Windows Security Log Quick Reference

This entry is part 20 of 25 in the series Threat Detection Engineering

Views: 3🛡️ For Cybersecurity Defensive Operations and IR/Threat Hunting 🔐 Authentication Events 🗝️ Account Management Events 📂 Object Access Events ✅ Note: Requires enabling object auditing via GPO and SACLs. 🧰 Privilege Use and Logon Types PRO Tip: Use Logon Type + Event 4624/4625 to spot RDP logins, scheduled tasks, or lateral movement attempts. ⚙️ … Read more

Wireshark 101 | Traffic Analysis and Investigation (PART 01)

This entry is part 10 of 17 in the series Incident Response and Forensics

Views: 20Wireshark: Traffic Analysis Display Filter Reference Investigating Nmap scans Nmap is an industry-standard tool for mapping networks, identifying live hosts and discovering the services. As it is one of the most used network scanner tools, a security analyst should identify the network patterns created with it. Common Nmap scan types, It is essential to know … Read more

Snort 101 (Part 01)

This entry is part 2 of 4 in the series Instrusion Detection and Prevention

Views: 33Intrusion Detection System (IDS) IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event.  There are two main types of IDS systems; Intrusion Prevention System (IPS) IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. … Read more

Operationalizing Security: CALDERA Meets WAZUH (PART II)

This entry is part 2 of 17 in the series Red Team Engagements

Views: 234Adversary emulation with Caldera and Wazuh Please visit here to read PART I of this series, which explains the Caldera setup and Windows agent installation. Agent setup Deploy Agents on Linux machines Now, the lab consists of 2 Windows victims and 1 Linux victim, as reported by Caldera below. Configure Sysmon on Windows victims … Read more

(TryHackMe) Servidae: Log Analysis in ELK

This entry is part 1 of 4 in the series TryHackMe

Views: 812Link to the TryHackMe Room; https://tryhackme.com/r/room/servidae Room Objectives: In this room, we will analyze the log data from a compromised workstation using the Kibana interface. Within this room’s tasks, we will explore the components of the Elastic (ELK) Stack and gain insights into the various search and filter functions available in Kibana. Our ultimate … Read more

Threat Detection Engineering

TD_003
This entry is part 18 of 25 in the series Threat Detection Engineering

Views: 20Threat Detection Engineering (TDE) involves designing, implementing, and refining security measures to identify and respond to threats. Here are some key topics and domains covered under TDE: These areas are essential in building a robust threat detection engineering program that keeps up with evolving threats.

Splunk SIEM: Exploring SPL

This entry is part 16 of 25 in the series Threat Detection Engineering

Views: 34Splunk Search & Reporting App Overview The Search & Reporting App is the primary interface on Splunk’s Home page used for searching and analyzing data. This app provides several essential functionalities to enhance the search experience for analysts. Search & Reporting App is the default interface used to search and analyze the data on the Splunk Home … Read more

Threat Intelligence with MISP: Part 1 – Setting up MISP with Docker

This entry is part 15 of 25 in the series Threat Detection Engineering

Views: 923Step-by-Step Guide to Install MISP Using Docker on Ubuntu In this guide, we will walk through the steps to install the MISP (Malware Information Sharing Platform) using Docker on an Ubuntu server. Prerequisites Before we begin, make sure your system meets the following requirements: Step 1: Update Your Server and Install Docker First, ensure … Read more

Code Obfuscation and Deobfuscation

IR_002
This entry is part 13 of 17 in the series Incident Response and Forensics

Views: 63Code Obfuscation is a technique used to make a script more difficult to read by humans but allows it to function the same from a technical point of view, though performance may be slower. This is usually achieved automatically by using an obfuscation tool, which takes code as an input, and attempts to re-write … Read more