Elnur Abbasov, "Detecting AnyDesk Usage" (Jul 10): Today I'm going to show you a simple but effective detection logic / threat hunting technique for AnyDesk.
Elnur Abbasov, "Letsdefend.io EventID 120" (May 26, 2022): The attacker is trying to read the /etc/passwd file. The passwd file is used to keep track of every registered user that has access to a…
Elnur Abbasov, "Letsdefend.io EventID 119" (May 26, 2022): We have a medium severity alert about IDOR. IDOR stands for insecure direct object reference. It is one example of many access control…
Elnur Abbasov, "Letsdefend.io EventID 118" (May 26, 2022): We have an alert about an incoming HTTP request containing the "whoami" command in the request body. The source IP address is 61.177.172.87 and the web…
Elnur Abbasov, "Letsdefend.io EventID 117" (May 26, 2022): This alert is about the "ls" command in the requested URL. The "ls" command is used in Linux to list files.
Elnur Abbasov, "Letsdefend.io EventID 116" (May 26, 2022): The alert with EventID 116 shows that JavaScript code is detected in the URL.
Elnur Abbasov, "Letsdefend.io EventID 115" (May 26, 2022): The alert with EventID 115 shows that a SQL injection payload is detected. If we check the requested URL we can see that there is a URL-encoded…
Elnur Abbasov, "Letsdefend.io EventID 114" (May 26, 2022): An alert is raised due to mshta.exe executing a low reputation file, Ps1.hta.
Elnur Abbasov, "Letsdefend.io EventID 113" (May 24, 2022): The alert is about suspicious certutil.exe usage. The alert type is LOLBin. LOLBin stands for living off the land binaries. Attackers can…
Elnur Abbasov, "Letsdefend.io EventID 94" (May 24, 2022): There is an alert about SSH scan activity in our network. The source hostname is PentestMachine and the file name is nmap. It seems our…