Posts

TryHackMe - Elevating Movement (hard level)

While Emily worked on the issue from a local admin account, the threat actor continued the attack. With the entry point secured and Emily's domain credentials stolen, they now wanted to explore opportunities for privilege escalation. Leveraging your knowledge of Windows forensics, can you uncover the elevating movement? All details are in the video. On the last task I connect to the machine with xfreerdp3, transfer the file to the Kali Linux machine and inspect it with pypykatz.

TryHackMe - Initial Access Pot | CTF | (hard level)

This is another challenge for the Blue Team, but the level here is hard. Once the machine starts, we will receive credentials that allow us to dig into the logs directly. By exploring the attacker's footsteps, we will identify which pages of the web application they accessed. Additionally, we have full access to the backend code of the running application once we log in via SSH, so I am not running any directory fuzzing tool. All details are in the video. Thank you for watching.

TryHackMe - Typo Snare Threat Hunter Simulator (medium level)

Threat Hunt Walkthrough

The "Typo Snare" scenario on TryHackMe is a fantastic real-world simulation of a sophisticated, multi-stage attack. It starts with a simple mistake and escalates to a full domain compromise, culminating in ransomware. This post will walk you through the entire attack chain, phase by phase, showing you how to find each piece of evidence using Elastic KQL queries.

Phase 1: Initial Access & Execution

What Happened: The attack began when the user perry.parsons on workstation WKSTN-03 needed a 7-Zip tool. He googled it, clicked a typosquatted link (7zipp.org), and downloaded a trojanized installer. This installer executed a PowerShell script (7z.ps1) directly from the attacker's server to establish the initial foothold.

How to Find It: You are looking for a PowerShell process that was likely spawned by a browser and contains a command to download and execute a script (iwr for Invoke-WebRequest and iex for Invoke-Expression).

KQL Query...

Suricata + Telegram Alerting Integration on Ubuntu Server

This guide explains how to install, configure, and automate Suricata intrusion detection alerts so they are sent directly to Telegram using a simple Bash script. The setup uses the af-packet capture mode and monitors the Suricata eve.json log file for new alerts.

🛠️ 1. Installing Suricata and Dependencies

Start by installing Suricata and the required tools for the notification script:

    sudo apt update
    sudo apt install -y suricata jq curl

Suricata – intrusion detection system
jq – parses JSON logs
curl – sends messages to Telegram via API

⚙️ 2. Configure Suricata (suricata.yaml)

Edit the main configuration file:

    sudo nano /etc/suricata/suricata.yaml

Replace its content (or relevant parts) with the minimal working configuration below:

    %YAML 1.1
    ---
    # ===============================
    # Suricata minimal config
    # ===============================
    vars:
      address-groups:
        HOME_NET: "[192.168.0.0/16]"
        EXTERNAL_NET: "!$HOME_NET"
      port-groups:
        HTTP_PORT...

TryHackMe challenge Block (medium level)

One of your junior system administrators forgot to deactivate two accounts from a pair of recently fired employees. We believe these employees used the credentials they were given in order to access some of the many private files from our server, but we need concrete proof. The junior system administrator only has a small network capture of the incident and a memory dump of the Local Security Authority Subsystem Service process. Fortunately for your company, that is all you need.

The step required to decrypt the captured packet file (with ChatGPT help):

    import hashlib
    import hmac
    import argparse

    # stolen from impacket. Thank you all for your wonderful contributions to the community
    try:
        from Cryptodome.Cipher import ARC4
        from Cryptodome.Cipher import DES
        from Cryptodome.Hash import MD4
    except Exception:
        print("Warning: You don't have any crypto installed. You need pycryptodomex")
        print("See https://pypi.org/project...