Analyzing a PCAP and Linux auth.log to investigate HTTP, RDP, and SSH brute-force activity, identifying successful credential compromise, and quantifying failed login attempts.
Investigating a malicious DOCM download attempt, validating the file hash via VirusTotal, confirming no execution or C2 communication occurred, and verifying the threat was successfully blocked before impact.
Investigating a threat intelligence alert triggered by a bit.ly URL, expanding the shortened link to its final destination, validating reputation across VirusTotal, and confirming the traffic was legitimate mobile application activity before closing as a false positive.
Investigating a threat intelligence alert tied to a known malicious URL, validating indicators across external and internal TI sources, correlating proxy and endpoint logs, and determining the activity was part of an authorized internal firewall test.
Investigating a threat intelligence alert after a server connected to a flagged URL, validating the IP, domain, and repository source, confirming legitimate GitHub activity, and closing the case as a false positive.
Investigating a threat intelligence alert after an endpoint connected to a known malicious domain, correlating firewall logs to a macro-enabled Excel file execution, validating the malware through VirusTotal, and initiating containment following confirmed C2 communication.
Analyzing an SMTP PCAP to identify leaked credentials, decode Base64 authentication data, extract and reconstruct an email attachment from network traffic, and verify file integrity through hashing.
Investigating a suspicious Excel macro alert after a malicious XLSM file executed on an endpoint, validating malware through VirusTotal and Hybrid Analysis, correlating outbound encrypted traffic to a confirmed C2 server, and initiating containment following confirmed compromise.
Analyzing raw Apache access logs with Bash tools to identify reconnaissance with Nikto, forced browsing, successful login brute-force activity, and command injection leading to account creation on the target system.
Analyzing a PCAP file to identify HTTP GET requests, enumerate server and client details from HTTP headers, and decode Basic Authentication credentials using Wireshark and CyberChef.
Investigating a suspected local file inclusion alert after a directory traversal attempt targeted /etc/passwd, reviewing SIEM HTTP logs, and confirming the attack failed based on a 500 server response with no returned content.
Investigating an IDOR alert after repeated POST requests incremented a user ID parameter, reviewing HTTP logs and response behavior, and confirming successful data exposure based on varying response sizes and consistent 200 status codes before escalating the case.
Investigating a command injection alert after POST requests containing system commands targeted a web endpoint, validating attacker IP reputation and analyzing HTTP response behavior, confirming successful command execution through response size variation, and initiating containment and escalation due to a confirmed web shell.
Investigating a command injection alert after a URL triggered on the string “ls”, reviewing SIEM logs and threat intelligence data, and determining the activity was normal user browsing traffic that resulted in a false positive.
Investigating an XSS alert after multiple JavaScript payloads were sent to a web application, validating the attacker IP reputation and reviewing HTTP response behavior, and confirming the attempts failed based on consistent 302 redirects and clean endpoint verification.
Investigating a SQL injection alert after repeated crafted payloads targeted a web server, decoding and validating the requests through log analysis, reviewing source IP reputation across multiple threat intelligence sources, and confirming the attack was unsuccessful based on server responses and endpoint verification.
Analyzing a suspicious PayPal-themed email by reviewing headers, identifying a deceptive return path, extracting a URL hosted on a trusted platform, validating domain reputation, and confirming phishing activity leveraging living-off-trusted-sites techniques.
Investigating a phishing URL alert after an endpoint connected to a malicious domain, validating reputation across multiple threat intelligence sources, identifying anomalous EDR logging, and initiating containment due to potential compromise.
Investigating a blocked phishing email with a malicious password-protected attachment, validating indicators through VirusTotal, Talos Intelligence, AbuseIPDB, and Hybrid Analysis, and confirming a true positive without endpoint impact.
Investigating an internal phishing detection, reviewing email details, validating absence of attachments or malicious content, and determining a false positive.
Investigating a malicious email attachment, validating malware in VirusTotal, identifying C2 communication in logs, deleting the phishing email, and initiating endpoint containment.
Investigating a malware detection alert, analyzing a phishing email with malicious Excel attachment, validating indicators in VirusTotal, confirming C2 communication, and initiating endpoint containment.
Analyzing Shellshock attack activity in a PCAP file using Wireshark, identifying the target server details and the injected command.
Analyzing port scan activity in a PCAP file using Wireshark, identifying the scanning host, discovered systems, and network indicators.
Analyzing malicious Office documents exploiting MSHTML (CVE-2021-40444), using oletools to extract indicators, identify malicious domains and IPs, and investigate document-based exploitation.
Analyzing a malicious Excel 4.0 (XLM) macro document using XLMMacroDeobfuscator and oletools to identify process execution, regsvr32 abuse, and DLL payload behavior.
Analyzing a malicious Word document using VirusTotal to identify RTF exploit behavior, CVE-2017-11882 abuse, payload delivery, and network communication.
Analyzing a malicious XLS file using VirusTotal to identify detection signatures, dropped files, spyware download URLs, and file intelligence indicators.
Analyzing a malicious VBA macro document, decoding obfuscated hex strings, identifying payload delivery, and investigating HTTP communication and WMI execution techniques.
Analyzing a Sigma rule for detecting bitsadmin.exe abuse, explaining rule structure, detection logic, and ransomware-related process_creation monitoring.
Investigating a malware detection alert, validating the WinRAR installer hash using VirusTotal and Hybrid Analysis, reviewing SIEM logs, and determining a false positive.
Investigating a deceptive email alert, analyzing a malicious ZIP attachment in VirusTotal, identifying C2 communication, correlating SIEM logs, and initiating endpoint containment.
Investigating a true positive malware detection alert, validating Avaddon ransomware via VirusTotal and Hybrid Analysis, identifying EDR removal, and initiating endpoint containment from a SOC analyst perspective.
Investigating an Emotet malware detection alert, validating the hash in VirusTotal, reviewing SIEM and endpoint logs, and confirming a true positive successfully quarantined by EDR.
Investigating a malware detection alert, confirming Maze ransomware via VirusTotal and Hybrid Analysis, identifying C2 communication, and initiating containment.
Investigating a malicious executable detection alert, validating URL, domain, and IP reputation using VirusTotal and log analysis, and determining a false positive.
Investigating a malware detection alert, validating file reputation in VirusTotal, reviewing endpoint and log data, and determining a false positive.