Collaborate Disseminate
I received this Logwatch report:
Connection attempts using mod_proxy:
xx.xx.xxx.xx -> codeforces.com:443: 1 Time(s)
A total of 2 possible successful probes were detected (the following URLs
contain strings that match one or mor… Continue reading Can anyone provide any advice on this Logwatch analysis?
I have an assignment in which I have three logs from a network. One for control, from which I can define a typical behaviour pattern, one in which I have strange behaviour from accesses within the network, and a third one from accesses out… Continue reading How to analyze anomalous behavior in network having network log?
I recently learned about such a tool as Invoke-Phant0m, this tool has several implementations, one of which is a PowerShell script.
The Invoke-Phant0m.ps1 script is a PowerShell script that uses WMI (Windows Management Instrumentation) tec… Continue reading How to track thread termination if Invoke-Phant0m terminates a thread with no trace in Sysmon?
My server was attacked recently and while going through the logs I found this payload
0x160x030x010x000xee0x010x000x000xea0x030x036{0xd80x12:R0xb3c0x86Ss0xbdI0xf50xc90xc6;.3Q0xf0O0x0e0xd50x880xcc0xe4)0x8bJ+0xe4
0x160x030x010x010x070x010x0… Continue reading What does this payload mean? [closed]
I have found out that a strangers printer had been connected to my localhost:631. How do I use Lynis to retrieve any possible information about it’s interactions with my computer from system logs? Is it even possible?
Are there any other s… Continue reading Can you use Lynis to retrieve data on connected printers from the system logs? [closed]
As per Microsoft documentation, event id 4723 should be generated if a user changed his own password, however upon testing in the lab, 4724 is generated instead, 4724 should be generated if adminstrators change a users password, Anyone kn… Continue reading Windows event ID 4724 generated for password change [migrated]
I had a security engineer analyze a packet capture from my machine.
About five IPs were used in an attack. It was the only IP (6) that was detected multiple times by VirusTotal.
The IP is 209.197.3.8. Four months ago, this IP was a Microso… Continue reading Is it possible to attack using a CDN as a cover?
A security engineer told me that my computer must have a trojan horse, but it has not been found yet.
The security engineer captured and analyzed traffic pcap files with Wireshark, and said that there was a problem in the pcap file.
The se… Continue reading Does wireshark detect all unauthorized access?
In our SIEM, I saw the following event below.
From the image above here is what I’m observing:
Successful login noted via eventid 4624
Username used to login was Anonymous logon as indicated by SID S-1-5-7
The redacted Ip address in this… Continue reading Windows Event ID 4624 with Anonymous Logon. Is it safe?
I found this log on my VIVO router:
May 2 13:06:43
PowerBoxGVT
warn
kernel
nf_conntrack_sip: expect_rtp 0.0.0.0:0->74.50.90.134:8000 109
This IP address is reported on abuseipdb. So it is a dangerous IP address. But my worry is if my … Continue reading what means this log in my router nf_conntrack_sip: expect_rtp [closed]