Windows Security Log Quick Reference

This entry is part 20 of 25 in the series Threat Detection Engineering

Views: 3šŸ›”ļø For Cybersecurity Defensive Operations and IR/Threat Hunting šŸ” Authentication Events šŸ—ļø Account Management Events šŸ“‚ Object Access Events āœ… Note: Requires enabling object auditing via GPO and SACLs. 🧰 Privilege Use and Logon Types PRO Tip: Use Logon Type + Event 4624/4625 to spot RDP logins, scheduled tasks, or lateral movement attempts. āš™ļø … Read more

SIEM: Onboarding WIndows Servers

This entry is part 19 of 25 in the series Threat Detection Engineering

Views: 26When integrating Windows servers into your Security Information and Event Management (SIEM) platform, selecting the right log sources is crucial for effective threat detection while maintaining optimal system performance. This comprehensive guide outlines the essential Windows event logs to collect, explains their security significance, and provides a ready-to-deploy PowerShell script for configuration.

Vulnerability Management: FARADAY

This entry is part 2 of 4 in the series Governance Risk Compliance

Views: 117Faraday: Open Source Vulnerability Manager Faraday is a powerful open-source vulnerability management platform designed to help cybersecurity teams streamline their pentesting, vulnerability assessment, and remediation processes. Built with a collaborative and automation-driven approach, Faraday enables security professionals to efficiently collect, analyze, and manage security findings from various tools in a centralized environment. With support … Read more

Wireshark 101 | Traffic Analysis and Investigation (PART 04)

This entry is part 17 of 17 in the series Incident Response and Forensics

Views: 24Encrypted Protocol Analysis: Decrypting HTTPS When investigating web traffic, analysts often run across encrypted traffic. This is caused by using the Hypertext Transfer Protocol Secure (HTTPS) protocol for enhanced security against spoofing, sniffing and intercepting attacks. HTTPS uses TLS protocol to encrypt communications, so it is impossible to decrypt the traffic and view the … Read more

Wireshark 101 | Traffic Analysis and Investigation (PART 03)

This entry is part 16 of 17 in the series Incident Response and Forensics

Views: 41Investigate Tunnelling Traffic: ICMP and DNS Traffic tunnelling is (also known as “port forwarding”) transferring the data/resources in a secure method to network segments and zones. It can be used for “internet to private networks” and “private networks to internet” flow/direction. There is an encapsulation process to hide the data, so the transferred data appear natural … Read more

Wireshark 101 | Traffic Analysis and Investigation (PART 02)

This entry is part 14 of 17 in the series Incident Response and Forensics

Views: 11Identifying Hosts When investigating a compromise or malware infection activity, a security analyst should know how to identify the hosts on the network apart from IP to MAC address match. One of the best methods is identifying the hosts and users on the network to decide the investigation’s starting point and list the hosts … Read more

Endpoint Detection and Response (EDR) : Lima Charlie (Part 01)

This entry is part 1 of 1 in the series Endpoint Detection and Response (EDR)

Views: 24Introduction to Endpoint Detection and Response (EDR) Endpoint Detection and Response (EDR) is a cybersecurity solution designed to detect, investigate, and respond to threats at the endpoint level. Endpoints include devices like laptops, desktops, servers, and mobile devices that connect to an organization’s network. These are often the primary targets for attackers, making them … Read more

SNORT 101 (Part 03)

This entry is part 13 of 4 in the series Instrusion Detection and Prevention

Views: 32Snort Rules Each rule should have a type of action, protocol, source and destination IP, source and destination port and an option. Remember, Snort is in passive mode by default. So most of the time, we will use Snort as anĀ IDS. We will need to startĀ “inline mode” to turn onĀ IPSĀ mode.Ā  The Snort rule structure … Read more

SNORT 101 (Part 02)

This entry is part 14 of 4 in the series Instrusion Detection and Prevention

Views: 5SNORT in IDS/IPS mode IDS/IPS mode with parameter “-A” There are several alert modes available in snort; Only the “console” and “cmg” parameters provide alert information in the console. It is impossible to identify the difference between the rest of the alert modes via terminal. Differences can be identified by looking at generated logs.  IDS/IPSĀ mode with parameter “-A console” … Read more

Snort 101 (Part 01)

This entry is part 2 of 4 in the series Instrusion Detection and Prevention

Views: 33Intrusion Detection System (IDS) IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event.  There are two main types of IDS systems; Intrusion Prevention System (IPS) IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. … Read more