossible to identify the difference between the rest of the alert modes via terminal. Differences can be identified by looking at generated logs. IDS/IPSĀ mode with parameter “-A console” … Read more
Views: 34Intrusion Detection System (IDS) IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event. There are two main types of IDS systems; Intrusion Prevention System (IPS) IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. … Read more