⭕️ A script written in PowerShell, suitable for IR and threat hunting on Windows.
With this script you can quickly review a list of the following:
General information
Account and group information
Network
Process information
OS build and hotfixes
Persistence
Hardware information
Encryption information
Firewall information
Services
History
SMB queries
Remoting queries
Registry analysis
Log queries
Installation of software
User activity
In addition, with the advanced queries the following can also be reviewed:
Prefetch file information
DLL List
WMI filters and consumers
#DFIR #ThreatHunting
@Engineer_Computer
GitHub - emrekybs/Douglas-042: PowerShell script to help speed up threat hunting and incident response processes
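As an added example (our code, not part of Douglas-042), the snippet below collects three of the persistence sources the script enumerates: Run/RunOnce keys, scheduled tasks outside the \Microsoft\ tree, and permanent WMI event subscriptions (filter, consumer and binding). It assumes an elevated PowerShell 5.1 or later session on the host being triaged; the function names and the output columns are ours.

```powershell
# Added example (not part of Douglas-042): quick persistence triage for the
# "Persistence" and "WMI filters and consumers" categories. Run elevated.
# Every function emits objects with the same shape so the results can be
# merged and exported (e.g. | Export-Csv persistence.csv).

function Get-RunKeyPersistence {
    # Classic autostart values under Run/RunOnce for the machine and the
    # current user. Commands pointing into %TEMP%, %APPDATA% or public
    # folders deserve a second look.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # drop PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = 'RunKey'; Location = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-ScheduledTaskPersistence {
    # Tasks outside the \Microsoft\ tree, one row per action.
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Source   = 'ScheduledTask'
                Location = $task.TaskPath + $task.TaskName
                Name     = $task.Principal.UserId
                Command  = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            }
        }
    }
}

function Get-RefName($ref) {
    # A binding's Filter/Consumer is a CimInstance when read with Get-CimInstance,
    # but a path string like __EventFilter.Name="x" when read with Get-WmiObject.
    if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $ref.Name
}

function Get-WmiEventSubscriptions {
    # Permanent WMI subscriptions live in root\subscription. A filter (WQL
    # query) bound to a CommandLineEventConsumer or ActiveScriptEventConsumer
    # is a classic fileless persistence mechanism, so list every binding.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    foreach ($b in @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        # What the consumer runs: command line, script body, or just its class.
        $payload = $c.CimClass.CimClassName
        if ($c.ScriptText)          { $payload = $c.ScriptText }
        if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        [pscustomobject]@{
            Source   = 'WMISubscription'
            Location = "$ns ($($c.CimClass.CimClassName))"
            Name     = "$fName -> $cName"
            Command  = "$payload  [trigger: $($f.Query)]"
        }
    }
}

$findings = @(Get-RunKeyPersistence) + @(Get-ScheduledTaskPersistence) + @(Get-WmiEventSubscriptions)
$findings | Format-Table -AutoSize -Wrap
```

The WMI section is the one most triage scripts skip: a filter such as a timer or a `Win32_ProcessStartTrace` watch bound to a `CommandLineEventConsumer` survives reboots and leaves nothing on disk, so the `Command` column should be read together with the `trigger` query.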
📚👩🏼💻#DFIR Regular Expressions
List of #regex for searching and extracting:
- IP addresses
- nicknames
- passwords
- phone numbers
- emails
- filenames
- URLs
and more.
https://github.com/joshbrunty/DFIR-Regular-Expressions
@Engineer_Computer
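As an added example (our code, not from the joshbrunty/DFIR-Regular-Expressions repository), the block below extracts a few of the listed indicator types from a constructed text sample and shows the post-processing a raw regex hit needs: IPv4 octet validation, since a regex cannot express "each octet is at most 255", and refanging of `hxxp` URLs. The patterns are ours and tuned for triage rather than RFC-exact validation.

```powershell
# Added example (not from joshbrunty/DFIR-Regular-Expressions): extract a few
# indicator types from text and post-process the raw hits. The sample text is
# constructed; patterns are deliberately simple and tuned for triage.

$Sample = @'
Mar 12 03:14:07 web01 sshd[2211]: Failed password for admin from 203.0.113.45 port 51322 ssh2
GET /download/invoice_2024.pdf.exe HTTP/1.1 Host: cdn.example.net
Contact: alice.smith@example.com or +1 (415) 555-0199, backup: bob@mail.example.org
Beacon to hxxps://update.example.net/a.php?id=7 and http://198.51.100.7:8080/gate
Noise: 999.123.4.5 and 256.1.1.1 look like IPs but are not; 10.0.0.300 neither.
'@

$Patterns = [ordered]@{
    IPv4  = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    Email = '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'
    URL   = '\b(?:hxxps?|https?)://[^\s"''<>]+'
    Phone = '(?<!\d)\+?\d{0,2}[ .-]?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)'
    File  = '\b[\w.\-]+\.(?:exe|dll|ps1|bat|vbs|js|scr|zip|pdf|docx?|xlsx?)\b'
}

function Test-IPv4 {
    # The IPv4 regex accepts 999.123.4.5; reject anything with an octet > 255.
    param([string]$Candidate)
    $octets = $Candidate -split '\.'
    if ($octets.Count -ne 4) { return $false }
    foreach ($o in $octets) { if ([int]$o -gt 255) { return $false } }
    return $true
}

function Get-Indicators {
    # Returns an ordered dictionary: indicator type -> sorted unique values.
    param([string]$Text)
    $result = [ordered]@{}
    foreach ($kind in $Patterns.Keys) {
        $hits = @([regex]::Matches($Text, $Patterns[$kind]) | ForEach-Object { $_.Value })
        switch ($kind) {
            'IPv4' { $hits = @($hits | Where-Object { Test-IPv4 $_ }) }
            'URL'  { $hits = @($hits | ForEach-Object { $_ -replace '^hxxp', 'http' }) }  # refang
        }
        $result[$kind] = @($hits | Sort-Object -Unique)
    }
    return $result
}

$iocs = Get-Indicators -Text $Sample
foreach ($kind in $iocs.Keys) { '{0,-6} {1}' -f $kind, ($iocs[$kind] -join ', ') }
```

On the sample above the three bogus addresses are dropped by `Test-IPv4`, the defanged beacon URL comes back as `https://...` so it can be looked up directly, and the `File` pattern keeps the full double extension `invoice_2024.pdf.exe` rather than stopping at `.pdf`.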
🧠 Log Analysis + Wazuh Integration — Hands-On Mini Lab for Blue Teamers 🚀
Just finished going through this practical guide on Linux & Windows log analysis with Wazuh and it’s one of the clearest step-by-step walkthroughs I’ve seen for juniors and SOC beginners.
Here’s what you’ll practice inside the PDF:
🔹 Linux Log Analysis
Exploring key log files under /var/log (boot, cron, secure, mail, httpd, messages)
Verifying package installation logs via apt
Reviewing firewall activity with UFW logs
🔹 Windows Event Log Analysis
Enabling audit policies via Local Security Policy
Using Event Viewer to track security events (e.g. 4625, 4776)
Simulating RDP brute-force attempts and interpreting the resulting logs
🔹 Wazuh Integration (SIEM)
Configuring ossec.conf for Linux & Windows log collection
Validating events in the Wazuh dashboard (Threat Hunting & Discover views)
Correlating firewall, package, and authentication events across hosts
🎯 Great for:
Students, SOC interns, junior analysts, and anyone who wants a lab-style intro to log analysis + Wazuh without getting lost in theory.
📘 I’ve attached the PDF — worth saving if you’re building your Blue Team fundamentals or preparing for SOC roles.
What other SIEM or log analysis topics would you like to see broken down like this?
#Wazuh #SIEM #LogAnalysis #SOCAnalyst #BlueTeam #DFIR #Linux #WindowsSecurity #CyberSecurity #ThreatHunting
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
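As an added example (our code, not from the attached PDF), the block below turns the 4625/4624 pairs the walkthrough has you generate with an RDP brute-force simulation into a per-source verdict: failures per sliding window, whether one account or many were tried, and whether a success followed the failures, which is the signal that separates noise from a likely compromise. The events are constructed; `Get-LogonEventsFromSecurityLog` shows the same shape pulled from the live Security log. The function and column names are ours. For 4776 (NTLM validation) the record carries a source workstation name rather than an IP, so the grouping key changes but the logic is the same.

```powershell
# Added example, not from the PDF: score 4625/4624 pairs per source address.
# The sample events at the bottom are constructed; the first function shows
# how to collect real ones (elevated session required).

function Get-LogonEventsFromSecurityLog {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is easiest to read from the XML form of the record.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = $d['TargetUserName']
            SourceIp  = $d['IpAddress']          # '-' for console logons
            LogonType = [int]$d['LogonType']     # 10 = RDP, 3 = network (SMB), 2 = interactive
            Status    = $d['Status']             # 0xC000006D = bad user name or password
            SubStatus = $d['SubStatus']          # 0xC0000064 = no such user, 0xC000006A = bad password
        }
    }
}

function Find-BruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 10,       # failures inside one window before we call it
        [int]$WindowMinutes = 5
    )
    $bySource = $Events | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } | Group-Object SourceIp
    foreach ($g in $bySource) {
        $ordered  = @($g.Group | Sort-Object Time)
        $failures = @($ordered | Where-Object { $_.Id -eq 4625 })
        # Peak number of failures inside any WindowMinutes-wide window.
        $peak = 0
        for ($i = 0; $i -lt $failures.Count; $i++) {
            $end = $failures[$i].Time.AddMinutes($WindowMinutes)
            $n = @($failures[$i..($failures.Count - 1)] | Where-Object { $_.Time -le $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }
        $users = @($failures | Select-Object -ExpandProperty User -Unique)
        $lastFail = if ($failures.Count -gt 0) { $failures[-1].Time } else { $null }
        # A 4624 from the same source after the run of failures is the signal that matters.
        $landed = @($ordered | Where-Object { $lastFail -and $_.Id -eq 4624 -and $_.Time -gt $lastFail }).Count -gt 0
        $isBrute = $peak -ge $Threshold
        [pscustomobject]@{
            SourceIp      = $g.Name
            Failures      = $failures.Count
            PeakInWindow  = $peak
            DistinctUsers = $users.Count
            Shape         = if ($users.Count -gt 1) { 'spray' } else { 'single account' }
            SuccessAfter  = $landed
            Verdict       = if ($isBrute -and $landed) { 'LIKELY COMPROMISE' } elseif ($isBrute) { 'brute force' } else { 'below threshold' }
        }
    }
}

# ---- constructed sample: 12 RDP failures in 3 minutes, then a success ----
$t0 = Get-Date '2025-01-10 02:00:00'
$Sample = @()
foreach ($i in 0..11) {
    $Sample += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Id = 4625; User = 'administrator'; SourceIp = '203.0.113.45'; LogonType = 10; Status = '0xC000006D'; SubStatus = '0xC000006A' }
}
$Sample += [pscustomobject]@{ Time = $t0.AddMinutes(4); Id = 4624; User = 'administrator'; SourceIp = '203.0.113.45'; LogonType = 10; Status = $null; SubStatus = $null }
# ---- and a user mistyping twice from the LAN, then logging in ----
$Sample += [pscustomobject]@{ Time = $t0.AddHours(6); Id = 4625; User = 'jdoe'; SourceIp = '10.0.0.21'; LogonType = 10; Status = '0xC000006D'; SubStatus = '0xC000006A' }
$Sample += [pscustomobject]@{ Time = $t0.AddHours(6).AddSeconds(40); Id = 4625; User = 'jdoe'; SourceIp = '10.0.0.21'; LogonType = 10; Status = '0xC000006D'; SubStatus = '0xC000006A' }
$Sample += [pscustomobject]@{ Time = $t0.AddHours(6).AddMinutes(1); Id = 4624; User = 'jdoe'; SourceIp = '10.0.0.21'; LogonType = 10; Status = $null; SubStatus = $null }

Find-BruteForce -Events $Sample | Format-Table -AutoSize
# Live data: Find-BruteForce -Events (Get-LogonEventsFromSecurityLog -Hours 24)
```

Two things to keep in mind when you move from the lab to Wazuh: the same grouping should be done on the `data.win.eventdata.ipAddress` field the agent forwards, and a success after a burst of failures should page someone regardless of whether the burst crossed the threshold, because a short, well-targeted spray looks like "below threshold" to a counter.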
Network Security Channel
[Photo]
🚨🔴 DARK WEB ≠ “MYSTERY LAND” — It’s an OSINT surface you can monitor (safely).
Not everything “dark web” is shady hacking content. For defenders, it’s mainly early signals: leaked creds, brand mentions, data dumps, threat actor chatter, and infrastructure breadcrumbs.
This graphic is a quick snapshot of dark web search + breach-intel tooling — useful for CTI, SOC, and incident response workflows:
🧭 Discovery & Search (Onion indexing)
Tools like Ahmia / Torch / Haystak / Tor66 / Onion Engine can help discover onion content and references.
🕵️ Leak & Breach Intelligence
Have I Been Pwned, DeHashed, Telemetry, Library of Leaks → fast checks for exposed accounts/domains and leaked datasets.
📌 CTI Collection
Sources like DeepDark CTI can support threat intel enrichment (always validate + cross-check).
🔗 Directories & Link Hubs
Pages like Onion.live / Tor.link / DarkwebDaily often act as link lists (high churn, high risk — treat as untrusted).
🔐 Crypto Hygiene
PGP tools matter for verification when you’re handling sensitive comms / proofs.
🛡 How defenders use this (legally + safely):
Brand monitoring (company name, domains, exec emails)
Credential exposure triage → force resets, MFA enforcement, conditional access
Ransomware leak-site monitoring (signals before PR/legal fire drills)
IR enrichment (match IOCs, victimology, TTP patterns)
⚠️ Safety note: If you’re doing this seriously, use an isolated VM, tight OPSEC, and a clear legal policy. Most value comes from breach intel + monitoring, not browsing random onion links.
📩 Want a defender-only “Dark Web Monitoring Playbook” checklist (what to track, queries, and response steps)?
Comment “PLAYBOOK” or drop a 🔴 and I’ll share it.
#CyberSecurity #OSINT #ThreatIntelligence #CTI #BlueTeam #SOC #DFIR #IncidentResponse #BreachMonitoring #IdentitySecurity #SecurityOperations
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
SOC Analyst Technical Assessment.pdf
🚨 A real SOC Analyst does not just close alerts.
They investigate, correlate, contain, and communicate.
I’ve been reviewing a SOC Analyst Technical Assessment, and it highlights something many people still misunderstand about the role:
Being a SOC Analyst is not just about staring at dashboards.
It is about making the right judgment under pressure.
What stood out to me most is how realistic the assessment is.
It tests the exact skills that matter in the real world:
✅ SIEM alert triage
• separating true positives from false positives
• prioritizing incidents correctly
• recognizing brute force, phishing, malware, and benign IT activity
✅ Log analysis and threat hunting
• identifying suspicious RDP activity
• spotting privilege escalation
• noticing command-line abuse
• correlating firewall, Windows, EDR, and SMB-related events
✅ Attack chain thinking
• mapping activity to the MITRE ATT&CK stages
• understanding initial access, execution, persistence, privilege escalation, defense evasion, and exfiltration
✅ Incident response under pressure
• isolating affected systems
• blocking SMB spread
• identifying IOCs
• building timelines
• recommending containment and remediation actions
✅ Written communication
• turning technical findings into an executive summary
• explaining business impact
• giving clear next steps after a ransomware incident
That is the part I like most:
A strong SOC Analyst is not just technical.
They must also be able to:
• think critically,
• connect small signals,
• understand attacker behavior,
• write clearly,
• and explain risk in a way the business can act on.
The uncomfortable truth?
A lot of people think SOC work is repetitive.
But real SOC work is where:
• false positives waste time,
• missed signals become breaches,
• and one bad decision can change the impact of an incident.
This assessment proves something important:
SOC is not about tools alone.
It is about analysis quality.
👇 Don’t just like, comment:
What do you think is the most important SOC Analyst skill today?
A) Alert triage
B) Log correlation
C) Threat hunting
D) Incident response
E) Reporting and communication
Comment A / B / C / D / E. I’m curious what security professionals value most in real environments.
#SOC #SOCAnalyst #CyberSecurity #SIEM #ThreatHunting #IncidentResponse #LogAnalysis #BlueTeam #ThreatDetection #MITREATTACK #Ransomware #EDR #SecurityOperations #InfoSec #CyberDefense #DFIR #DetectionEngineering #SecurityMonitoring #AnalystMindset #CyberCareer
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer
The 2026 SOC Playbook.pdf
🛡 Book Review: "The 2026 SOC Playbook — Analysing Incidents Through Attacker Thinking" by Izzmier Izzuddin
Just finished one of the most practical SOC references I've come across this year. 193 pages, 10 end-to-end playbooks built around real 2026 attack patterns — no marketing fluff, just operational gold.
🔹 What makes this different:
Most SOC material stops at the first alert. This one assumes the attacker is successful at every stage and forces the analyst to reconstruct the entire chain, ask the right questions, validate evidence, and complete containment, eradication and recovery. That mindset shift alone is worth the read.
🔹 The 10 playbooks cover what's actually landing in SOC queues right now:
✅ OAuth Consent Abuse & Payment Fraud
✅ AiTM Phishing, Token Replay & Ransomware Staging
✅ Cloud API Token Compromise & SaaS Exfiltration
✅ API Credential Stuffing & Business Logic Abuse
✅ RMM Tool Abuse & Ransomware Deployment Prep
✅ Business Email Compromise & Vendor Payment Manipulation
✅ Teams/OneDrive Phishing, Fileless PowerShell, HTTPS C2
✅ DNS Tunnelling & Covert Exfiltration
✅ Kerberos Abuse & Domain Escalation
✅ Insider Threat & Personal Cloud Exfiltration
Each playbook ships with: attacker thinking, MITRE ATT&CK mapping, simulated evidence, the right investigative questions, log sources, detection logic, and full response workflow.
🔹 Three lessons I'm taking back to my own work:
1️⃣ MFA success ≠ benign activity. The book hammers this — exactly the assumption that lets AiTM and consent-abuse attacks succeed.
2️⃣ Build the chain, not the alert. A single signal is one frame of a longer movie. SOC maturity = stitching frames together fast.
3️⃣ Backup tampering is the new ransomware tell. If your stack ignores backup-system telemetry, you're blind to the deadliest 5 minutes of an incident.
#SOC #BlueTeam #IncidentResponse #ThreatHunting #MITREATTACK #CyberSecurity #InfoSec #DetectionEngineering #DFIR #SIEM #OpenToWork
🔹 Share & Support Us 🔹
📱 Channel : @Engineer_Computer