Questions tagged [incident-analysis]
Analyzing what caused an event to be flagged as an incident
35 questions
1 vote
0 answers
160 views
Is someone accessing my win10 computer?
I have been wondering if someone is accessing my system and, after using some basic assessment tools like netstat and Event Viewer, found some unusual open ports (12345) and a special Logon! below ...
1 vote
1 answer
604 views
Repeated DUP ACK and RST to same TCP SEQ and ACK
I started noticing this behaviour for more than a month. Whenever I connect my laptop to the WiFi router there are lots of RST and DUP ACKs up to the same TCP sequence, as given in the example below, ...
0 votes
1 answer
428 views
How to secure Laravel website against the ongoing massive exploitation
My website built upon Laravel is currently under attack. Only the index.php file was changed, and by that I mean that every line of code is inserted above the original Laravel code. So this code ...
0 votes
2 answers
621 views
Why are there so many special characters in this phishing link?
I recently looked at a spam mail I received. Generally, I'd say it was a fairly standard phishing attempt, but one thing struck me as odd: The link that victims are supposed to click looks very weird ...
1 vote
2 answers
2k views
Clonezilla for forensic disk image
I was wondering if it's reasonable and forensically correct to use Clonezilla for the image of an attacked machine. Since some of the commercial products are very expensive I'm turning to open source ...
2 votes
1 answer
442 views
Based on these HTTPS requests what type of attack is this?
I'm seeing over 1000 attempts to hit my API endpoints with many 500 responses. It seems clear that the would-be attacker is attempting to poke around the APIs, but it isn't clear to me what type of ...
21 votes
7 answers
7k views
Prevent a bot from accessing the login page with multiple IPs and a massive list of usernames/passwords
For the second time my website seems to be the target of a large automated attack. It seems complex enough and very well executed. I have the following systems in place: Captcha on 3rd failed login ...
0 votes
0 answers
220 views
Has this PC been hacked? What's going on?
I'm reasonably technically competent, but I don't know how to interpret this PC issue. As it's a real-world incident, there's some back-story. I'm in the UK. The suspect PC runs Win8.1, up to date, ...
2 votes
2 answers
4k views
Suspicious calls to testgvbgjbhjb.com
In the last few days, one of our endpoints has been making calls to testgvbgjbhjb.com; the calls came from Google Chrome outside. I used TCPView to find suspicious connections and check if there are any unknown ...
0 votes
3 answers
1k views
Under which conditions can dllhost.exe spawn child process? | MITRE ATT&CK T1191
I was looking for conditions/circumstances under which Dllhost.exe can spawn a child process. I examined a huge quantity of event logs from various Windows systems and didn't come across any event in ...
0 votes
1 answer
193 views
Tools for reverse engineering malicious executables? [closed]
Are there any tools that one can reliably use for decompiling malicious executables in order to understand the inner workings of the same? Or any other reliable tool/way to quickly derive the code?
1 vote
3 answers
428 views
What to use to automate incident response? [closed]
I am now reading about TheHive Project, an open source incident response platform. Today I asked the developers about automation of incidents, and found that TheHive can't do this. The main feature for me is ...
0 votes
1 answer
3k views
Read a raw dump with WinDBG
Is it possible to convert a full raw memory dump and open it in WinDBG? In order to inspect whether there is no malware, filter processes which call a particular API, dump each process in memory, etc...
4 votes
5 answers
953 views
Incident response and recovery from a security breach with unknown attack vector
Security breaches, hacks, “cyber” attacks or server compromises happen quite frequently, unfortunately, such as Quora in December 2018, Facebook in September 2018, Equifax in September 2017, Exactis ...
3 votes
2 answers
516 views
Malware Author's Mindset
I'm studying common malware characteristics, and I'm having a bit of difficulty understanding the design choices the malware authors make. Many of said choices seem to revolve around making life ...