incident-analysis – Page 2 – WindowsTechs.com

Incident Management & Monitoring

Posted on August 1, 2021 by HawkerOne

What is the best books for beginners on Incident Management & Monitoring ?
who have especially advice for a beginner?
share me pls

Continue reading Incident Management & Monitoring→

Clonezilla for forensic disk image

Posted on May 12, 2021 by Jack

I was wondering if it’s reasonable and forensically correct to use Clonezilla for the image of an attacked machine.
Since some of the commercial products are very expensive I’m turning to open source solutions.
Provided that:

is an offlin… Continue reading Clonezilla for forensic disk image→

Based on these HTTPS requests what type of attack is this?

Posted on October 7, 2020 by theoneandonly2

I’m seeing over 1000 attempts to hit my API endpoints with many 500 responses. It seems clear that the would-be attacker is attempting to poke around the APIs, but it isn’t clear to me what type of attack they’re attempting. Hoping someone… Continue reading Based on these HTTPS requests what type of attack is this?→

Prevent a bot accessing login page with multiple IPs and massive list of username/ passwords

Posted on August 26, 2020 by contool

For the second time my website seems to be the target of a large automated attack. It seems complex enough and very well executed. I have the following systems in place:

Captcha on 3rd failed login from IP
Account lock for 30 min after 5 … Continue reading Prevent a bot accessing login page with multiple IPs and massive list of username/ passwords→

Could presence of the string "_CONSOLE" in multiple files indicate a hack?

Posted on June 26, 2020 by Mtl Dev

I run a combination of Linux & Windows machines with Dropbox.
Many "selective sync conflicts" occurred, for unknown reasons. Meaning two copies of the same folder appear on dropbox – each copy should be identical.
I will pic… Continue reading Could presence of the string "_CONSOLE" in multiple files indicate a hack?→

Has this PC been hacked? What’s going on?

Posted on May 14, 2020 by Stilez

I’m reasonably technically competent, but I don’t know how to interpret this PC issue. As its a real-world incident, there’s some back-story.

I’m in the UK. The suspect PC runs Win8.1 up to date, used for simple desktop stuff by a family… Continue reading Has this PC been hacked? What’s going on?→

Suspicious calls to testgvbgjbhjb.com

Posted on February 22, 2020 by F.Rahamim

On the last few days, one of our endpoints calls to testgvbgjbhjb.com
the calls came from google chrome outside.

I used TCPView to find suspicious connections and check if there any unknown
extension.

The owner of the domain made it a 1… Continue reading Suspicious calls to testgvbgjbhjb.com→

AlienVault Alert – What is this event saying? [closed]

Posted on January 19, 2020 by Austin Songer

Title: ALA4747 – AV Policy violation, Tor anonymity network usage on 172.30.0.11 (172.30.0.11:64689 -> 8.8.8.8:53)
Extra info:
Source IPs: 172.30.0.11
Source Ports: 64689
Dest. IPs: 8.8.8.8
Dest. Ports: 53
Ticket details
Descripti… Continue reading AlienVault Alert – What is this event saying? [closed]→

Under which conditions can dllhost.exe spawn child process? | MITRE ATT&CK T1191

Posted on June 19, 2019 by pinpwn

I was looking for conditions/circumstances under which Dllhost.exe can spawn a child process. I examined a huge quantity of event logs from various Windows system and didn’t come across any event in which Dllhost.exe spawns a child process… Continue reading Under which conditions can dllhost.exe spawn child process? | MITRE ATT&CK T1191→

Tools for reverse engineering malicious executables?

Posted on April 2, 2019 by Student for Life

Are there any tools that one can reliably use for decompiling malicious executables in order to understand the inner workings of the same? Or any other reliable tool/way to quickly derive the code?

Continue reading Tools for reverse engineering malicious executables?→