Trigger Rule: SOC102 — Proxy — Suspicious URL Detected — EventID: 5 Event Time: Aug. 29, 2020, 10:50 P.M Level: Security Analyst Source Address: 172.16.17.14 Source Hostname: MikeComputer Destination Address: 198.100.45.154 Destination Hostname: qstride.com Username: Mike01 Request URL: http[:]//qstride[.]com/img/0/ User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

SOC112 — Traffic to Blacklisted IP Alert Time: Jan, 31, 2021, 11:02 AM Alert Source IP: 172.16.17.21 Alert URL: http://193.239.147.32/OBBBOP.exe Alert Action: Allowed Event Type: Proxy Before we begin the playbook let’s first gather information about the trigger URL. Since the rule name states that the alert was caused to…

Scenario/Challenge Details An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts. Tools used Wireshark Brim VirusTotal First we need to load the PCAP file into Wireshark…

Overpass is a vulnerable VM hosted on TryHackMe created by NinjaJc01. …

“VulNet: dotjar” is a new CTF challenge hosted in TryHackMe created by TheCyb3rW0lf. It’s a pretty easy box and has got different ways to get root. Scanning the box and Initial recon First we need to discover what services are running and what ports are open. For that we can use nmap Aggressive scanning, that scans…