Posts for: #Blue-Team

SOC326 Case Study: Impersonating Domain MX Record Change Leading to Active Phishing Campaign

Event ID: 304
Rule Name: SOC326 – Impersonating Domain MX Record Change Detected
Severity: HIGH
Category: Brand Protection / Phishing
Event Time: September 17, 2024 – 12:05 PM
Impacted Asset: LETSDEFEND

Background

Sometimes attackers don’t kick the door down — they quietly make a copy of your house key first. In this case, the threat actor registered a look-alike domain and configured its email infrastructure (an MX record) before launching a phishing campaign. What initially appeared to be an early warning quickly escalated into active exploitation: a user clicked a malicious link and the endpoint communicated with attacker-controlled infrastructure.
[Read more]

SOC153 Case Study: Malicious PowerShell Execution Leading to Active Malware Infection

Event ID: 238
Rule Name: SOC153 – Suspicious PowerShell Script Executed
Severity: HIGH
Category: Endpoint Compromise / Malware
Event Time: March 14, 2024 – 05:23 PM
Compromised Host: Tony (172.16.17.206)

A user, Tony, opened a suspicious file he probably shouldn’t have. It was like finding a strange USB drive in the parking lot and plugging it into your computer: you don’t know what’s on it, but it starts doing things automatically.
[Read more]

How Password Storage Fails: A Security Timeline Every Defender Should Know

Storing passwords safely is a critical part of running any website or app where people create accounts. Done badly, it has led to some of the biggest data breaches on record, and passwords stolen in those breaches are still being reused by attackers years later to break into other accounts (credential stuffing). Below are six common ways passwords have been handled over time, starting with the worst ideas and moving toward safer ones, explained in plain language.
[Read more]
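As an added illustration of the storage failures the post above describes (this is example code written for this page, not code from the post), the block below contrasts three schemes: plaintext, a fast unsalted hash, and a per-user salted slow key derivation (PBKDF2-HMAC-SHA256 from the standard library, standing in for any modern password hash such as Argon2id or bcrypt). The users, passwords and wordlist are constructed sample data. Two users who pick the same password get the same stored record under the first two schemes, so one dictionary guess cracks both at once; with a random salt and a slow KDF they do not, and each guess must be recomputed per user.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}

# Constructed attacker wordlist for the offline guessing demo.
WORDLIST = ["password", "123456", "Summer2024!", "letmein"]


def store_plaintext(password: str) -> str:
    """Scheme 1 (worst): the stored record is the password itself."""
    return password


def store_unsalted_md5(password: str) -> str:
    """Scheme 2: a fast, unsalted hash. Identical passwords give identical
    records, and precomputed (rainbow) tables apply to every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Scheme 3: a random per-user salt plus a deliberately slow KDF.
    Record format (our own, for this example): scheme$iterations$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_collides(store, users: dict) -> bool:
    """True if two users with the same password end up with the same stored record,
    i.e. the scheme leaks password equality and lets one crack cover many accounts."""
    records = [store(pw) for pw in users.values()]
    return len(set(records)) < len(records)


def crack_unsalted_md5(record: str, wordlist) -> str:
    """Offline attack on scheme 2: one hash per candidate, no per-user work."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == record:
            return guess
    return ""


if __name__ == "__main__":
    print("plaintext collides:", same_password_collides(store_plaintext, USERS))
    print("unsalted md5 collides:", same_password_collides(store_unsalted_md5, USERS))
    print("salted pbkdf2 collides:", same_password_collides(store_salted_pbkdf2, USERS))
    print("cracked alice's md5:", crack_unsalted_md5(store_unsalted_md5(USERS["alice"]), WORDLIST))
    rec = store_salted_pbkdf2(USERS["bob"])
    print("bob login ok:", verify_pbkdf2("Summer2024!", rec), "wrong pw:", verify_pbkdf2("summer2024!", rec))
```

The salted record stores its own parameters, so the iteration count can be raised later without breaking existing logins: verify with the stored count, then re-hash on successful login with the new one.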

SOC127 Case Study: Successful SQL Injection Attack via Automated Tooling

Alert Name: SOC127 – SQL Injection Detected
Severity: High
Event ID: 235
Event Time: Mar 07, 2024 – 12:51 PM
Category: Web Application Attack
Platform: LetsDefend SOC

This incident shows how an attacker on the internet tried to trick a website into giving out information it was never supposed to reveal. Instead of breaking in directly, the attacker sent specially crafted requests to the site and watched how it responded. Even though the website kept replying with “everything is OK,” the injected input was being passed to the database behind the scenes, and the responses leaked what the attacker needed.
[Read more]
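As an added example of the pattern described above (written for this page; it is not the case study's target application or its actual payloads), the block below shows a vulnerable query built by string concatenation next to its parameterized fix, and a boolean-based blind probe run against both. The toy handler always answers "200 OK"; the only signal an attacker gets is whether a profile rendered, which is enough to extract a stored value one character at a time. The table, users and secret value are constructed sample data.

```python
import sqlite3

# Constructed sample data; "secret" is an arbitrary hex string, not a real credential.
SEED_USERS = [("admin", "a1b2c3"), ("tony", "f0e1d2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def profile_vulnerable(conn, username: str):
    # Vulnerable: attacker-controlled input is spliced into the SQL text.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def profile_safe(conn, username: str):
    # Fixed: a bound parameter is sent as data, never parsed as SQL.
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()


def render(handler, conn, username: str):
    """Toy web handler: always '200 OK'. Errors are swallowed, so the only
    observable difference is whether a profile was rendered."""
    try:
        rows = handler(conn, username)
    except sqlite3.Error:
        rows = []
    return "200 OK", bool(rows)


def blind_extract(handler, conn, target_user: str, length: int, alphabet: str = "0123456789abcdef") -> str:
    """Boolean-based blind probe: ask one yes/no question per character position.
    The trailing '-- ' comments out the closing quote the application appends."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = f"{target_user}' AND substr(secret,{pos},1)='{ch}' -- "
            _status, found = render(handler, conn, payload)
            if found:
                recovered += ch
                break
        else:
            # No candidate matched: the input is not reaching the SQL parser.
            return recovered
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable handler leaks:", blind_extract(profile_vulnerable, conn, "admin", 6))
    print("parameterized handler leaks:", repr(blind_extract(profile_safe, conn, "admin", 6)))
```

Against the vulnerable handler every probe still returns "200 OK", which is why a status-code-only monitor sees nothing; the detection opportunity is the burst of near-identical requests whose parameter carries quote characters, `AND`, `substr(` and comment sequences, which is what automated tooling produces.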