Threat Intelligence with MISP: Part 1 – Setting up MISP with Docker

This entry is part 15 of 22 in the series Threat Detection Engineering

Step-by-Step Guide to Install MISP Using Docker on Ubuntu. In this guide, we walk through the steps to install MISP (Malware Information Sharing Platform) using Docker on an Ubuntu server. Prerequisites: before we begin, make sure your system meets the following requirements. Step 1: Update Your Server and Install Docker. First, ensure …

Yara

This entry is part 14 of 22 in the series Threat Detection Engineering

“The pattern matching swiss knife for malware researchers (and everyone else)”

Useful YARA resources: various GitHub repositories provide a wealth of YARA examples, for instance https://github.com/Yara-Rules/rules/tree/master/malware and https://github.com/mikesxrs/Open-Source-YARA-rules/tree/master. Useful YARA rule repositories: The DFIR Report shares YARA rules derived from their investigations at https://github.com/The-DFIR-Report/Yara-Rules. YARA in a nutshell: YARA is a tool aimed at (but not limited …

Windows Event Logs

This entry is part 12 of 22 in the series Threat Detection Engineering

Understanding Windows Event Logs. Each entry in the Windows Event Log is an “Event” and contains the following primary components: … Windows logon types and logon codes: events with IDs 4624 and 4625 are generated every time there is a successful or a failed logon on a local computer, respectively. In Windows, there are several …
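The two event IDs named above are only useful once they are correlated. The following is an added example, not code from the original post: it walks a list of constructed 4624/4625 records (simplified dictionaries standing in for the EventData fields an agent would ship), maps the LogonType code to its documented name, and flags a source that reaches a threshold of failed logons for an account and then succeeds against it, which is the classic brute-force-then-success pattern. The sample events, user names and addresses are all constructed for the demonstration.

```python
"""Correlate constructed Windows Security events 4624 (success) and 4625 (failure).

Added example for this series entry; not from the original post. The events below are
constructed, not real logs, and use only the EventData fields needed here.
"""
from collections import defaultdict

# LogonType codes as documented for events 4624/4625.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample events, in the order they were logged.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 10},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "-", "LogonType": 5},
]


def logon_type_name(code):
    """Human-readable name for a LogonType code; unknown codes are kept visible."""
    return LOGON_TYPES.get(code, f"Unknown({code})")


def count_outcomes(events):
    """Return {(user, source_ip): {"success": n, "failure": m}} over 4624/4625 events."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        key = (ev["TargetUserName"], ev["IpAddress"])
        if ev["EventID"] == 4624:
            counts[key]["success"] += 1
        elif ev["EventID"] == 4625:
            counts[key]["failure"] += 1
    return dict(counts)


def brute_force_success(events, threshold=5):
    """Flag (user, source) pairs with >= threshold consecutive failures followed by a success.

    The failure counter is reset on every success so only a streak that ends in a
    successful logon is reported, not historical noise.
    """
    failures = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["TargetUserName"], ev["IpAddress"])
        if ev["EventID"] == 4625:
            failures[key] += 1
        elif ev["EventID"] == 4624:
            if failures[key] >= threshold:
                hits.append({
                    "user": key[0],
                    "source": key[1],
                    "failures_before_success": failures[key],
                    "logon_type": logon_type_name(ev["LogonType"]),
                })
            failures[key] = 0
    return hits


def remote_interactive_logons(events):
    """Users with a successful RemoteInteractive (RDP, LogonType 10) logon."""
    return [ev["TargetUserName"] for ev in events
            if ev["EventID"] == 4624 and ev["LogonType"] == 10]


if __name__ == "__main__":
    for hit in brute_force_success(SAMPLE_EVENTS):
        print(hit)
```

The threshold and the per-(user, source) keying are the two knobs a detection engineer tunes: keying on the source address alone catches password spraying across many accounts, while keying on the account alone catches distributed guessing against one user.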

Wireshark 101 | Packet Operations

This entry is part 9 of 17 in the series Incident Response and Forensics

Wireshark: Packet Operations. Statistics | Summary: this menu provides multiple statistics options ready to investigate, helping users see the big picture in terms of the scope of the traffic, the available protocols, endpoints and conversations, and some protocol-specific details like DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to …

ELASTIC SIEM: Kibana Query Language (KQL) 

This entry is part 10 of 22 in the series Threat Detection Engineering

Different Syntax Languages. Kibana supports two syntax languages for querying: KQL (Kibana Query Language) and Lucene Query Syntax. Special Characters. Certain characters are reserved in ELK queries and must be escaped before use. Reserved characters include +, -, =, &&, ||, &, | and !. For instance, using the + character unescaped in a query will result in an error; to escape it, precede it with …
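Escaping matters most when a search is built from a value you did not type yourself, such as a user name or file path pulled from an alert. The following is an added example, not code from the original post: it escapes the reserved characters listed above, and the wider set the Lucene query-parser syntax documents (`+ - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /`), by prefixing each with a backslash, and separately shows the quoted form for KQL, where wrapping a value in double quotes disables operators and only the quote and backslash characters themselves need escaping. The field names and sample values are constructed for the demonstration.

```python
"""Escape reserved characters before interpolating values into Kibana queries.

Added example for this series entry; not from the original post. The reserved set is
taken from the Lucene query-parser syntax; the two-character operators && and || are
covered by escaping each '&' and '|' individually.
"""

LUCENE_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')


def escape_lucene(value):
    """Prefix every reserved character with a backslash so it is matched literally."""
    return "".join("\\" + ch if ch in LUCENE_RESERVED else ch for ch in value)


def lucene_term(field, value):
    """Build a field:value clause for Lucene syntax with the value escaped."""
    return f"{field}:{escape_lucene(value)}"


def kql_quoted(value):
    """Quote a value for KQL; inside double quotes only backslash and quote are special."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def kql_term(field, value):
    """Build a field:"value" clause for KQL with the value quoted and escaped."""
    return f"{field}:{kql_quoted(value)}"


if __name__ == "__main__":
    # Constructed values of the kind that break an unescaped query.
    print(lucene_term("process.command_line", "net user /add && whoami"))
    print(kql_term("file.path", 'C:\\Users\\alice\\"notes".txt'))
```

Escape at the boundary where the value enters the query string, not earlier: double-escaping a value that is later quoted produces a search for literal backslashes and silently returns nothing.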

NetworkMiner

This entry is part 4 of 17 in the series Incident Response and Forensics

NetworkMiner capabilities:

Traffic sniffing: it can intercept traffic, sniff it, and collect and log the packets that pass through the network.

Parsing PCAP files: it can parse pcap files and show the content of the packets in detail.

Protocol analysis: it can identify the protocols used from the parsed pcap file.

OS fingerprinting: it can identify …