13reak - Network

I used Game of Active Directory (GOAD) today. There's an extension with Wazuh, so it is also useful for blue teamers.

It is really easy to set up. One command and Wazuh is added:
install_extension wazuh

github.com/Orange-Cyberdefense

5.3.2025 16:16
https://infosec.exchange/@13reak...

https://www.golem.de/news/elon-musk-telekom-chef-will-doge-fuer-europa-2503-193941.html

Well, cheers to that: now the oligarchs are crawling out of their holes here in Europe too. I'd like a new Telekom boss; maybe then we'd finally get fibre in Germany...

5.3.2025 07:06
https://infosec.exchange/@13reak...

How to filter zeek logs:

cat conn.log | zeek-cut <columns> | column -t | less -S

(column and less display the columns aligned and readable)

27.2.2025 12:36
https://infosec.exchange/@13reak...

What don't oligarchs buy? #jamesbond

20.2.2025 21:23
https://infosec.exchange/@13reak...

Anyone ever used https://opendesk.eu/en/ ? Does it work well or is it still a bit buggy? #office #alternative #opensource #foss

18.2.2025 18:10
https://infosec.exchange/@13reak...

I encountered some third party firewall logs recently. Timestamps were in Linux format and requests in hexdump. We knew the IP range of the attackers and that they uploaded a webshell.

grep is an awesome tool for that. Looking for successful (code 200) uploads (POST requests) from IP:

grep -e "666.666.666.... POST 200" firewall.log > attack.txt

To find the script I searched for the longest request since most legitimate requests were rather short. Word count can give us that with -L:

wc -L attack.txt
1337

And let's extract that longest line with grep:

grep -E "^.{1337}$" attack.txt

Hex requests could then be parsed easily with CyberChef's From Hex.

Hope that helps someone! Adjust to your needs. :blobsmile:

10.2.2025 20:53
https://infosec.exchange/@13reak...
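The same grep / wc -L workflow as an added example on a constructed log, not code from the original post. The log format (epoch, client IP, method, status, hex-encoded request), the attacker address 203.0.113.42 and the payloads are assumptions for illustration, and the function names are chosen here. Two details a practitioner would want: unescaped dots in a pattern like `666.666.666....` match any character, so the IP is escaped and anchored to its field, and `{N}` repetition needs `grep -E` (in the default BRE the braces are literal). `wc -L` is GNU coreutils; the hex decoder is plain POSIX sh and stands in for CyberChef's From Hex.

```shell
#!/bin/sh
# Added example, not from the original post: the grep / wc -L workflow on a
# constructed firewall log. The field layout (epoch, client IP, method, status,
# hex-encoded request), the attacker IP 203.0.113.42 and the payloads are all
# assumptions for illustration.

FWLOG="${TMPDIR:-/tmp}/fw_example_$$.log"

# Constructed sample log: one line per request, request body hex-encoded.
cat > "$FWLOG" <<'EOF'
1736539200 198.51.100.7 GET 200 2f696e6465782e68746d6c
1736539260 203.0.113.42 GET 200 2f75706c6f61642e706870
1736539300 203.0.113.42 POST 200 706167653d31
1736539321 203.0.113.42 POST 200 66696c653d73682e706870263c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e
1736539400 203.0.113.42 POST 403 66696c653d782e706870
1736539460 192.0.2.9 POST 200 6c6f67696e3d61
EOF

# Successful POSTs from one IP. The dots are escaped and the match is anchored
# to the field, so 203.0.113.42 cannot also match 1203.0.113.42 or 203x0y113z42.
attacker_posts() {   # $1 = logfile, $2 = attacker IP
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[0-9]+ ${ip_re} POST 200 " "$1"
}

# Length of the longest line (what the post gets from wc -L). tr strips the
# padding some wc builds print in front of the number.
longest_len() { wc -L < "$1" | tr -d ' '; }

# Only the line(s) of that length. -E is needed: in grep's default BRE the
# braces in {N} are literal, so "^.{117}$" would never match.
longest_line() {
    n=$(longest_len "$1")
    grep -E "^.{${n}}$" "$1"
}

# Decode a hex string to text in plain POSIX sh (stand-in for CyberChef's
# "From Hex"). Each byte is emitted through printf's octal escape.
from_hex() {        # $1 = hex string
    hex=$1
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}     # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
    echo
}

# Whole chain: filter, pick the longest request, decode its hex field.
decode_longest_request() {   # $1 = logfile, $2 = attacker IP
    attack="${TMPDIR:-/tmp}/attack_$$.txt"
    attacker_posts "$1" "$2" > "$attack"
    longest_line "$attack" | awk '{print $5}' | while read -r h; do from_hex "$h"; done
    rm -f "$attack"
}

decode_longest_request "$FWLOG" 203.0.113.42
```

On the constructed log the longest successful POST from the attacker decodes to a one-line PHP webshell upload; on real data check the few longest lines rather than only the single longest, since a legitimate file upload can be longer than the shell.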

(sorry, job posting only in German, but still maybe interesting for some)

SEC Consult is looking for a team lead and incident manager in Germany:

sec-consult.com/de/karriere/de

30.1.2025 08:03
https://infosec.exchange/@13reak...

Has anyone here used CalyxOS?

How easy is it to install? Do all apps still work?
(I'm mostly concerned about 2FA banking apps, if they don't work, I have a problem :blobfrown: )

23.1.2025 20:59
https://infosec.exchange/@13reak...

@Daojoan asked what we are going to do about the richest person on earth being a Nazi.

A) I quit X/Twitter (a while ago)
B) I just quit my PayPal
C) I quit Facebook (a while ago)
D) I just quit my proton mail

We're the customers who make these people rich.

23.1.2025 12:35
https://infosec.exchange/@13reak...

Pineapple pizza is not pizza.

And for my British friends: this also counts for banana pizza or similar.
(before some Italians intervene with Nutella pizza: Brits put banana on top of passata and mozzarella 🤌)

23.1.2025 08:15
https://infosec.exchange/@13reak...

Trans-o-flex: collect your parcels yourself.

Trans-o-flex: we make it disappear.

Trans-o-flex: better call the suicide hotline than us.

23.1.2025 08:04
https://infosec.exchange/@13reak...

Seems like there's quite an influx of new users these days. Spike of 1 million in December 2024 / January 2025? :blobgrin:

To the new users: welcome!

21.1.2025 19:51
https://infosec.exchange/@13reak...

Detected a C2 framework in RAM today with velociraptor. Dumped the process memory with velo, created a zignature with radare2.

Never thought I'd ever reach that level...

Blogpost and velo artifact incoming :blobsmile:

20.1.2025 22:50
https://infosec.exchange/@13reak...

The local model took a while but very impressive still. Expected to get better with training and new hardware.

20.1.2025 15:47
https://infosec.exchange/@13reak...

Tried the AI feature of radare2, it's really easy to use.

Setup:

r2pm -r r2ai
> -M # list all AI models
> -m <AI model> # select model
> -w # run

Usage inside R2:

(Go to function)
> decai -d # decompile with AI

20.1.2025 15:45
https://infosec.exchange/@13reak...

New year, new firmware!

Don't forget to update your writeblocker, bring it to a pokémon center and give it some cuddles.

15.1.2025 14:21
https://infosec.exchange/@13reak...

One can see Mars with the naked eye today - even from a city with all the lights turned on!

The little red dot on the lower left in the picture is Mars. (Depending on where you are in the world, it might be somewhere else around the moon)

PS: try binoculars, if you have some.

13.1.2025 19:21
https://infosec.exchange/@13reak...

I noticed today that a lot of people are struggling with antivirus alerts, specifically Microsoft Defender:

1) try to understand the alarm itself and at which point in the attack this would happen: phishing email = early, credential access (especially admin credentials) or suspicious C2 IPs = middle, ransomware/data upload = late.

2) what should be the attacker's previous and next step then? (just look at 1 again: early/middle/late)

3) can you see this previous/next step in the logs? Look especially for evidence of execution. Attackers want to "do" something. Executables, scripts, PowerShell, command line, services, scheduled tasks?

If you cannot see any previous or any next steps, ask yourself if you're blind (are your logs empty? Timeframe not available?) or if there really aren't any. If there aren't any, it's likely a false positive. If there are, escalate.

Happy hunting!

10.1.2025 20:39
https://infosec.exchange/@13reak...
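The three triage questions above as an added example, not code from the original post: for each host with an alert, look for evidence of execution in a window around the alert time and produce one of three verdicts (escalate, likely false positive, or no visibility when nothing at all was logged in the window). The event log is constructed and deliberately simplified to `epoch host event details`; it is not Defender's real alert or event schema. The hostnames, detection name, paths and the `triage` function name are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): the three triage questions as a
# script over a constructed, simplified event log. The format "epoch host event
# details" is an assumption for illustration, not Defender's real schema; the
# hostnames, detection name and paths are placeholders.

EVLOG="${TMPDIR:-/tmp}/events_example_$$.log"
cat > "$EVLOG" <<'EOF'
1736538940 HOST01 EmailDelivered from=billing@example.test subject="Invoice 4711"
1736539000 HOST01 DefenderAlert Trojan:Win32/Placeholder file=C:\Users\bob\Downloads\invoice.zip
1736539012 HOST01 ProcessCreate powershell.exe -nop -w hidden -enc <base64>
1736539030 HOST01 ScheduledTaskCreate \Updater\Check
1736539400 HOST01 NetworkConnect 203.0.113.77:443
1736538900 HOST02 UserLogon alice
1736539000 HOST02 DefenderAlert Trojan:Win32/Placeholder file=C:\Users\alice\Downloads\report.pdf
1736539100 HOST02 FileCreate C:\Users\alice\Documents\notes.txt
1736531000 HOST03 ProcessCreate notepad.exe
1736539000 HOST03 DefenderAlert Trojan:Win32/Placeholder file=C:\Users\eve\tool.exe
EOF

# triage LOG HOST WINDOW_SECONDS
# Steps 2 and 3 of the post: around the alert, look for evidence of execution
# (process, script, service, scheduled task). Prints the matching events and a
# VERDICT line: "escalate", "likely false positive", or "no visibility" when
# nothing at all was logged in the window (are we blind?).
triage() {
    awk -v host="$2" -v win="$3" '
        $2 != host { next }
        $3 == "DefenderAlert" { alert_ts = $1; next }
        { ts[NR] = $1; kind[NR] = $3; line[NR] = $0 }
        END {
            if (alert_ts == "") { print "VERDICT no alert for " host; exit 1 }
            seen = 0; execs = 0
            for (i = 1; i <= NR; i++) {
                if (!(i in ts)) continue
                if (ts[i] < alert_ts - win || ts[i] > alert_ts + win) continue
                seen++
                if (kind[i] ~ /^(ProcessCreate|ScriptBlock|ServiceInstall|ScheduledTaskCreate)$/) {
                    execs++
                    tag = (ts[i] < alert_ts) ? "before alert: " : "after alert:  "
                    print tag line[i]
                }
            }
            if (seen == 0)
                print "VERDICT no visibility: nothing logged within " win "s of the alert, check log coverage and timeframe"
            else if (execs == 0)
                print "VERDICT likely false positive: " seen " nearby events, none show execution"
            else
                print "VERDICT escalate: " execs " execution event(s) within " win "s of the alert"
        }' "$1"
}

for h in HOST01 HOST02 HOST03; do
    echo "== $h"
    triage "$EVLOG" "$h" 600
done
```

The window (600 s here) is the knob: pick it from the stage the alert belongs to, since an early-stage phishing detection needs a look forward while a late-stage ransomware alert needs a look back, and note that the "no visibility" verdict is deliberately separate from "false positive".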

Ivanti vulnerability CVE-2025-0282 is actively being exploited by attackers.

Cases are rising.

Details from Ivanti: ivanti.com/blog/security-updat

10.1.2025 16:45
https://infosec.exchange/@13reak...

Has anyone ever tried Kagi search engine? #searchengine #Kagi

7.1.2025 16:28
https://infosec.exchange/@13reak...