Collaborate Disseminate
Road to Detection: YARA-L Examples — Part 4 of 3
Upon reading all of Part 1, Part 2 and Part 3 of my blog series that revealed our (Chronicle) approach to detection, many of you asked for more YARA-L detection language examples.
… Continue reading Road to Detection: YARA-L Examples — Part 4 of 3
I am currently developing an IRP that responds to system hacks.
I have attacked the Windows 10 myself (victim machine), using Metasploit on Kali Linux, where I managed to gain access via SSH port 22. From there I have modified file exten… Continue reading What forensics should be collected as part of an incident response plan on Windows 10?
I am in the process of creating an IRP that responds to system hacks.
I have attacked the Windows 10 myself (victim machine), using Metasploit on Kali Linux, where I managed to gain access via SSH port 22. From there I have modified file… Continue reading What forensics should be collected as part of an incident response plan on Windows 10?
In NGFW logs of my customer, I noticed requests to [REDACTED]/wpad.dat being made. Destination domain is registered on an external IP not related to the customer and user agent suggests that Windows AutoProxy is used.
I was able to downlo… Continue reading Why is a host making requests for WPAD file from external location?
We all know David Bianco Pyramid of Pain, a classic from 2013. The focus of this famous visual is on indicators that you “latch onto” in your detection activities. This post will reveal a related mystery connected to SIEM detection evolutio… Continue reading Security Correlation Then and Now: A Sad Truth About SIEM
What are the most common Event ID numbers that help identify a potentially attacked system??
Continue reading Spotting an Intrusion using Windows Event ID – (Windows 10)
I realized my system Ubuntu and windows dual boot might have been compromised. So, I installed OSSEC HIDS to try to look for issues.
When I ran dmesg, i found the following trace:
————[ cut here ]————
[ 3… Continue reading Help in understnading HIDS OSSEC traces
I am in preparation of developing an Incident Response Plan for a computer that has been hacked (no malware installed, just a system hack). My plan is to analyse through Windows Event Viewer to try and detect some unusual beh… Continue reading Alternative routes for Incident Response approach other than Windows Event Viewer?
Just doing some reading surrounding analysing intrusions, I’ve read that Windows Event Logs can be modified by an attacker to cover their tracks, how accurate is this and what are the alternative for a systems analyst?
I am trying to write a manual for the intern on how to deal with some threats. What investigation steps could be done to detect Unusual Port Activity? What kind of logs could be found to ensure that there are unusual activiti… Continue reading how can i detect Unusual Port Activity [on hold]