Threat Detection: Detecting a Webserver Attack

This entry is part 1 of 22 in the series Threat Detection Engineering

Views: 55LAB Setup Let’s use the DIWA ( Deliberately Insecure Web Application) vulnerable created by Tim Steufmehl , to setup the victim machine. Prepare a Linux machiine with Docker installed. Follow the these instructions to install Docker on Ubuntu. With the above steps, the DIWA app should be UP and running on the Linux VM. Let’s … Read more

Threat Intelligence for SOC

This entry is part 2 of 22 in the series Threat Detection Engineering

Views: 49Threat Intelligence is the analysis of data and information using tools and techniques to generate meaningful patterns to mitigate against potential risks associated with existing or emerging threats targeting organisations, industries, sectors or governments. There are different classifications of Threat Intelligence, and the primary types of it are: Threat Intelligence Producers Threat Intelligence Producers … Read more

Detection Engineering vs Threat Hunting

This entry is part 3 of 22 in the series Threat Detection Engineering

Views: 30DETECTION ENGINEERING: REINFORCING THE KNOWN Threat detection is the process of identifying threats in an organization that is actively trying to attack the endpoints, networks, devices and systems. Unlike threat hunting, a threat detection is a reactive approach: threat mitigation mechanisms activate only when the organization’s security system receives alerts on potential security breaches. … Read more

Yara 101

This entry is part 4 of 22 in the series Threat Detection Engineering

Views: 22YARA is a powerful pattern-matching tool and rule format used for identifying and classifying files based on specific patterns, characteristics, or content. SOC analysts commonly use YARA rules to detect and classify malware samples, suspicious files, or indicators of compromise (IOCs). Yara is an essential tool used by SOC analysts to enhance their threat detection … Read more

Custom detection rule with the MITRE ATT&CK framework in Splunk

This entry is part 5 of 22 in the series Threat Detection Engineering

Views: 51Let’s walk through a practical example of creating a custom detection rule with the MITRE ATT&CK framework in Splunk. Example:Let’s say we want to create a detection rule for the technique T1566.001 – “Phishing: Spearphishing Attachment” from the MITRE ATT&CK framework. This technique involves targeted phishing attacks where attackers send malicious attachments via email … Read more

Investigate SQLi attacks using Splunk

This entry is part 6 of 22 in the series Threat Detection Engineering

Views: 81Sure! Here are a few Splunk queries that can help detect web application attacks: Note: Replace <your_index> and <your_sourcetype> with the appropriate values from your Splunk environment. Also, make sure you have the corresponding lookup tables (sql_injection_keywords.csv, xss_keywords.csv, etc.) populated with relevant attack patterns. You may need to modify the queries based on your … Read more

Practical Threat Hunting using Elastic SIEM: Hunting for Stuxbot

This entry is part 7 of 22 in the series Threat Detection Engineering

Views: 363Based on the INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC module from HTB-Academy Hunting for Stuxbot The Stuxbot cybercrime group operates with a broad scope, seizing upon opportunities as they arise, without any specific targeting strategy – their motto seems to be anyone, anytime.  The primary motivation behind their actions appears to be espionage … Read more

MITRE Framework

This entry is part 8 of 22 in the series Threat Detection Engineering

Views: 26MITRE ATT&CK Navigator https://mitre-attack.github.io/attack-navigator MITRE D3FEND https://d3fend.mitre.org MITRE ENGAGE MITRE Engage MITRE Engage Matrix ATT&CK Emulation Plans https://mitre-engenuity.org Center of Threat-Informed Defense (CTID) Cyber Analytics Repository https://car.mitre.org

SOC Tools and Useful Links

This entry is part 9 of 22 in the series Threat Detection Engineering

Views: 281- IP & URL Reputation 1. Virus Total : https://www.virustotal.com/gui/home/upload2. URL Scan : https://urlscan.io/3. AbuseIPDB: https://www.abuseipdb.com/4. Cisco Talos: https://www.talosintelligence.com/5. IBM X-Force: https://lnkd.in/gt8iyHE56. URL Filtering(Palo Alto): https://lnkd.in/e4bkm5Eq7. URL Filtering(Symantec): https://lnkd.in/g4qQGsHG8. IP Void: https://www.ipvoid.com/9. URL Void: https://www.urlvoid.com/ 2- File | Hash | Search | Analysis | Sandboxing 1. File Extension >>https://filesec.io/# 2. LOLBAS >>https://lnkd.in/dDa8XgiM 3. GTFOBins >>https://lnkd.in/dRVzVz87 4. File Hash Check >> https://lnkd.in/gNqxtn4d 5. Hash Search … Read more

ELASTIC SIEM: Kibana Query Language (KQL) 

This entry is part 10 of 22 in the series Threat Detection Engineering

Views: 65Different Syntax Languages Kibana supports two types of syntax languages for querying in Kibana: KQL (Kibana Query Language) and Lucene Query Syntax. Special Characters Certain characters are reserved in ELK queries and must be escaped before usage. Reserved characters in ELK include +, -, =, &&, ||, &, | and !. For instance, using the + character in a query will result in an error; to escape this character, precede it with … Read more