Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
🔒 Israeli Court to Hear US Extradition Request for Alleged LockBit Developer
https://undercodenews.com/israeli-court-to-hear-us-extradition-request-for-alleged-lockbit-developer/
@Undercode_News
UNDERCODE NEWS
Israeli Court to Hear US Extradition Request for Alleged LockBit Developer - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24 hours a day, seven days a week by a dedicated Undercode team around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE TESTING
🦑105 Windows Event IDs For SIEM Monitoring
1. Failed Login Attempts - Event ID: 4625
2. Account Lockouts - Event ID: 4740
3. Successful Login Outside Business Hours - Event ID: 4624
4. New User Creation - Event ID: 4720
5. Privileged Account Usage - Event ID: 4672
6. User Account Changes - Event IDs: 4722, 4723, 4724, 4725, 4726
7. Logon from Unusual Locations - Event ID: 4624 (with geolocation analysis)
8. Password Changes - Event ID: 4723 (change attempt), 4724 (successful reset)
9. Group Membership Changes - Event IDs: 4727, 4731, 4735, 4737
10. Suspicious Logon Patterns - Event ID: 4624 (anomalous logons)
11. Excessive Logon Failures - Event ID: 4625
12. Disabled Account Activity - Event ID: 4725
13. Dormant Account Usage - Event ID: 4624 (rarely used accounts)
14. Service Account Activity - Event IDs: 4624, 4672
15. RDP Access Monitoring - Event ID: 4624 (with RDP-specific filtering)
16. Lateral Movement Detection - Event ID: 4648 (network logons)
17. File and Folder Access - Event ID: 4663
18. Unauthorised File Sharing - Event IDs: 5140, 5145
19. Registry Changes - Event ID: 4657
20. Application Installation and Removal - Event IDs: 11707, 1033
21. USB Device Usage - Event IDs: 20001, 20003 (from Device Management logs)
22. Windows Firewall Changes - Event IDs: 4946, 4947, 4950, 4951
23. Scheduled Task Creation - Event ID: 4698
24. Process Execution Monitoring - Event ID: 4688
25. System Restart or Shutdown - Event IDs: 6005, 6006, 1074
26. Event Log Clearing - Event ID: 1102
27. Malware Execution or Indicators - Event IDs: 4688, 1116 (from Windows Defender)
28. Active Directory Changes - Event IDs: 5136, 5141
29. Shadow Copy Deletion - Event ID: 524 (with VSSAdmin logs)
30. Network Configuration Changes - Event IDs: 4254, 4255, 10400
31. Execution of Suspicious Scripts - Event ID: 4688 (process creation with script interpreter)
32. Service Installation or Modification - Event ID: 4697
33. Clearing of Audit Logs - Event ID: 1102
34. Software Restriction Policy Violation - Event ID: 865
35. Excessive Account Enumeration - Event IDs: 4625, 4776
36. Attempt to Access Sensitive Files - Event ID: 4663
37. Unusual Process Injection - Event ID: 4688 (with EDR or Sysmon data)
38. Driver Installation - Event ID: 7045 (Service Control Manager)
39. Modification of Scheduled Tasks - Event ID: 4699
40. Unauthorised GPO Changes - Event ID: 5136
41. Suspicious PowerShell Activity - Event ID: 4104 (from PowerShell logs)
42. Unusual Network Connections - Event ID: 5156 (network filtering platform)
43. Unauthorised Access to Shared Files - Event ID: 5145
44. DNS Query for Malicious Domains - Event ID: 5158 (DNS logs required)
45. LDAP Search Abuse - Event ID: 4662
46. Process Termination Monitoring - Event ID: 4689
47. Failed Attempts to Start a Service - Event ID: 7041
48. Audit Policy Changes - Event IDs: 4719, 1102
49. Time Change Monitoring - Event IDs: 4616, 520
50. BitLocker Encryption Key Changes - Event ID: 5379
Ref: Izzmier Izzuddin Zulkepli
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
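A list of event IDs only becomes a detection once it is turned into a rule with a threshold, a window and a correlation. The script below is an added example (not part of the forwarded post) that runs four of the items above as rules over a handful of constructed Security-log records: failed-logon bursts (items 1/11), a burst followed by a success for the same account (item 10), logons outside business hours (item 3) and audit-log clearing (items 26/33). The event dicts, field names like `TargetUserName`, and the timestamps are constructed sample data, not real logs.

```python
"""Toy SIEM rules over constructed Windows Security events.

Added illustration, not code from the original post. Each event is a
flattened dict of the fields a SIEM would parse from a Security-log
record; field names follow the EventData names used in the Windows
Security log, but the records themselves are constructed sample data."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample data: a burst of failed logons for a service account at
# 02:10, a success two minutes later, a privileged logon, then log clearing.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2024-12-20T02:10:{s:02d}",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}
    for s in (0, 10, 20, 30, 40)
] + [
    {"EventID": 4624, "TimeCreated": "2024-12-20T02:12:05",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23", "LogonType": 10},
    {"EventID": 4672, "TimeCreated": "2024-12-20T02:12:06",
     "SubjectUserName": "svc_backup"},
    {"EventID": 1102, "TimeCreated": "2024-12-20T02:20:00",
     "SubjectUserName": "svc_backup"},
    {"EventID": 4624, "TimeCreated": "2024-12-20T09:30:00",
     "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 2},
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def excessive_failed_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Items 1/11: `threshold` or more 4625 events for one account inside a
    sliding time window. Returns (account, window start, count) per account."""
    failures = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            failures[ev["TargetUserName"]].append(_ts(ev))
    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start].isoformat(), end - start + 1))
                break  # one alert per account is enough
    return alerts


def failed_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Item 10: a failure burst followed, inside the same window, by a 4624 for
    the same account. The success after the burst is what makes this urgent."""
    hits = []
    for user, burst_start, _count in excessive_failed_logons(events, threshold, window):
        first = datetime.fromisoformat(burst_start)
        for ev in events:
            if (ev["EventID"] == 4624 and ev["TargetUserName"] == user
                    and first <= _ts(ev) <= first + window):
                hits.append((user, ev["TimeCreated"]))
                break
    return hits


def logons_outside_business_hours(events, start=time(8, 0), end=time(18, 0)):
    """Item 3: successful 4624 logons whose time of day is outside start..end.
    Times are compared as recorded; normalise time zones before ingest."""
    return [(ev["TargetUserName"], ev["TimeCreated"]) for ev in events
            if ev["EventID"] == 4624 and not (start <= _ts(ev).time() < end)]


def log_clearing(events):
    """Items 26/33: every 1102 (audit log cleared) is worth an alert on its own."""
    return [(ev.get("SubjectUserName", "?"), ev["TimeCreated"])
            for ev in events if ev["EventID"] == 1102]


def run_rules(events):
    return {
        "excessive_failed_logons": excessive_failed_logons(events),
        "failed_then_success": failed_then_success(events),
        "after_hours_logons": logons_outside_business_hours(events),
        "log_cleared": log_clearing(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The thresholds and the 08:00-18:00 window are placeholders to tune per environment; in a real pipeline the same functions would take a stream of parsed records rather than the in-memory list, and the `SubjectUserName` on the 1102 event is the field to pivot on when triaging the log clearing.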
Forwarded from DailyCVE
🔴 OpenShift Must Gather Operator, Improper Input Validation (Snyk-GOLANG-GITHUBCOMOPENSHIFTMUSTGATHEROPERATORCONTROLLERSMUSTGATHER-7278175) - High
https://dailycve.com/openshift-must-gather-operator-improper-input-validation-snyk-golang-githubcomopenshiftmustgatheroperatorcontrollersmustgather-7278175-high/
@Daily_CVE
DailyCVE
OpenShift Must Gather Operator, Improper Input Validation (Snyk-GOLANG-GITHUBCOMOPENSHIFTMUSTGATHEROPERATORCONTROLLERSMUSTGATHER…
2024-12-20 Vulnerability : This article describes a high severity vulnerability in the OpenShift Must Gather Operator. An improper input validation […]
Forwarded from DailyCVE
🔴 Spring Framework, Path Traversal, #CVE-XXXX-XXXX (High)
https://dailycve.com/spring-framework-path-traversal-cve-xxxx-xxxx-high/
@DailyCVE
DailyCVE
Spring Framework, Path Traversal, CVE-XXXX-XXXX (High) - DailyCVE
2024-12-20 : A critical vulnerability, classified as a Path Traversal, has been identified in the Spring Framework. This vulnerability allows […]
Forwarded from DailyCVE
🟠 Logback-core Expression Language Injection Vulnerability (#CVE-TBD) - Moderate
https://dailycve.com/logback-core-expression-language-injection-vulnerability-cve-tbd-moderate/
@Daily_CVE
DailyCVE
Logback-core Expression Language Injection Vulnerability (CVE-TBD) - Moderate - DailyCVE
2024-12-20 This article describes a moderate severity vulnerability (CVE-ID pending) in QOS.CH logback-core versions up to 1.5.12. This vulnerability allows […]
Forwarded from DailyCVE
🔵 QOSch logback-core, Server-Side Request Forgery (SSRF), #CVE-2024-12801 (Low)
https://dailycve.com/qosch-logback-core-server-side-request-forgery-ssrf-cve-2024-12801-low/
@Daily_CVE
DailyCVE
QOSch logback-core, Server-Side Request Forgery (SSRF), CVE-2024-12801 (Low) - DailyCVE
2024-12-20 What Undercode Says: This blog post highlights a Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-12801) identified in QOS.ch logback-core version […]
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
🧠 Intelligence Potentiation: Evolving #AI Agents
https://undercodenews.com/intelligence-potentiation-evolving-ai-agents/
@Undercode_News
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
🛡️ A Significant Uptick in Cybersecurity Disclosures
https://undercodenews.com/a-significant-uptick-in-cybersecurity-disclosures/
@Undercode_News
Forwarded from Exploiting Crew (Pr1vAt3)
🦑🤺 Threat modeling GenAI Workloads: Don't Skip This ⚡️
Threat modeling is one of the oldest aspects of cybersecurity; as early as 1977, some form of threat model was used to understand the risks to systems.
🤔 However, threat modeling is not commonly practiced because it is manual and time-intensive. But is it worth the time, effort & resources? Hell YES. The value of threat modeling keeps increasing as our systems become more complex.
Yes, your GenAI workloads aren't exempt! 🙌
🎊 GOOD NEWS -> There are abundant resources that help streamline threat modeling by automating several steps.
The Threat Composer tool from Amazon Web Services (AWS) is one such tool.
🌩 A recent AWS blog post provides a recommended approach for threat modeling GenAI workloads using Threat Composer. Adam Shostack's four-question framework is used as a guide.
👉 Check out the blog post here - https://lnkd.in/g6i4zSpN
Here is a quick summary:
1️⃣ What are we working on?
Aims to get a detailed understanding of your business context & application architecture. Example outcomes are Data Flow Diagrams, assumptions, and key design decisions.
2️⃣ What can go wrong?
Identify possible threats to your application using the context & information gathered from the previous question. Leverage info sources, e.g. OWASP Top 10 for Large Language Model Applications & Generative AI, MITRE ATLAS.
3️⃣ What are we going to do about it?
Consider which controls would be appropriate to mitigate the risks associated with the threats identified in the previous question. Some info sources (per the previous question) have sections on mitigations, which can be super useful.
4️⃣ Did we do a good enough job?
Contrary to popular opinion, threat modeling exercises do not end after the actual activity! It's important to verify the effectiveness of the implemented mitigations to determine whether the identified risks have been addressed. Use penetration testing, adversary emulation, etc. to proactively evaluate the effectiveness of implemented mitigations.
Ref: Kennedy T
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
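The four questions become useful when the answers are kept as linked records, because question 4 is then a mechanical check: does every threat have a mitigation, and does every mitigation have evidence that it works? The script below is an added example, not part of the forwarded post and not Threat Composer's own file format. The record layout is my own, and the hypothetical RAG chatbot, its assumptions, threats (drawn from the OWASP LLM Top 10 categories the post mentions), mitigations and the verification label are all constructed.

```python
"""A minimal threat-model register organised by the four questions.

Added example; not the original post's content and not AWS Threat
Composer's own file format. The record layout, the hypothetical
RAG chatbot and its threats and mitigations are all constructed."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    id: str
    statement: str            # Q2: what can go wrong
    source: str               # catalogue it was drawn from (OWASP LLM Top 10, MITRE ATLAS, ...)
    mitigations: list = field(default_factory=list)   # Q3: ids of Mitigation records


@dataclass
class Mitigation:
    id: str
    description: str
    verified_by: list = field(default_factory=list)    # Q4: test / emulation evidence


def build_model():
    """Q1: system context (constructed): a chatbot that retrieves internal documents
    and can call an internal ticketing API on the user's behalf."""
    assumptions = [
        "Retrieved documents come from an internal wiki that any employee can edit",
        "The model's tool calls run with the service's own credentials",
    ]
    threats = {
        "T1": Threat("T1", "An employee who can edit the wiki can plant instructions "
                           "that the model follows when the page is retrieved",
                     "OWASP LLM Top 10 (prompt injection)", ["M1"]),
        "T2": Threat("T2", "A user can coax the model into quoting documents "
                           "they are not cleared to read",
                     "OWASP LLM Top 10 (sensitive information disclosure)", ["M2"]),
        "T3": Threat("T3", "Injected instructions make the model open or close "
                           "tickets the user never asked for",
                     "OWASP LLM Top 10 (excessive agency)"),  # no mitigation yet
    }
    mitigations = {
        "M1": Mitigation("M1", "Treat retrieved text as data: separate it from the "
                               "system prompt and strip instruction-like content",
                         verified_by=["PT-2024-12 prompt-injection test cases"]),  # constructed label
        "M2": Mitigation("M2", "Filter retrieval results by the caller's document ACLs "
                               "before they reach the model"),   # not yet verified
    }
    return assumptions, threats, mitigations


def gaps(threats, mitigations):
    """Q3/Q4 consistency check: every threat needs at least one mitigation, every
    mitigation id must exist, and every mitigation needs verification evidence."""
    return {
        "unmitigated": [t.id for t in threats.values() if not t.mitigations],
        "dangling": [(t.id, m) for t in threats.values()
                     for m in t.mitigations if m not in mitigations],
        "unverified": [m.id for m in mitigations.values() if not m.verified_by],
    }


if __name__ == "__main__":
    _, threats, mitigations = build_model()
    for kind, items in gaps(threats, mitigations).items():
        print(f"{kind}: {items}")
```

Running it reports T3 as unmitigated and M2 as unverified, which is exactly the output a review should end with: the open items from question 3 and question 4, rather than a document that is filed and forgotten.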
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
🚨 Industrial Workstations Under Cyber Siege: A Growing Threat
https://undercodenews.com/industrial-workstations-under-cyber-siege-a-growing-threat/
@Undercode_News
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
⚡️ #WhatsApp Beta Gets a New Feature: Adjustable Video Playback Speed
https://undercodenews.com/whatsapp-beta-gets-a-new-feature-adjustable-video-playback-speed/
@Undercode_News
Forwarded from UNDERCODE TESTING
html injection.pdf
381.2 KB
🦑Understanding HTML Injection 💉
HTML injection is a type of attack where malicious HTML code is inserted into a website. This can lead to a variety of issues, from minor website defacement to serious data breaches. Unlike other web vulnerabilities, HTML injection targets the markup language that forms the backbone of most websites.
This attack differs from other web vulnerabilities that exploit server or database weaknesses because it focuses on manipulating the structure and content of a webpage.
Ref: Mehedi Hasan Babu
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
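The root cause is always the same: user input is written into the page as markup instead of as text. The snippet below is an added example (not from the attached PDF) showing the vulnerable rendering beside the hardened one, plus a small review helper that flags any tag in the output the template itself never emits. It uses only the Python standard library; the page template, the `SAMPLE_COMMENT` string and the `example.invalid` hostname are constructed.

```python
"""HTML injection: raw interpolation versus escaping, plus a simple check.

Added example, not from the original PDF; standard library only, and the
page template and the sample comment are constructed."""
import html
import re

# Constructed page template; the comment body is dropped into {body}.
PAGE = "<html><body><h2>Comments</h2>{body}</body></html>"
TEMPLATE_TAGS = {"html", "body", "h2", "p"}


def render_unsafe(comment: str) -> str:
    """Vulnerable: the comment is concatenated straight into the markup, so any
    tags it carries become part of the page's structure rather than its text."""
    return PAGE.format(body=f"<p class='comment'>{comment}</p>")


def render_safe(comment: str) -> str:
    """Hardened: escape &, <, >, double and single quotes so the browser shows
    the input as text. This is the fix for element content; attribute and URL
    contexts need their own encoding on top of this."""
    return PAGE.format(body=f"<p class='comment'>{html.escape(comment, quote=True)}</p>")


def foreign_tags(rendered: str) -> list:
    """Review/detection helper: tag names in the output that the template itself
    never emits. Non-empty means user input reached the page as markup."""
    found = {t.lower() for t in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)}
    return sorted(found - TEMPLATE_TAGS)


# Constructed comment containing markup, as a user might paste into a form.
SAMPLE_COMMENT = "Nice post <h1>Defaced</h1><a href='http://example.invalid/'>click</a>"

if __name__ == "__main__":
    print("unsafe:", foreign_tags(render_unsafe(SAMPLE_COMMENT)))
    print("safe:  ", foreign_tags(render_safe(SAMPLE_COMMENT)))
```

In a real application the escaping is done by the template engine's auto-escape, and the check in `foreign_tags` is the kind of assertion worth keeping in a unit test so that a later change cannot quietly switch a field back to raw output.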
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
📱 Level Up Your Workflow: #ChatGPT Mac App Gets a Boost with Voice Commands and App Integration
https://undercodenews.com/level-up-your-workflow-chatgpt-mac-app-gets-a-boost-with-voice-commands-and-app-integration/
@Undercode_News
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
#AI-First India: A Skills Revolution
https://undercodenews.com/ai-first-india-a-skills-revolution/
@Undercode_News
Forwarded from Exploiting Crew (Pr1vAt3)
🦑IAM vs. PAM: Understanding the Key Differences 🔒
In today’s rapidly evolving cybersecurity landscape, managing access and securing sensitive data is more critical than ever. Two foundational tools in this effort are Identity and Access Management (IAM) and Privileged Access Management (PAM). While both are essential, they serve distinct purposes:
🔑 Identity and Access Management (IAM)
🔻 Focus: Managing identities and access rights for all users.
🔻 Scope: Broader, covering employees, contractors, partners, and even devices.
🔻 Key Functions: Authentication, Single Sign-On (SSO), user provisioning/de-provisioning, governance, and compliance reporting.
🔻 Goal: Streamlining access across the IT ecosystem while improving operational efficiency and ensuring compliance.
🔒 Privileged Access Management (PAM)
🔻 Focus: Securing and controlling access to privileged accounts with elevated permissions.
🔻 Scope: Narrower, targeting administrators, IT staff, service accounts, and third-party vendors.
🔻 Key Functions: Credential vaulting, session monitoring, least privilege enforcement, and just-in-time access.
🔻 Goal: Protecting critical systems and sensitive data from breaches or abuse of high-risk accounts.
Implementing both IAM and PAM creates a layered security approach. IAM ensures proper access for all users, while PAM locks down high-risk areas, minimizing vulnerabilities and adhering to the Zero Trust framework.
📊 This visual summary (attached) simplifies the key differences and highlights how these tools work together to strengthen cybersecurity.
Ref: Fadi Kazdar
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
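The split becomes concrete in code: IAM answers "does this identity exist and what standing role does it hold", while PAM never hands out the privileged credential at all and instead brokers a short-lived, logged session whose eligibility is checked against IAM. The script below is an added example (not from the forwarded post); the `IAM` and `PAM` classes, the `dba`/`helpdesk` roles, the `sa_prod_db` account and its secret value are all constructed.

```python
"""Toy identity store (IAM) and privileged-access broker (PAM) side by side.

Added example, not from the original post; class names, roles, accounts
and the secret value are constructed. IAM holds identities and their
standing roles; PAM keeps privileged credentials in a vault that users
never read directly and brokers time-boxed, logged sessions against them."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Identity:
    username: str
    roles: set
    active: bool = True


class IAM:
    """Who exists and what standing access they have (provision / de-provision)."""
    def __init__(self):
        self.identities = {}

    def provision(self, username, roles):
        self.identities[username] = Identity(username, set(roles))

    def deprovision(self, username):
        self.identities[username].active = False   # leaver: standing access ends

    def authorize(self, username, role):
        ident = self.identities.get(username)
        return bool(ident and ident.active and role in ident.roles)


@dataclass
class Grant:
    requester: str
    account: str
    expires: datetime
    reason: str


class PAM:
    """Brokers access to vaulted privileged accounts: eligibility comes from IAM,
    the grant is just-in-time with a TTL, and every action is written to an audit trail."""
    def __init__(self, iam, ttl=timedelta(minutes=30)):
        self.iam, self.ttl = iam, ttl
        self.vault = {}      # account -> (secret, IAM role eligible to request it)
        self.audit = []

    def onboard(self, account, secret, eligible_role):
        self.vault[account] = (secret, eligible_role)

    def request(self, requester, account, reason, now):
        _secret, eligible_role = self.vault[account]
        if not self.iam.authorize(requester, eligible_role):
            self.audit.append(("DENIED", requester, account, now.isoformat()))
            return None
        grant = Grant(requester, account, now + self.ttl, reason)
        self.audit.append(("GRANTED", requester, account, reason, now.isoformat()))
        return grant

    def run(self, grant, command, now):
        """Execute under the grant; the secret is used here and never leaves the broker."""
        if now >= grant.expires:
            self.audit.append(("EXPIRED", grant.requester, grant.account, now.isoformat()))
            return False
        secret, _ = self.vault[grant.account]
        _ = secret  # a real broker would authenticate the session to the target here
        self.audit.append(("SESSION", grant.requester, grant.account, command))
        return True


def demo():
    iam = IAM()
    iam.provision("alice", ["dba"])
    iam.provision("bob", ["helpdesk"])
    pam = PAM(iam)
    pam.onboard("sa_prod_db", "constructed-secret-value", eligible_role="dba")
    t0 = datetime(2024, 12, 20, 9, 0)
    grant = pam.request("alice", "sa_prod_db", "ticket-123 index rebuild", t0)
    pam.run(grant, "REINDEX DATABASE app", t0 + timedelta(minutes=5))
    pam.run(grant, "REINDEX DATABASE app", t0 + timedelta(minutes=31))  # TTL lapsed
    pam.request("bob", "sa_prod_db", "curious", t0)                       # wrong role
    iam.deprovision("alice")
    pam.request("alice", "sa_prod_db", "ticket-124", t0)                 # leaver
    return pam.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit trail from `demo()` reads GRANTED, SESSION, EXPIRED, DENIED, DENIED: the de-provisioning done on the IAM side immediately closes the PAM side too, which is the layered effect the post describes.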
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
⚡️ Rida Nigeria Shakes Up Ride-Hailing with Unique Negotiation Feature and App Upgrade
https://undercodenews.com/rida-nigeria-shakes-up-ride-hailing-with-unique-negotiation-feature-and-app-upgrade/
@Undercode_News
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
📱 NetApp's India Innovation Hub: Revolutionizing Data Storage and #AI
https://undercodenews.com/netapps-india-innovation-hub-revolutionizing-data-storage-and-ai/
@Undercode_News