Eero Nevaluoto

BTLO - Network Analysis – Web Shell - Write-Up

Scenario The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this a...

LetsDefend - SOC167 - LS Command Detected in Requested URL - Write-Up

This time we have a quick alert (oops, did I already give away the final answer?) to check out, so without any further ado, let’s get defending. Understand Why the Alert Was Triggered The SIEM a...

TryHackMe - Overpass 2 - Hacked - Write-Up

Overpass 2 - Hacked is a great blue team room on TryHackMe, and in this write-up we’re going to dig into clearing it and answering all the questions the room throws at us. Forensics - Analyse the ...

LetsDefend - SOC143 - Password Stealer Detected - Write-Up

In SOC143 we’re informed of a potential password stealing file having been detected in the email system, so let’s get to the bottom of this. Alert The SIEM alert we receive includes all the relev...

LetsDefend - SOC146 - Phishing Mail Detected - Excel 4.0 Macros - Write-Up

The following write-up covers the SOC146 - Phishing Mail Detected - Excel 4.0 Macros task on LetsDefend. Alert We receive an alert that a phishing attack has been detected, and that it carries a...

LetsDefend - SOC170 - Passwd Found in Requested URL - Possible LFI Attack - Write-Up

This time we have a quick little task to deal with in the form of someone possibly trying to access the passwd file on a webhost with a local file inclusion attack technique. So let’s start our pla...

LetsDefend - SOC147 - SSH Scan Activity - Write-Up

In this event we’re tasked with investigating an alert relating to the rule SOC147 - SSH Scan Activity stemming from hostname PentestMachine using the IP address of 172.16.20.5. SIEM has caught a f...

LetsDefend - SOC163 - Suspicious Certutil.exe Usage - Write-Up

In this alert we’re tasked with investigating suspicious usage of the Certutil executable on the “EricProd” host. Event type is marked as LOLBin (Living-off-the-land binary), a Microsoft-signed leg...

Hello World!

This is just a sample post for myself to know that it’s alive and working as intended.