Posts

Showing posts from May, 2025

Phishing Unfolding SIM (SOC Simulator TryHackMe)

Dive into the heat of a live phishing attack as it unfolds within the corporate network. In this high-pressure scenario, your role is to meticulously analyze and document each phase of the breach as it happens. First I let all the alerts come in so I could correlate them together. Start from the CRITICAL ones (0 alerts), then HIGH, MEDIUM and LOW. I checked all the DNS alerts; all of them were false positives, nothing suspicious. For the process alerts you must check in Splunk, and search on Google if you don't know the specific process. I made one mistake with the attachment invoice.pdf.ink: apparently it was a true positive, but I checked the SHA-256 on VirusTotal and found nothing suspicious. I really enjoyed this SIM. Have fun!!

Splunk Medium Level Second Scenario (TryHackMe Benign Scenario)

Hey all, welcome to my walkthrough series on TryHackMe's SOC Level 1 path. This covers the seventh and final room in the module on Security Information and Event Management, where we will come to understand how a SIEM works and get comfortable creating simple and advanced search queries to look for specific answers in the ingested logs.

Imposter Alert: There seems to be an imposter account observed in the logs, what is the name of that user? Answer: Amel1a
Which user from the HR department executed a system process (LOLBIN) to download a payload from a file-sharing host? Answer: haroon
To bypass the security controls, which system process (lolbin) was used to download a payload from the internet? Answer: certutil.exe
What was the date that this binary was executed by the infected host? Format (YYYY-MM-DD). Answer: 2022-03-04
Which third-party site was accessed to download the malicious payload? Answer: controlc.com
What is the name of the file that was saved on the...

Splunk Medium Level (TryHackMe)

This room by TryHackMe explores the process of investigating a compromised web server using the Splunk SIEM. It focuses on analyzing various Windows data sources such as Sysmon, PowerShell, and event logs to identify indicators of compromise (IOCs). By correlating events, analyzing fields, and pivoting on data, anomalies can be detected and the attacker's actions can be reconstructed. This exercise aims to improve log analysis skills for efficient threat detection and response.

SOC Analyst Johny has observed some anomalous behaviours in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created some backdoors. His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC Analyst is to examine the logs and identify the anomalies. On one of the infected hosts, the adversary was...

ARP Spoofing & DNS Sniffing with Kali Linux – Personal Cybersecurity Lab Project

This project demonstrated the fundamental principles of ARP spoofing and passive DNS sniffing. Even though the attacker's IP doesn't show up in traffic logs, the MAC-level manipulation allows full interception of packets, enabling analysis, logging, or further attack stages (e.g., HTTPS interception using mitmproxy).

Lab Setup
Attacker machine: Kali Linux (192.168.0.163)
Victim machine: Windows 10 (192.168.0.164)

Tools Used
bettercap, Wireshark, apache2 server on Splunk

A small piece of advice for your protection: use a VPN for encrypted traffic.

SSH Brute Force Attack

In this project we will learn how to enable port 22 on a Windows machine (the victim), how to run a brute-force attack with "Hydra" to find the password, and afterwards how to detect this type of attack.

Lab Setup
Attacker machine: Kali Linux (192.168.0.163)
Victim machine: Windows 10 (192.168.0.164)

Tools
Hydra, Splunk