Contents:
- Introduction
- Helpful Links
- Install
- Upgrade
- Uninstall
- The Problem
- The Investigation
- The Solution

Introduction

If you’re on this page you probably don’t need me to explain much about what Sysmon is or why it is an excellent tool for security monitoring. In short:
- It’s part of Microsoft’s Sysinternals Suite
  - So it should play nice with Windows
- It can monitor almost anything that happens on a Windows host
  - So it can detect all the most common MITRE ATT&CKs
- It logs using Windows Event Logs
  - So it’s easy to export to a SIEM etc for analysis

However, if you’ve tried rolling Sysmon out to a large number of machines, and then removing or updating it, you may have experienced some issues.
https://cyberdefenders.org/labs/42
Contents
- Initial Analysis
- Initial Findings
- Manipulating the Logs
- auth.log - sorted by command then time
- auth.log - all unique lines sorted by command (excluding timestamp)
- auth.log - extract commands
- auth.log - extract IPs
- www-access.log - extract IPs
- www-access.log - extract user agents
- Questions
- #1 Which service did the attackers use to gain access to the system?
- #2 What is the operating system version of the targeted system? (one word)
- #3 What is the name of the compromised account
- #4
- #5 Consider that each unique IP represents a different attacker.
https://blueteamlabs.online/home/challenge/7
- Open the file
- Decode the file
- Deobfuscating the script
- Spacing
- Fillers
- Chars
- Variables
- Format Strings
- Replaces
- Splits
- Questions
- What security protocol is being used for the communication with a malicious domain?
- What directory does the obfuscated PowerShell create? (Starting from \HOME)
- What file is being downloaded (full name)?
- What is used to execute the downloaded file?
- What is the domain name of the URI ending in ‘/6F2gd/’
- Based on the analysis of the obfuscated code, what is the name of the malware?
https://cyberdefenders.org/labs/51
Contents
- Tools Used
- 1. Multiple streams contain macros in this document. Provide the number of highest one.
- 2. What event is used to begin the execution of the macros?
- 3. What malware family was this maldoc attempting to drop?
- 4. What stream is responsible for the storage of the base64-encoded string?
- 5. This document contains a user-form. Provide the name?
- 6. This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?
https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz/27266/
Contents:
- Introduction
- Artifacts
- Excel-related
- Executables and DLLs
- Scheduled Task
- Pcaps
- Export objects
- Traffic Summary
- SHAs

Introduction

We’re provided with a .pcap and a bunch of artifacts (files).
The AD, we’re told, is as follows:
- LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255)
- Domain: clockwater.net
- Domain Controller: 192.168.5.5 - Clockwater-DC
- LAN segment gateway: 192.168.5.1
- LAN segment broadcast address: 192.168.5.255

Artifacts

First, let’s inspect the artifacts.
$ find . -type f -exec ls -l -- {} +
242176 Mar 29 23:22 .
Tl;dr

Would I recommend BTL1?
100% yes!
Will it help you get your first job in cyber security?
100% yes!
Is it worth taking if you already work in cyber security?
If you have less than a couple years, it probably is worth it, yes!
Ntl;wr

Background

In 2020 I decided to embark upon a career in cyber security. My background was in electrical engineering and IT sales, among other things, so while I was computer-proficient, I didn’t have specific sysadmin or security skills.
The Linux unzip command unzips files to the same directory as the .zip file, or to a defined one. You can’t batch unzip.
This script unzips all .zip files within a directory in a single command.
If the .zip contains a single file, it is unzipped to the base directory.
If the .zip contains multiple files, it is unzipped to a directory of the same name as the .zip.
The .
Tools and Commands
- nmap
- searchsploit
- python
- netcat

Recon

Start with an nmap scan:
$ sudo nmap -A -oA nmap 10.10.194.158
The only open port is 80, an Apache/2.4.18 web server. View the web page in a browser and we find it’s the default page for FUEL CMS 1.4, which also gives us some basic info about the CMS.
A quick Gobuster scan gives us nothing particularly useful:
$ gobuster dir -u http://10.
The first 23 days are simple bullet points describing how to do the task. Day 24 is a more complete write-up, as it was a more complete challenge!
Table of Contents
- [Day 1] Web Exploitation: A Christmas Crisis [encoding]
- [Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
- [Day 3] Web Exploitation: Christmas Chaos [brute force]
- [Day 4] Web Exploitation: Santas watching [brute force / fuzzing]
- [Day 5] Web Exploitation: Someone stole Santas gift list!
Splunk have several “Boss of the SOC” datasets, simulating a security incident - think of it as a Blue Team/SIEM-based CTF. This is my write-up for BOTSv3, at the time of writing the most recent dataset available. It seems that Taedonggang, a North Korean group, have attacked Frothly, a beer maker…
The official BOTSv3 page is here: https://github.com/splunk/botsv3
I wrote this on Notion, and it is best viewed there, as it is always up-to-date and is visually best.
Which terms are popular in job descriptions? Where are the jobs? Enter your search term and find out.
Click Run ►
Drag the separator between the code and the output to the top to maximise output
In Australia on a working holiday visa? Want to know if the place offering you work is in a regional area? Put in the postcode and find out here. And yes, it’s ugly - it’s a 5 minute GUI built with Flask (my first Flask project!)
View on PythonAnywhere (external link)