indicator-of-compromise – Page 3

Help with this hash practice question [closed]

Posted on July 3, 2020 by muchievil

I come across this question and I am unable to understand why the answer is the third hash (3:30) under the /boot/ section. What exactly is the giveaway?
https://comptiaexamtest.com/Security+SY0-501/comptia-security-exam-practice-questions… Continue reading Help with this hash practice question [closed]→

In Splunk Enterprise Security Intelligence Downloads portion, what exactly does the "Fields" portion mean?

Posted on May 28, 2020 by trallgorm

Trying to configure a download of MISP IoCs in Splunk ES, under Intelligence Downloads. It’s working for IPs but I can’t figure out how to tell Splunk that the feed contains more than just IPs, for example domains and hashes. From the docu… Continue reading In Splunk Enterprise Security Intelligence Downloads portion, what exactly does the "Fields" portion mean?→

How can I add a MISP STIX feed to LogRhythm?

Posted on April 23, 2020 by trallgorm

I have a MISP server set up. I then use a REST API endpoint to get a STIX feed from that server. This portion appears to be working fine. I then try to add that STIX feed to LogRhythms Threat Intelligence Service manager. It tells me that … Continue reading How can I add a MISP STIX feed to LogRhythm?→

Pipelining VT Intelligence searches and sandbox report lookups via APIv3 to automatically generate indicators of compromise

Posted on November 6, 2019 by Emiliano Martinez

TL;DR: VirusTotal APIv3 includes an endpoint to retrieve all the dynamic analysis reports for a given file. This article showcases programmatic retrieval of sandbox behaviour reports in order to produce indicators of compromise that you can use to pow… Continue reading Pipelining VT Intelligence searches and sandbox report lookups via APIv3 to automatically generate indicators of compromise→

Logged in with a hacker’s email address

Posted on September 30, 2019 by Richard Rich Steinmetz

I have an active account at ebay-kleinanzeigen.de (like Craigslist in the US).

Today I got a valid email from them that my email address was changed.

On my mac, I opened up my ebay-kleinanzeigen account in my Chrome brows… Continue reading Logged in with a hacker’s email address→

Refurbished Samsung Galaxy Watch – check for compromise

Posted on July 7, 2019 by TheHansinator

I recently purchased a refurbished Samsung Galaxy Watch off Amazon through a third-party seller. Now, a few hours later, it occurs to me that it is possible that the previous owner could have rooted the device and that the re… Continue reading Refurbished Samsung Galaxy Watch – check for compromise→

Threat Hunting Observations : Basic Scoring Jupyter Notebook for Running processes on Windows Operating Systems

Posted on January 18, 2019 by Hilo21

I am trying to create a scoring Jupyter Notebook created for Windows Processes and I was wondering about what information would I exactly need to generate a basic Score for each process running on a Windows Machine.

For the… Continue reading Threat Hunting Observations : Basic Scoring Jupyter Notebook for Running processes on Windows Operating Systems→

Indicator of Compromise effective periods

Posted on September 4, 2018 by Lester T.

How long should IOCs be monitored? Are there best practices or other reasonings?

I would think monitoring IOCs indefinitely is not ideal. Perhaps 90 days would suffice?

Continue reading Indicator of Compromise effective periods→