xknow_infosec – Medium

Mar 24, 2020

Detecting LDAPFragger — A newly released Cobalt Strike Beacon using LDAP for C2 communication (blueteamers approach)

Goals: trying to understand how the tool works trying to find further detections as blueteamer for an newly released tool find an efficient detection rule which can be implemented in large scale environment quickly After LDAPFragger (introduction blogpost) has been at Github (03–19–2020) I immediately took some views into its…

Threat Hunting

14 min read

Detecting LDAPFragger — A newly released Cobalt Strike Beacon using LDAP for C2 communication…

Threat Hunting

14 min read

Mar 18, 2020

Windows Event ID 4649 “A replay attack was detected “ — Oh really? Are we under ATTACK? Should we do Incident Response?

gathered and collected all available knowledge about Event ID 4649 is it a low or high noise signal? a cyber-attack by hackers — or just an badly programmed/crashed piece of software causing this event? key question: put on alert/detection for your SOC/CSIRT yes/no? As Blueteamer you might have heard of…

Threat Hunting

8 min read

Windows Event ID 4649 — A replay attack was detected

Threat Hunting

8 min read