Network Traffic Analysis using ZEEK and RITA

August 3, 2023 0 Comments

This is another lab while taking the “intro to SOC” class offered by antisyphon training. The goal of the lab is to be able to detect C2 activity on a given network using a free tool developed by BHIS called RITA. Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication …

Memory Analysis

August 2, 2023 0 Comments

I am going to do a lab offered by Anti-Syphon training through their “intro to SOC” class: The tool I am going to use in this lab is Volatility and I am going to use it to analyse a memory dump of a compromised system. The first step is to extract the dump file: I …

Windows CLI

July 28, 2023 0 Comments

Following my post regarding Windows critical processes and the use of GUI tools like Task Manager, I am going to explore in this post the command-line equivalent of obtaining information about the running processes on a Windows system with commands like tasklist, Get-Process or ps (PowerShell), and wmic. To do this, I am going to do a lab offered by …

Core Windows processes

July 27, 2023 0 Comments

The goal of this article is to gain an understanding of the fundamental processes within a Windows operating system and familiarize myself with its standard behaviour. This essential knowledge will enable me to recognize any potentially harmful processes running on an endpoint. I will use three different tools to do this: Task Manager, Process Explorer …

Setting up a home lab (part 4)

July 26, 2023 0 Comments

Blocking Attacks: In the last part we learned how to create custom detection rules to pinpoint the moment a threat occurs on our Windows system. Wouldn’t it be even better if we could actively block the threat instead of merely generating an alert? This is what we are going to cover in this article. Before …

Setting up a home lab (part 3)

July 26, 2023 0 Comments

Let’s go back to our Sliver C2 session from Part 2 and perform some suspicious activities that we should be capable of detecting. Let’s carry out an action that adversaries commonly employ to steal credentials from a system – dumping the lsass.exe process from memory. Attackers often employ this technique because the LSASS process can …

Setting up a home lab (Part 2)

July 24, 2023 0 Comments

In part 1, I successfully set up two VMs for my lab: an attacker (Ubuntu VM) and a victim (Windows VM). In this part, I am going to start with setting up Sysmon and LimaCharlie on my Windows VM so that I can have telemetry on the Windows VM endpoint of all sorts of interesting …

Setting up a home lab (Part 1)

July 22, 2023 0 Comments

The goal of this post is to set up two VMs: a Windows VM that will be the victim system and an Ubuntu VM that will be the attacker in my home lab. To set up this environment, I am going to follow the steps given in this blog post: https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro?sd=pf: I start by downloading …

Analyzing network traffic with TCPdump

July 20, 2023 0 Comments

TCPdump is a powerful command-line network packet analyzer tool used for capturing and analyzing network traffic in real-time. It is available on various Unix-like operating systems. TCPdump allows you to inspect the packets transmitted and received over a network interface, which can help in troubleshooting network issues, monitoring network activity, and security analysis. Project goal: …

Create your own self-hosted website

July 5, 2023 0 Comments

To set up my cybersecurity projects portfolio, I needed to create a website and find a cost-effective way to make it accessible online. Rather than outsourcing the task, I saw this as an opportunity to learn and take on the challenge myself. Additionally, I wanted to share my experience with others who might be interested …