In this post, I will be conducting a SOC analysis/investigation on an alert generated on a SIEM (using letsdefend.io) to determine if a suspicious attachment in an email […]
Setting up Elastic Defend: this is the EDR (Endpoint Detection and Response), and generating some telemetry. ES > Management > Integrations > Elastic Defend > Add Elastic Defend > Select existing host […]
Investigating the things to look for in a brute-force attack. Go to ES > Security > Alerts. We look to investigate the following when we investigate an alert and […]
Helps keep track of the task at hand, provides an audit trail and accountability. From a SOC perspective, a ticketing system is essential in fulfilling the AAA triad (AAA Framework) […]
Investigating our recent Mythic activity, we return to ES > Discover. Here we search for “svchost-ifebamba.exe”, which is our payload, and get some log information below: we can see […]
Set up Kali Linux on your local system (not cloud). This will be our attack machine for the command-and-control operation. The Mythic server requires a minimum of 2 vCPUs […]
Elasticsearch > Analytics > Maps … then you can compose your query: event.code: 4625 and agent.name: IfeBamba-WINSERVER. Add Layer > Select Choropleth: use the Add layer options as seen in […]
Understanding RDP: used for communication between the Terminal Server and the Terminal Server client; it is encapsulated within TCP and uses port 3389. RDP can be exploited through the exposure of […]
Events generated for our Linux agent are seen below; we have a total of 387 events. In creating our dashboards, we will be focusing on the following fields: We click […]