DETECT

Windows Event Logs

by
This entry is part 10 of 13 in the series Incident Response and Forensics

Views: 15Windows logon types and logon codes Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively.  In Windows, there are several ways a logon can occur locally, and remotely.  Logon Type Numeric Identifier Description Logon Right Used only by the system … Read more

Wireshark 101 | Packet Operations

by
This entry is part 7 of 13 in the series Incident Response and Forensics

Views: 3Wireshark: Packet Operations Statistics | Summary This menu provides multiple statistics options ready to investigate to help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and some protocol-specific details like DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to … Read more

ELASTIC SIEM: Kibana Query Language (KQL) 

by
This entry is part 13 of 17 in the series Threat Detection Engineering

Views: 27Different Syntax Languages Kibana supports two types of syntax languages for querying in Kibana: KQL (Kibana Query Language) and Lucene Query Syntax. Special Characters Certain characters are reserved in ELK queries and must be escaped before usage. Reserved characters in ELK include +, -, =, &&, ||, &, | and !. For instance, using the + character in a query will result in an error; to escape this character, precede it with … Read more

Adversary emulation with Caldera and Wazuh: Part 02

by
This entry is part 2 of 5 in the series Wazuh - SIEM and XDR

Views: 21 Deploy Agents on Linux machines 2 Windows and 1 Linux agents Configure sysmon We configure the agent to capture Sysmon events by adding the following settings to the agent configuration file in “C:\Program Files (x86)\ossec-agent\ossec.conf” Restart the Wazh agent after modifying the agent configuration file. Detection using Wazuh The attacks against the Linux agent … Read more

Snort 101

by

Views: 13Intrusion Detection System (IDS) IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event.  There are two main types of IDS systems; Intrusion Prevention System (IPS) IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. … Read more

Netminer

by
This entry is part 4 of 13 in the series Incident Response and Forensics

Views: 13NetworkMiner Capability Description Traffic sniffing It can intercept the traffic, sniff it, and collect and log packets that pass through the network. Parsing PCAP files It can parse pcap files and show the content of the packets in detail. Protocol analysis It can identify the used protocols from the parsed pcap file. OS fingerprinting It can identify … Read more

Introduction to Network Forensics

by
This entry is part 3 of 13 in the series Incident Response and Forensics

Views: 18Source: Tryhackme Networkminer room Introduction to Network Forensics Network Forensics is a specific subdomain of the Forensics domain, and it focuses on network traffic investigation. Network Forensics discipline covers the work done to access information transmitted by listening and investigating live and recorded traffic, gathering evidence/artefacts and understanding potential problems.  The investigation tries to … Read more