Incident Response

This entry is part 12 of 4 in the series Digital Forensics and Incident Response

Views: 8Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimizing impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical … Read more

Windows Event Logs

This entry is part 12 of 25 in the series Threat Detection Engineering

Views: 43Understanding Windows Event Logs Each entry in the Windows Event Log is an “Event” and contains the following primary components: Windows logon types and logon codes Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively.  In Windows, there are several … Read more

Wireshark 101 | Packet Operations

This entry is part 9 of 17 in the series Incident Response and Forensics

Views: 7Wireshark: Packet Operations Statistics | Summary This menu provides multiple statistics options ready to investigate to help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and some protocol-specific details like DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to … Read more

ELASTIC SIEM: Kibana Query Language (KQL) 

This entry is part 10 of 25 in the series Threat Detection Engineering

Views: 127Different Syntax Languages Kibana supports two types of syntax languages for querying in Kibana: KQL (Kibana Query Language) and Lucene Query Syntax. Special Characters Certain characters are reserved in ELK queries and must be escaped before usage. Reserved characters in ELK include +, -, =, &&, ||, &, | and !. For instance, using the + character in a query will result in an error; to escape this character, precede it with … Read more

Threat Detection: Detecting a Webserver Attack

This entry is part 1 of 25 in the series Threat Detection Engineering

Views: 67LAB Setup Let’s use the DIWA ( Deliberately Insecure Web Application) vulnerable created by Tim Steufmehl , to setup the victim machine. Prepare a Linux machiine with Docker installed. Follow the these instructions to install Docker on Ubuntu. With the above steps, the DIWA app should be UP and running on the Linux VM. Let’s … Read more

Practical Threat Hunting using Elastic SIEM: Hunting for Stuxbot

This entry is part 7 of 25 in the series Threat Detection Engineering

Views: 543Based on the INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC module from HTB-Academy Hunting for Stuxbot The Stuxbot cybercrime group operates with a broad scope, seizing upon opportunities as they arise, without any specific targeting strategy – their motto seems to be anyone, anytime.  The primary motivation behind their actions appears to be espionage … Read more

Netminer

This entry is part 4 of 17 in the series Incident Response and Forensics

Views: 41NetworkMiner Capability Description Traffic sniffing It can intercept the traffic, sniff it, and collect and log packets that pass through the network. Parsing PCAP files It can parse pcap files and show the content of the packets in detail. Protocol analysis It can identify the used protocols from the parsed pcap file. OS fingerprinting It can identify … Read more