SOC Analyst

Windows Event Logs

by
This entry is part 10 of 13 in the series Incident Response and Forensics

Views: 31Windows logon types and logon codes Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively.  In Windows, there are several ways a logon can occur locally, and remotely.  Logon Type Numeric Identifier Description Logon Right Used only by the system … Read more

Wireshark 101 | Traffic Analysis

by
This entry is part 8 of 13 in the series Incident Response and Forensics

Views: 7Wireshark: Traffic Analysis Display Filter Reference Investigating Nmap scans Nmap is an industry-standard tool for mapping networks, identifying live hosts and discovering the services. As it is one of the most used network scanner tools, a security analyst should identify the network patterns created with it. Common Nmap scan types, It is essential to know … Read more

Wireshark 101 | Packet Operations

by
This entry is part 7 of 13 in the series Incident Response and Forensics

Views: 4Wireshark: Packet Operations Statistics | Summary This menu provides multiple statistics options ready to investigate to help users see the big picture in terms of the scope of the traffic, available protocols, endpoints and conversations, and some protocol-specific details like DHCP, DNS and HTTP/2. For a security analyst, it is crucial to know how to … Read more

SOC Tools and Useful Links

by
This entry is part 13 of 23 in the series Threat Detection Engineering

Views: 211- IP & URL Reputation 1. Virus Total : https://www.virustotal.com/gui/home/upload2. URL Scan : https://urlscan.io/3. AbuseIPDB: https://www.abuseipdb.com/4. Cisco Talos: https://www.talosintelligence.com/5. IBM X-Force: https://lnkd.in/gt8iyHE56. URL Filtering(Palo Alto): https://lnkd.in/e4bkm5Eq7. URL Filtering(Symantec): https://lnkd.in/g4qQGsHG8. IP Void: https://www.ipvoid.com/9. URL Void: https://www.urlvoid.com/ 2- File | Hash | Search | Analysis | Sandboxing 1. File Extension >>https://filesec.io/# 2. LOLBAS >>https://lnkd.in/dDa8XgiM 3. GTFOBins >>https://lnkd.in/dRVzVz87 4. File Hash Check >> https://lnkd.in/gNqxtn4d 5. Hash Search … Read more

ELASTIC SIEM: Kibana Query Language (KQL) 

by
This entry is part 13 of 23 in the series Threat Detection Engineering

Views: 46Different Syntax Languages Kibana supports two types of syntax languages for querying in Kibana: KQL (Kibana Query Language) and Lucene Query Syntax. Special Characters Certain characters are reserved in ELK queries and must be escaped before usage. Reserved characters in ELK include +, -, =, &&, ||, &, | and !. For instance, using the + character in a query will result in an error; to escape this character, precede it with … Read more

Threat Detection: Detecting a Webserver Attack

by
This entry is part 1 of 23 in the series Threat Detection Engineering

Views: 47LAB Setup Let’s use the DIWA ( Deliberately Insecure Web Application) vulnerable created by Tim Steufmehl , to setup the victim machine. Prepare a Linux machiine with Docker installed. Follow the these instructions to install Docker on Ubuntu. With the above steps, the DIWA app should be UP and running on the Linux VM. Let’s … Read more