657 Followers
163 Following
121 Posts
#Malware Analysis, #DFIR, Computer #Forensics, Incident Response, #ThreatIntel, #OSINT, #CyberSecurity
#Linux, #FreeBSD, #ReactOS and #MeshCore enthusiast 
Tips, Tricks, Tools and Trainings by ladislav_b (#Network Analyst @ESET, #Slovakia). Opinions are my own.
Web: https://malwarelab.eu
Web: https://baco.sk
X: https://x.com/malwarelab_eu
X (personal): https://x.com/ladislav_b
nostr: b40c155b55a94238005acc780ad8feb89daab358d73c2035c5e14b96289e4243

Investigation scenario:
We just received three notifications with alerts from #Suricata #IDS

1) GPL SMTP vrfy root, from unknown IP to our mailserver

Shortly after that, two more alerts appeared:

2) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; from the same unknown IP to Windows computer in our network
3) ET MALWARE Possible Metasploit Payload Common Construct Bind_API, again from the same unknown IP to the same Windows computer

What happened?
What to do? How to analyze network traffic and investigate those alerts?

We do not have any EDR or XDR installed on that Windows computer. Right now, we have only Suricata eve.json logs ingested into the #OpenObserve #SIEM.

If you would like to see more, you are welcome to attend my @suricata webinar on March 11.
Register here: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ
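The first triage step for a scenario like this, when the only telemetry is eve.json, is to pull every alert produced by the unknown source IP, order it in time, and list the internal hosts and flow IDs to pivot on. The script below is an added illustration, not part of the original post or of Suricata itself: it parses a constructed eve.json sample mirroring the three alerts (placeholder signature_id values, documentation-range addresses) and builds a per-source summary that flags escalation from a recon hit to a severity-1 malware hit against a second host.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed eve.json sample (one JSON object per line) mirroring the three alerts
# from the post. Addresses are documentation/private ranges and the signature_id
# values are placeholders, not the real GPL/ET rule SIDs.
SAMPLE_EVE = """\
{"timestamp":"2026-03-02T09:14:05.123456+0100","flow_id":1,"event_type":"alert","src_ip":"203.0.113.77","src_port":51234,"dest_ip":"10.0.0.25","dest_port":25,"proto":"TCP","alert":{"signature_id":9000001,"signature":"GPL SMTP vrfy root","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-03-02T09:14:06.000000+0100","flow_id":2,"event_type":"flow","src_ip":"10.0.0.25","src_port":25,"dest_ip":"203.0.113.77","dest_port":51234,"proto":"TCP"}
{"timestamp":"2026-03-02T09:21:40.500000+0100","flow_id":3,"event_type":"alert","src_ip":"203.0.113.77","src_port":8080,"dest_ip":"10.0.0.101","dest_port":49812,"proto":"TCP","alert":{"signature_id":9000002,"signature":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2026-03-02T09:21:41.200000+0100","flow_id":3,"event_type":"alert","src_ip":"203.0.113.77","src_port":8080,"dest_ip":"10.0.0.101","dest_port":49812,"proto":"TCP","alert":{"signature_id":9000003,"signature":"ET MALWARE Possible Metasploit Payload Common Construct Bind_API","category":"A Network Trojan was detected","severity":1}}
"""


def parse_eve(text):
    """Parse newline-delimited eve.json, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line truncated by log rotation must not abort triage
    return events


def _ts(ev):
    # Suricata timestamps look like 2026-03-02T09:14:05.123456+0100
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_by_source(events):
    """Group alert events by src_ip; non-alert event types (flow, http, ...) are ignored."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "alert":
            groups[ev["src_ip"]].append(ev)
    return {ip: sorted(evs, key=_ts) for ip, evs in groups.items()}


def summarize_source(alerts):
    """Build the pivot data an analyst needs for one source IP (alerts already time-ordered)."""
    signatures = [a["alert"]["signature"] for a in alerts]
    targets, flow_ids = [], []
    for a in alerts:
        if a["dest_ip"] not in targets:
            targets.append(a["dest_ip"])       # internal hosts to check, in order of first contact
        if a["flow_id"] not in flow_ids:
            flow_ids.append(a["flow_id"])      # flows to extract from the PCAP for payload analysis
    max_severity = min(a["alert"]["severity"] for a in alerts)  # Suricata: 1 is the most severe
    span_seconds = (_ts(alerts[-1]) - _ts(alerts[0])).total_seconds()
    # Escalation heuristic: the same source reached a second internal host and produced a
    # severity-1 (malware) alert, i.e. it moved from probing to delivering a payload.
    escalated = max_severity == 1 and len(targets) > 1
    return {
        "signatures": signatures,
        "targets": targets,
        "flow_ids": flow_ids,
        "max_severity": max_severity,
        "span_seconds": span_seconds,
        "escalated": escalated,
    }


def triage(text):
    """Return one summary per source IP, most urgent first."""
    groups = alerts_by_source(parse_eve(text))
    summaries = {ip: summarize_source(evs) for ip, evs in groups.items()}
    return sorted(summaries.items(), key=lambda kv: (kv[1]["max_severity"], -len(kv[1]["signatures"])))


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_EVE):
        print(f"{ip}: severity {s['max_severity']}, {len(s['signatures'])} alerts over {s['span_seconds']:.1f}s")
        for sig in s["signatures"]:
            print("   ", sig)
        print("    hosts to investigate:", ", ".join(s["targets"]))
        print("    flows to carve from PCAP:", s["flow_ids"])
        print("    escalated:", s["escalated"])
```

The flow_id is the key that ties eve.json records to packets: the same value appears on the alert, the http/fileinfo records and the flow record, so it is what you query in the SIEM to find the HTTP transaction that carried the MZ response, and what you filter on in the PCAP to recover the file for offline analysis.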

Yesterday I led a half-day workshop for a group of high school students. The content was purely practical: a lot of labs and hands-on exercises and challenges about computer networks, #networktrafficanalysis and #cybersecurity.

Girls made their own Ethernet cables to connect to our lab network. Then they analyzed common network protocols and their privacy issues and how the browser settings can affect the amount of sensitive information in the network traffic.

Pro tip: together with HTTPS-Only Mode in all windows, also enable DNS over HTTPS using Increased Protection or Max Protection.
Pro tip 2: even with those hardened settings, it is often possible to see which websites the user visits, because of the TLS SNI or TLS certificates.

After that, the girls had the opportunity to try a CTF-like activity in the lab network full of old #MikroTik and #Ubiquiti devices and virtual machines with various services exposed.

A little bit off-topic: This was the first workshop I completely led using my old #ThinkPad with #FreeBSD

#MayTheSourceBeWithYou
#PCAPorItDidntHappen

#education #womeninstem #womenintech #SecurityGirl #AjTyvIT #wireshark #CTF #handsonlearning #learningbydoing
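To show concretely what Pro tip 2 means, here is an added example (not from the original post, and not a Wireshark feature): a minimal parser that reads the cleartext TLS ClientHello and pulls out the server_name extension, which is exactly the field an observer on the network sees regardless of HTTPS-Only Mode or DNS over HTTPS. The ClientHello bytes are constructed by the builder below rather than captured, and the extension layout follows RFC 6066; the cipher suite and extra extension values are arbitrary filler.

```python
# Added example: extract the SNI hostname from a TLS ClientHello record.
# Record layout (RFC 5246/8446) and server_name extension layout (RFC 6066).


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello carrying a server_name extension (test input only)."""
    sni_entry = b"\x00" + len(server_name).to_bytes(2, "big") + server_name.encode("ascii")
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list          # type 0 = server_name
    other_ext = b"\x00\x2b" + b"\x00\x03" + b"\x02\x03\x04"                      # filler extension the parser must skip
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                      # client_version
        + bytes(32)                      # random (zeroed; irrelevant here)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # one cipher suite (filler value)
        + b"\x01\x00"                    # one compression method: null
        + len(extensions).to_bytes(2, "big") + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake       # record type 0x16 = handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS handshake record, or None if absent/not a ClientHello."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                    # not a handshake record (e.g. 0x17 application data)
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                    # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        pos = 2 + 32                                       # skip client_version and random
        pos += 1 + p[pos]                                  # session_id
        pos += 2 + int.from_bytes(p[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + p[pos]                                  # compression_methods
        if pos + 2 > len(p):
            return None                                    # no extensions block at all
        end = pos + 2 + int.from_bytes(p[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(p[pos:pos + 2], "big")
            ext_len = int.from_bytes(p[pos + 2:pos + 4], "big")
            data = p[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:
                continue                                   # not server_name
            list_len = int.from_bytes(data[0:2], "big")
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
        return None
    except IndexError:
        return None                                        # truncated record: fail closed


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("SNI seen on the wire:", extract_sni(hello))
```

The same visibility applies to the server certificate in TLS 1.2, which is sent unencrypted in the handshake and names the site in its subject or SAN; TLS 1.3 encrypts the certificate, but the ClientHello SNI stays in the clear unless Encrypted Client Hello is negotiated.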

Seeing posts like this on #moltbook, I am thinking about recent #threats emerging from the heavy usage of #AI agents without any security guardrails or proper controls.

This time, it is "only" a command to send an innocent email. But this could be a measurement of the potential botnet size and fingerprinting of bots and their capabilities. Next time, it might be #DDoS, #malware distribution, or a #dataleak if AI agents follow commands to do something harmful to their humans.

Last week I participated in #SANS Veterans Day #CTF🚩

After two days of competition, I solved 43 of 45 challenges and luckily won this contest.

As a #network analyst, I especially enjoyed the challenge fx01 (File analysis eXtreme level): a PCAP with a custom protocol

https://www.sans.org/mlp/veterans-day-ctf

#cybersecurity #blueteam #dfir #pentest #reverseengineering #exploitation #networkanalysis

Introduction to Network Threat Detection with @suricata by Lukas Sismis at @openalt in Brno.

A perfect start to the conference day with analysis of #pcap from #anyrun and @malware_traffic

#weekend #education #networkforensics #BlueTeam

Highlights from the #LinuxDays conference in Prague. Thanks for this great community event and opportunity to give a talk about #Linux #Malware.

#LinuxDays2025 @linuxdays

Yesterday I gave a talk about #Linux #malware at the #LinuxDays conference in Prague. It covered the history of Linux malware, and then we discussed some specific families in more depth: their goals, victims and highlights from the code and features. Examples of detection, host artifacts and network traffic were included, too. #ebury #mirai #ech0raix #k0ske.

Thanks to @linuxdays for a wonderful and very enjoyable community event.

Credit for the 2nd photo to @rootcz

Analysis of #Koske #miner.

It is an AI-generated #Linux #malware which was hidden in images with pandas. It supports a wide variety of coinminers for various cryptocurrencies, for GPUs and for different CPU architectures. Its other component, the #rootkit #hideproc, tries to hide the Koske miner from file listings and process lists.

https://malwarelab.eu/posts/koske-panda-ai/

Video from #anyrun analysis:

https://www.youtube.com/watch?v=1OSPp996XQ4

#koskeminer #coinminer #blueteam #cybersecurity #dfir #malwareanalysis #infosec #reverseengineering

Yesterday I attended #SOC #DetectionEngineering Crash Course with Hayden Covington by @Antisy_Training

https://www.antisyphontraining.com/product/workshop-soc-detection-engineering-crash-course-with-hayden-covington/

5-hour workshop (1 hour of lab setup with the instructor available on Zoom and 4 hours of the workshop itself). Pay what you can, with pricing starting from $0. Course materials such as the setup guide and excellent lab instructions were delivered in advance, two days before the workshop.

All you need for the workshop is just the web browser - we use #MetaCTF Cloud Windows VM (credits provided by the instructor) and Elastic Security (free trial available for 14 days).
Fun fact: I test #FreeBSD as my host OS and was able to do all of the labs in FreeBSD without any issues

The content was useful, a real crash course. We started with a Windows VM with Sysmon and an empty Elastic. After the course, we had the Elastic Agent on the VM, logs in Elastic, a detection rule for @mitreattack Account Discovery: Local Account (T1087.001), and suppression of the alerts for a particular user. We also tested the detection with an Atomic Red Team test.

Overall, it was a very good workshop and I am happy for the opportunity to attend it. The usage of "free" cloud infrastructure is inspiring; I will consider it during my next trainings for a larger group of students (instead of hosting all of the VMs in our cloud infrastructure) - this way, students can redo a lot of things after the training for a better understanding of the topic.

#infosec #education #training #antisyphon #soc #siem #detections #blueteam

Yesterday, it was a #FreeBSDday.

I finally took one of my old laptops and a spare SSD, and I tried to install #FreeBSD on it... However, things were not so smooth. My first attempt with the #ThinkPad X200 was not successful, the #FreeBSD installer hung several times during boot. However, when I changed X200 to X230i, the installation went very smoothly.

I remember that a year and a half ago, I followed @dwarmstrong and his #30DaysOfFreeBSD. It was inspirational to read about his journey, and I wanted to do something similar sometime - just test the new system and familiarize myself with it. Maybe now it is the right time to do it ;-)