
PowerShell for DFIR, Part 1: Log Analysis and System Hardening

20 January 2026 at 09:26

Welcome back, aspiring DFIR defenders!

Welcome to the start of a new series dedicated to PowerShell for Defenders.

Many of you already know PowerShell as a tool of hackers. In our earlier PowerShell for Hackers series, we demonstrated just how much damage a skilled hacker can cause with it by taking over the entire organization with just one terminal window. In this new series, we flip the perspective. We are going to learn how to use it properly as defenders. There is far more to PowerShell than automation scripts and administrative shortcuts. For blue team operations, incident response, and digital forensics, PowerShell can become one of your most effective investigative instruments. It allows you to quickly process logs, extract indicators of compromise, and make sense of attacker behavior without waiting for heavy platforms.

Today, we will go through two PowerShell-based tools that are especially useful in defensive operations. The first one is DeepBlueCLI, developed by SANS, which helps defenders quickly analyze Windows event logs and highlight suspicious behavior. The second tool is WELA, a PowerShell script created by Yamato Security. WELA focuses on auditing and hardening Windows systems based on predefined security baselines. While both tools are PowerShell scripts, they serve different but complementary purposes. One helps you understand what already happened. The other helps you reduce the chance of it happening again.

DeepBlueCLI

DeepBlueCLI is a PowerShell-based tool created to help defenders quickly identify suspicious behavior in Windows event logs. Its strength lies in simplicity. You do not need complex configurations, long rule files, or a deep understanding of Windows internals to get started. DeepBlueCLI takes common attack patterns and maps them directly to event log indicators, presenting the results in a way that is easy to read and easy to act upon.

There are two main ways to use DeepBlueCLI. The first approach is by analyzing exported event logs, which is very common during incident response or post-incident forensic analysis. The second approach is live analysis, where the tool queries logs directly from the system it is running on. Both approaches are useful depending on the situation. During a live incident, quick answers matter. During forensic work, accuracy and context matter more.

A very helpful feature of DeepBlueCLI is that it comes with example event logs provided by the developer. These are intentionally crafted logs that simulate real attack scenarios, making them perfect for learning and practice. You can experiment and learn how attacker activity appears in logs. The syntax is straightforward.

Example Event Logs

In the example below, we take a sample event log provided by the developer and run DeepBlueCLI against it:

PS > .\DeepBlue.ps1 -file .\evtx\sliver-security.evtx

[Screenshot: running DeepBlueCLI against a Windows event log with Sliver C2 activity]

Sliver is a modern command-and-control framework often used by red teamers and real attackers as well. In the output of this command, we can see several interesting indicators. There is cmd.exe accessing the ADMIN$ share, which is a classic sign of lateral movement or administrative access attempts. We also see cmd.exe being launched via WMI through C:\Windows\System32\wbem\WmiPrvSE.exe. This is especially important because WMI execution is commonly used to execute commands remotely while avoiding traditional process creation patterns. Above that, we also notice cmd.exe /Q /c JOINT_BALL.exe. This executable is a Sliver payload. Sliver often generates payloads with seemingly random names.

Another example focuses on PowerShell obfuscation, which is a very common technique used to evade detection:

PS > .\DeepBlue.ps1 -file .\evtx\Powershell-Invoke-Obfuscation-many.evtx

[Screenshot: running DeepBlueCLI against a Windows event log with heavy obfuscation]

In the results, we see very long command lines with heavily modified command names. This often looks like iNVOke variants or strange combinations of characters that still execute correctly. These commands usually pass through an obfuscation framework or an argument obfuscator, making them harder to read and harder for simple detections to catch. Occasionally, DeepBlueCLI struggles to fully decode these commands, especially when the obfuscation is layered or intentionally complex. This is not a weakness of the tool but rather a reflection of the logic behind obfuscation itself. The goal of obfuscation is to slow down defenders, and even partial visibility is already a win for us during investigation.

It is also worth mentioning that during real forensic or incident response work, you can export logs from any Windows machine and analyze them in exactly the same way. You do not need to run the tool on the compromised system itself.

[Screenshot: exporting Windows event logs]

Live Analysis

In some cases, speed matters more than completeness. DeepBlueCLI allows us to perform a quick live analysis by running PowerShell as an administrator and querying logs directly:

PS > .\DeepBlue.ps1 -log security

[Screenshot: running DeepBlueCLI against a live Security log]

In this scenario, the tool immediately highlights suspicious behavior. For example, we can clearly see that several user accounts were subjected to brute-force attempts. One very practical feature here is that DeepBlueCLI counts the total number of failed logon attempts for us. Instead of manually filtering event IDs and correlating timestamps, we get an immediate overview that helps us decide whether further action is required.
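The failed-logon count described above, written out as an added example (this is not DeepBlueCLI's own code). Security event ID 4625 is a failed logon; the function groups those events per target account and flags accounts that exceed a threshold. The sample records at the bottom are constructed, and the account names, source addresses and the threshold of 10 failures are assumptions for the example.

```powershell
# Added example, not part of DeepBlueCLI: count failed logons (event ID 4625)
# per account, the check DeepBlueCLI performs for "-log security".

function Get-FailedLogonSummary {
    param(
        # Records with TimeCreated, TargetUserName, IpAddress and LogonType
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10            # failures per account before it is flagged (assumed)
    )
    $Events |
        Group-Object -Property TargetUserName |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            [pscustomobject]@{
                Account    = $_.Name
                Failures   = $_.Count
                Sources    = (($_.Group.IpAddress | Sort-Object -Unique) -join ', ')
                First      = $times[0]
                Last       = $times[-1]
                Suspicious = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object -Property Failures -Descending
}

function Get-LiveFailedLogons {
    # Reads 4625 events from the live Security log; needs an elevated prompt.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                TargetUserName = $data['TargetUserName']
                IpAddress      = $data['IpAddress']
                LogonType      = $data['LogonType']
            }
        }
}

# Constructed sample: a brute-force-sized burst against one account, two stray failures elsewhere.
$start  = Get-Date '2026-01-20T09:00:00'
$sample = @()
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ TimeCreated = $start.AddSeconds($i * 2); TargetUserName = 'backupadmin'; IpAddress = '10.10.5.23'; LogonType = 3 }
}
$sample += [pscustomobject]@{ TimeCreated = $start.AddMinutes(5); TargetUserName = 'jsmith'; IpAddress = '10.10.7.4'; LogonType = 2 }
$sample += [pscustomobject]@{ TimeCreated = $start.AddMinutes(9); TargetUserName = 'jsmith'; IpAddress = '10.10.7.4'; LogonType = 2 }

Get-FailedLogonSummary -Events $sample | Format-Table -AutoSize

# Against the live log instead (elevated prompt):
# Get-FailedLogonSummary -Events (Get-LiveFailedLogons) | Where-Object Suspicious | Format-Table -AutoSize
```

The constructed run flags backupadmin (12 failures from one address in under half a minute) and leaves jsmith unflagged. The live variant parses the event XML because the IP address and target account live in EventData rather than in the message text, which keeps the grouping stable across locales.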

WELA

WELA is a PowerShell script developed by Yamato Security that focuses on auditing and hardening Windows systems. Unlike DeepBlueCLI, which looks primarily at what happened in the past, WELA helps you understand the current security posture of a system and guides you toward improving it. It audits system settings against a predefined baseline and highlights areas where the configuration does not meet expected security standards. Because WELA uses advanced PowerShell techniques and low-level system queries, it is often flagged by antivirus as potentially malicious. This does not mean the script is harmful. The script is legitimate and intended for defensive use.

To begin, we can view the help menu to see what functionality the developer has included:

PS > .\WELA.ps1 help

[Screenshot: WELA help menu]

From the available options, we can see that WELA supports auditing system settings using baselines provided by Yamato Security. This audit runs in the terminal and saves results to CSV files, which is often the preferred format for documentation and further analysis. For those who prefer a graphical interface, a GUI version is also available. Another option allows you to analyze the size of log files, either before or after configuration changes, which can be useful when tuning logging policies.

Updating Rules

Before performing any audit, it is a good idea to update the rules. For this to work smoothly, you first need to create a directory named config in the folder where the script resides:

PS > mkdir config

PS > .\WELA.ps1 update-rules

[Screenshot: updating WELA rules]

This ensures that the script has a proper location to store updated configuration data and avoids unnecessary errors.

Auditing

Once the rules are up to date, we are ready to audit the system and see where it meets the baseline and where it falls short. Many defenders prefer starting with the terminal output, as it is faster to navigate:

PS > .\WELA.ps1 audit-settings -Baseline YamatoSecurity

[Screenshot: auditing the system with WELA]

At this stage, the script reviews the current system settings and compares them against the selected baseline. The results clearly show which settings match expectations and which ones require attention.

The audit can be performed using the graphical interface:

PS > .\WELA.ps1 audit-settings -Baseline ASD -OutType gui

[Screenshot: auditing the system with WELA in the GUI]

This option is particularly useful for presentations and reports. 

Check

After auditing, we can perform a focused check related to log file sizes:

PS > .\WELA.ps1 audit-filesize -Baseline YamatoSecurity

[Screenshot: running the WELA file-size check]

The output shows that the system is not hardened enough. This is not uncommon and should be seen as an opportunity rather than a failure. The entire purpose of this step is to identify weaknesses before a hacker does.

Hardening

Finally, we move on to hardening the system:

PS > .\WELA.ps1 configure -Baseline YamatoSecurity

[Screenshot: hardening Windows with WELA configurations]

This process walks you through each setting step by step, allowing you to make informed decisions about what to apply. There is also an option to apply all settings in batch mode without prompts, which can be useful during large-scale deployments.
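As an added example of what the audit-filesize and configure steps above check (this is not WELA's code), the script below compares each event log's configured maximum size against a baseline and prints the wevtutil command that would fix a shortfall. The baseline sizes are illustrative placeholders, not Yamato Security's values, and the sample log objects are constructed to resemble Get-WinEvent -ListLog output.

```powershell
# Added example, not part of WELA: a log-size audit against a baseline.

$Baseline = @{                                   # log name -> required MaximumSizeInBytes (placeholders)
    'Security'                                 = 1GB
    'System'                                   = 256MB
    'Application'                              = 256MB
    'Microsoft-Windows-Sysmon/Operational'     = 1GB
    'Microsoft-Windows-PowerShell/Operational' = 512MB
}

function Test-LogSizeBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        # Objects with LogName, MaximumSizeInBytes and IsEnabled
        [Parameter(Mandatory)] [object[]] $Logs
    )
    $byName = @{}
    foreach ($l in $Logs) { $byName[$l.LogName] = $l }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $log      = $byName[$name]
        $required = [long]$Baseline[$name]
        $actual   = if ($null -ne $log) { [long]$log.MaximumSizeInBytes } else { 0 }
        if ($null -eq $log) {
            $status = 'Missing'
            $fix    = 'log/provider not present on this host (e.g. Sysmon not installed)'
        } elseif (-not $log.IsEnabled) {
            $status = 'Disabled'
            $fix    = "wevtutil sl `"$name`" /e:true /ms:$required"
        } elseif ($actual -lt $required) {
            $status = 'TooSmall'
            $fix    = "wevtutil sl `"$name`" /ms:$required"
        } else {
            $status = 'OK'
            $fix    = ''
        }
        [pscustomobject]@{
            LogName     = $name
            ActualMB    = [math]::Round($actual / 1MB)
            RequiredMB  = [math]::Round($required / 1MB)
            Status      = $status
            Remediation = $fix
        }
    }
}

# Constructed sample of an untuned host: 20 MB defaults, no Sysmon, a 15 MB PowerShell log.
$sampleLogs = @(
    [pscustomobject]@{ LogName = 'Security';    MaximumSizeInBytes = 20MB; IsEnabled = $true }
    [pscustomobject]@{ LogName = 'System';      MaximumSizeInBytes = 20MB; IsEnabled = $true }
    [pscustomobject]@{ LogName = 'Application'; MaximumSizeInBytes = 20MB; IsEnabled = $true }
    [pscustomobject]@{ LogName = 'Microsoft-Windows-PowerShell/Operational'; MaximumSizeInBytes = 15MB; IsEnabled = $true }
)

$report = Test-LogSizeBaseline -Baseline $Baseline -Logs $sampleLogs
$report | Format-Table LogName, ActualMB, RequiredMB, Status -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object { $_.Remediation }

# Live audit from an elevated prompt (the wevtutil lines are printed for review, not executed):
# Test-LogSizeBaseline -Baseline $Baseline -Logs (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue)
```

The remediation lines are deliberately printed rather than run, mirroring WELA's step-by-step prompting: review them, then apply them in one batch once you are satisfied the sizes fit the disk and retention policy of the host.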

Summary

PowerShell remains one of the most decisive tools on a modern Windows system, and that reality applies just as much to defenders as it does to attackers. In this article, you saw two PowerShell-based tools that address different stages of defensive work but ultimately support the same goal of reducing uncertainty during incidents and improving the security baseline before an attacker can exploit it.

We are also preparing dedicated PowerShell training that will be valuable for both defenders and red teamers. This training will focus on practical, real-world PowerShell usage in both offensive and defensive security operations and will be available to Subscriber and Subscriber Pro students from March 10-12.

What Will Be Key Cybersecurity Issues in 2026?

By: OTW
30 December 2025 at 12:05

Welcome back, my aspiring cyberwarriors!

As we enter 2026, cybersecurity will be among the most important issues your organization, and our society, will face. Let’s take a moment to review the most important issues we will be facing to help you better prepare.

Rather than leveling off or declining, cyber attacks continue at an unprecedented pace. Recent trends and technological developments can help to inform us as to the nature of attacks in 2026.

Let’s take a look.

AI as Both Weapon, Shield, and Force Multiplier

Artificial intelligence is changing the way all of us work, and that applies to your cyber adversaries as well. Hackers are quickly adapting to the new AI environment, leveraging its speed and scale to enhance their attacks. At the same time, organizations are deploying AI for threat detection, predictive modelling, and automated response. In both cases, Artificial Intelligence (AI) becomes a force multiplier enabling both sides to do more with less.

In 2026, we will certainly see more AI generated threats and those organizations who refuse to use AI to defend their networks and assets will likely not be here to enjoy 2027.

SCADA/ICS/OT Vulnerabilities

Industrial systems (SCADA/ICS/OT) will continue to be key targets in 2026. These systems have benefited from security through obscurity for decades, but now that the attackers understand how poorly secured these systems are, the attacks will accelerate.

Some of the key issues identified by this industry include:

  1. 47% of SCADA/ICS/OT companies cite gaps in the skillsets and resources necessary to protect their systems.
  2. 41% identify the lack of network segmentation between OT/IIoT and IT environments as a key challenge.

Critical infrastructure systems remain particularly vulnerable to sophisticated attacks. Over 200 proprietary protocols not found in the TCP/IP stack make this field particularly challenging, while being among the most important to national security.

Internet of Things (IoT)

IoT is growing exponentially while the security of these devices is stuck in a crawl. In 2026, these devices will be increasingly used as a vector to compromise devices within the home network (phones, computers, other IoT) and as an element of a larger botnet, used to perpetuate the largest DDoS attacks in history (this is an easy prediction to make as IoT every year is responsible for the largest DDoS attacks in history). IoT increases every person’s attack surface and the greater the attack surface, the greater the probability of compromise.

Unless the IoT industry implements some basic standards of security, in 2026 the world will become a much more dangerous place.

Identity Management

Identity management is crucial in cybersecurity because it controls who has access to your systems and data. Without strong identity management, you’re essentially leaving the keys under the doormat—even the best perimeter security becomes ineffective when you can’t verify and control who’s inside your system. Artificial intelligence (AI) will make identity management even more challenging in 2026 as attackers use:

  1. Deepfakes and synthetic identities, including fake voices, videos, and images, which will make identity management systems such as biometrics less reliable.
  2. Enhanced social engineering, in which the attacker personalizes phishing attacks by replicating the writing style, voice, or social media presence of a trusted colleague.
  3. AI-generated content so ubiquitous that it becomes harder and harder to distinguish between AI agents and real humans.

2026 may be the year you will need to implement AI to determine if someone is actually a human.

Cloud Security Complexity

Cloud is the top cybersecurity threat organizations feel least prepared to manage. Multi-cloud environments face sophisticated malware, insider threats, mis-configurations, and supply chain vulnerabilities. Organizations are struggling with “tool sprawl”—managing dozens of separate security tools that create blind spots and conflicting configurations.

Quantum Computing Threats

Quantum computing is coming! Probably not in 2026, but on the near horizon the threat looms of quantum computing breaking your encryption. Quantum computers can easily break the most widely used asymmetric cryptography and 2026 should be the year you begin to prepare with quantum-resistant devices and cryptography.

Geopolitical Impact

Wars are raging around the planet and these conflicts will lead to additional geopolitical risk. Some 60% of business and tech leaders rank cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty. State-sponsored cyberattacks, disrupted supply chains, fractured alliances, and telecom infrastructure vulnerabilities are reshaping threat landscapes and business strategies.

Ransomware Evolution

Ransomware-as-a-Service (RaaS) is making sophisticated attacks more accessible. AI-driven ransomware can instantly detect vulnerabilities with increased focus on vital industries like finance, healthcare, and energy. The average data breach cost has reached $4.4 million in 2025.

Multi-stage ransomware with data theft, harassment, and long‑tail extortion remains the most disruptive form of cybercrime, and we predict record incident volumes projected into 2026.

Cybercrime ecosystems are moving more of their infrastructure and monetization on‑chain (crypto, mixers, DeFi), making take-down and attribution harder and enabling more resilient RaaS affiliate models.

Talent and Skills Shortages

Workforce gaps remain a critical barrier. Knowledge and skills shortages are the top obstacles to implementing AI-enabled cyber defense. Over half of all organizations are turning to AI tools and managed security services to compensate for missing expertise.

Remote Work Security

With hybrid work as the default, securing remote access has become paramount. Cyber criminals are exploiting remote sessions through phishing, credential theft, and AI-powered impersonation attacks, expanding the attack surface of your organization significantly.

Proactive resilience and continuous adaptation are no longer optional but essential for survival in 2026’s threat landscape.

Physical Security

If your attacker is within your perimeter defenses, GAME OVER! An attacker who can enter your facility and sit down at a computer may be one of the least anticipated attacks. This applies to the disgruntled insider as well. You can have the very best perimeter defenses, but if the attacker is inside your walls, that will all be for naught.

In 2026, make certain to secure your physical perimeter and test all your systems against such attacks as RFID smart card attacks and social engineering.

Summary

We predict that 2026 will be another very challenging year for those of us in cybersecurity. It is essential that you understand the coming threats and the methods to thwart them. Hackers-Arise will address each of these issues in 2026 both in this blog and in our 2026 trainings.

Join us to advance your cybersecurity career!


Digital Forensics: Investigating Conti Ransomware with Splunk

20 November 2025 at 10:58

Welcome back, aspiring digital forensic investigators!

The world of cybercrime continues to grow every year, and attackers constantly discover new opportunities and techniques to break into systems. One of the most dangerous and well-organized ransomware groups in recent years was Conti. Conti operated almost like a real company, with dedicated teams for developing malware, gaining network access, negotiating with victims, and even providing “customer support” for payments. The group targeted governments, hospitals, corporations, and many other high-value organizations. Their attacks included encrypting systems, stealing data, and demanding extremely high ransom payments.

For investigators, Conti became an important case study because their operations left behind a wide range of forensic evidence from custom malware samples to fast lateral movement and large-scale data theft. Even though the group officially shut down after their internal chats were leaked, many of their operators, tools, and techniques continued to appear in later attacks. This means Conti’s methods still influence modern ransomware operations which makes it a valid topic for forensic investigators.

Today, we are going to look at a ransomware incident involving Conti malware and analyze it with Splunk to understand how an Exchange server was compromised and what actions the attackers performed once inside.

Splunk

Splunk is a platform that collects and analyzes large amounts of machine data, such as logs from servers, applications, and security tools. It turns this raw information into searchable events, graphs, and alerts that help teams understand what is happening across their systems in real time. Companies mainly use Splunk for monitoring, security operations, and troubleshooting issues. Digital forensics teams also use Splunk because it can quickly pull together evidence from many sources and show patterns that would take much longer to find manually.

Time Filter

Splunk’s default time range is the last 24 hours. However, when investigating incidents, especially ransomware, you often need a much wider view. Changing the filter to “All time” helps reveal older activity that may be connected to the attack. Many ransomware operations begin weeks or even months before the final encryption stage. Keep in mind that searching all logs can be heavy on large environments, but in our case this wider view is necessary.

[Screenshot: time filter in Splunk]

Index

An index in Splunk is like a storage folder where logs of a particular type are placed. For example, Windows Event Logs may go into one index, firewall logs into another, and antivirus logs into a third. When you specify an index in your search, you tell Splunk exactly where to look. But since we are investigating a ransomware incident, we want to search through every available index:

index=*

[Screenshot: analyzing available fields in Splunk]

This ensures that nothing is missed and all logs across the environment are visible to us.

Fields

Fields are pieces of information extracted from each log entry, such as usernames, IP addresses, timestamps, file paths, and event IDs. They make your searches much more precise, allowing you to filter events with expressions like src_ip=10.0.0.5 or user=Administrator. In our case, we want to focus on executable files, which is what the “Image” field holds. If you don’t see it in the left pane, click “More fields” and add it.

[Screenshot: adding more fields to the Splunk search]

Once you’ve added it, click Image in the left pane to see the top 10 results. 

[Screenshot: top 10 executed images]

These results are definitely not enough to begin our analysis. We can expand the list using the top command:

index=* | top limit=100 Image

[Screenshot: top 100 results for executed images]
[Screenshot: suspicious binary found in Splunk]

Here the cmd.exe process running in the Administrator’s user folder looks very suspicious. This is unusual, so we should check it closely. We also see commands like net1, net, whoami, and rundll32.

[Screenshot: recon commands found]

In one of our articles, we learned that net1 works like net and can be used to avoid detection in PowerShell if the security rules only look for net.exe. The rundll32 command is often used to run DLL files and is commonly misused by attackers. It seems the attacker is using normal system tools to explore the system. It also might be that the hackers used rundll32 to stay in the system longer.

At this point, we can already say the attacker performed reconnaissance and could have used rundll32 for persistence or further execution.

Hashes

Next, let’s investigate the suspicious cmd.exe more closely. Its location alone is a red flag, but checking its hashes will confirm whether it is malicious.

index=* Image="C:\\Users\\Administrator\\Documents\\cmd.exe" | table Image, Hashes

[Screenshot: getting image hashes in Splunk]

Copy one of the hashes and search for it on VirusTotal.

[Screenshot: VirusTotal results for the Conti ransomware sample]

The results confirm that this file belongs to a Conti ransomware sample. VirusTotal provides helpful behavior analysis and detection labels that support our findings. When investigating, give it a closer look to understand exactly what happened to your system.

Net1

Now let’s see what the attacker did using the net1 command:

index=* Image=*net1.exe

[Screenshot: net1 adding a new user to the Remote Desktop Users group]

The logs show that a new user was added to the Remote Desktop Users local group. This allows the attacker to log in through RDP on that specific machine. Since this is a local group modification, it affects only that workstation.

In MITRE ATT&CK, this action falls under Persistence. The hackers made sure they could connect to the host even if other credentials were lost. Also, they may have wanted to log in via GUI to explore the system more comfortably.

TargetFilename

This field usually appears in file-related logs, especially Windows Security Logs, Sysmon events, or EDR data. It tells you the exact file path and file name that a process interacted with. This can include files being created, modified, deleted, or accessed. That means we can find files that malware interacted with. If you can’t find the TargetFilename field in the left pane, just add it.

Run:

index=* Image="C:\\Users\\Administrator\\Documents\\cmd.exe"

Then select TargetFilename

[Screenshot: ransom notes found]

We see that the ransomware created many “readme” files with a ransom note. It is common for ransomware to scatter notes everywhere. Encrypting data is the last step in attacks like this. We need to figure out how the attacker got into the system and gained high privileges.

Before we do that, let’s see how the ransomware was propagated across the domain:

index=* TargetFilename=*cmd.exe

[Screenshot: WMI subscription propagating the ransomware]

Although unsecapp.exe is a legitimate Microsoft binary, its appearance usually means something triggered WMI activity, because Windows launches unsecapp.exe only when a program needs to receive asynchronous WMI callbacks. In our case the ransomware was spread using WMI and infected other hosts where the port was open. This is a very common approach.

Sysmon Events

Sysmon Event ID 8 indicates a CreateRemoteThread event, meaning one process created a thread inside another. This is a strong sign of malicious activity because attackers use it for process injection, privilege escalation, or credential theft.

List these events:

index=* EventCode=8

[Screenshot: Event Code 8 found]

Expanding the log reveals another executable interacting with lsass.exe. This is extremely suspicious because lsass.exe stores credentials. Attacking LSASS is a common step for harvesting passwords or hashes.

[Screenshot: WMI subscription accessing lsass.exe to dump credentials]

Another instance of unsecapp.exe being used. It’s not normal to see it accessing lsass.exe. Our best guess here would be that something used WMI, and that WMI activity triggered code running inside unsecapp.exe that ended up touching LSASS. The goal behind it could be to dump LSASS every now and then until the domain admin credentials are found. If the domain admins are not in the Protected Users group, their credentials are stored in the memory of the machine they access. If that machine is compromised, the whole domain is compromised as well.

Exchange Server Compromise

Exchange servers are a popular target for attackers. Over the years, they have suffered from multiple critical vulnerabilities. They also hold high privileges in the domain, making them valuable entry points. In this case, the hackers used the ProxyShell vulnerability chain. The exploit abused the mailbox export function to write a malicious .aspx file (a web shell) to any folder that Exchange can access. Instead of a harmless mailbox export, Exchange unknowingly writes a web shell directly into the FrontEnd web directory. From there, the attacker can execute system commands, upload tools, and create accounts with high privileges.

To find the malicious .aspx file in our logs we should query this:

index=* source=*sysmon* *aspx

[Screenshot: finding the .aspx shell used in the ProxyShell Exchange compromise]

We can clearly see that the web shell was placed where Exchange has web-accessible permissions. This webshell was the access point.
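The investigation above is a sequence of Splunk searches; the added example below (not the article's code and not Splunk) reproduces the same triage logic in PowerShell over a constructed set of Sysmon-style events, so the checks can be read and rerun without a SIEM. Field names follow Sysmon's Image, TargetImage, TargetFilename, CommandLine and Hashes; every host name, path, account and hash value in the sample is made up for the example.

```powershell
# Added example: the article's SPL triage steps as PowerShell over constructed Sysmon-style events.

function New-Evt {
    param([int]$Code, [string]$Computer, [string]$Image, [string]$Target, [string]$File, [string]$Cmd, [string]$Hashes)
    [pscustomobject]@{ EventCode = $Code; Computer = $Computer; Image = $Image; TargetImage = $Target
                       TargetFilename = $File; CommandLine = $Cmd; Hashes = $Hashes }
}

$exch = 'C:\Program Files\Microsoft\Exchange Server\V15'   # constructed Exchange install root
$events = @(
    # EventCode 11 (FileCreate): an .aspx written into a FrontEnd directory by an Exchange process
    New-Evt 11 'EXCH01' "$exch\Bin\MSExchangeMailboxReplication.exe" '' "$exch\FrontEnd\HttpProxy\owa\auth\export.aspx" '' ''
    # EventCode 1 (ProcessCreate): reconnaissance and a local group change
    New-Evt 1  'EXCH01' 'C:\Windows\System32\whoami.exe'   '' '' 'whoami' ''
    New-Evt 1  'EXCH01' 'C:\Windows\System32\net1.exe'     '' '' 'net1 localgroup "Remote Desktop Users" svc_backup /add' ''
    New-Evt 1  'EXCH01' 'C:\Windows\System32\rundll32.exe' '' '' 'rundll32.exe' ''
    # A binary named cmd.exe running from a user profile; the hash is a placeholder
    New-Evt 1  'WS01'   'C:\Users\Administrator\Documents\cmd.exe' '' '' 'cmd.exe' 'SHA256=PLACEHOLDER_HASH'
    # EventCode 8 (CreateRemoteThread): WMI callback host creating a thread in LSASS
    New-Evt 8  'WS01'   'C:\Windows\System32\wbem\unsecapp.exe' 'C:\Windows\System32\lsass.exe' '' '' ''
    # Ransom notes dropped on two hosts
    New-Evt 11 'WS01'   'C:\Users\Administrator\Documents\cmd.exe' '' 'C:\Users\Public\readme.txt' '' ''
    New-Evt 11 'WS01'   'C:\Users\Administrator\Documents\cmd.exe' '' 'C:\Users\jsmith\Desktop\readme.txt' '' ''
    New-Evt 11 'WS02'   'C:\Users\Administrator\Documents\cmd.exe' '' 'C:\Shares\Finance\readme.txt' '' ''
    # Benign noise
    New-Evt 1  'WS02'   'C:\Windows\System32\cmd.exe' '' '' 'cmd.exe /c dir' ''
)

# index=* | top limit=100 Image
function Get-TopImages { param($Events, [int]$Limit = 10)
    $Events | Where-Object EventCode -eq 1 | Group-Object Image |
        Sort-Object Count -Descending | Select-Object -First $Limit Count, Name
}

# The Documents\cmd.exe red flag: a system binary name launched from a user profile
function Find-RelocatedSystemBinary { param($Events)
    $Events | Where-Object { $_.EventCode -eq 1 -and $_.Image -match '^C:\\Users\\' -and
        (Split-Path $_.Image -Leaf) -in @('cmd.exe', 'rundll32.exe', 'svchost.exe', 'explorer.exe') } |
        Select-Object Computer, Image, Hashes -Unique
}

# Image=*net1.exe : local group changes that grant RDP
function Find-RdpGroupAdd { param($Events)
    $Events | Where-Object { $_.Image -like '*\net1.exe' -and $_.CommandLine -match 'localgroup\s+"?Remote Desktop Users"?.*/add' } |
        Select-Object Computer, CommandLine
}

# TargetFilename : ransom notes per host
function Get-RansomNoteCount { param($Events)
    $Events | Where-Object { $_.EventCode -eq 11 -and $_.TargetFilename -match '\\readme[^\\]*\.txt$' } |
        Group-Object Computer | Select-Object @{ n = 'Computer'; e = { $_.Name } }, Count
}

# EventCode=8 with lsass.exe as the target
function Find-LsassRemoteThread { param($Events)
    $Events | Where-Object { $_.EventCode -eq 8 -and $_.TargetImage -like '*\lsass.exe' } |
        Select-Object Computer, Image, TargetImage
}

# source=*sysmon* *aspx : .aspx files landing in web-accessible Exchange directories
function Find-ExchangeWebShellDrop { param($Events)
    $Events | Where-Object { $_.EventCode -eq 11 -and $_.TargetFilename -match '\\FrontEnd\\.*\.aspx$' } |
        Select-Object Computer, Image, TargetFilename
}

Write-Host '== Top images =='; Get-TopImages $events | Format-Table -AutoSize
Write-Host '== System binary names outside System32 =='; Find-RelocatedSystemBinary $events | Format-Table -AutoSize
Write-Host '== RDP group additions =='; Find-RdpGroupAdd $events | Format-Table -AutoSize
Write-Host '== Ransom notes per host =='; Get-RansomNoteCount $events | Format-Table -AutoSize
Write-Host '== Remote threads into LSASS =='; Find-LsassRemoteThread $events | Format-Table -AutoSize
Write-Host '== .aspx written under FrontEnd =='; Find-ExchangeWebShellDrop $events | Format-Table -AutoSize
```

Each function corresponds to one search in the walkthrough, in the same order the investigation ran them; the relocated-binary check is the step that turns "cmd.exe is in the top 100" into "cmd.exe is running from a Documents folder", which is what justified pulling the hash.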

Timeline

The attack began when the intruder exploited the ProxyShell vulnerabilities on the Exchange server. By abusing the mailbox export feature, they forced Exchange to write a malicious .aspx web shell into a web-accessible directory. This web shell became their entry point and allowed them to run commands directly on the server with high privileges. After gaining access, the attacker carried out quiet reconnaissance using built-in tools such as cmd.exe, net1, whoami and rundll32. Using net1, the attacker added a new user to the Remote Desktop Users group to maintain persistence and guarantee a backup login method. The attacker then spread the ransomware across the network using WMI. The appearance of unsecapp.exe showed that WMI activity was being used to launch the malware on other hosts. Sysmon Event ID 8 logged remote thread creation where the system binary attempts to access lsass.exe. This suggests the attacker tried to dump credentials from memory. This activity points to a mix of WMI abuse and process injection aimed at obtaining higher privileges, especially domain-level credentials. 

Finally, once the attacker had moved laterally and prepared the environment, the ransomware (cmd.exe) encrypted systems and began creating ransom note files throughout these systems. This marked the last stage of the operation.

Summary

Ransomware is more than just a virus; it’s a carefully planned attack where attackers move through a network quietly before causing damage. In digital forensics we often face these attacks, and investigating them means piecing together how it entered the system, what tools it used, which accounts it compromised, and how it spread. Logs, processes, and file changes each tell part of the story. By following these traces, we understand the attacker’s methods, see where defenses failed, and learn how to prevent future attacks. It’s like reconstructing a crime scene. Sometimes, we might be lucky enough to shut down their entire infrastructure before they can cause more damage.

If you need forensic assistance, you can hire our team to investigate and mitigate incidents. Additionally, we provide classes on digital forensics for those looking to expand their skills and understanding in this field. 

Security Operations Center (SOC): Getting Started with SOC

31 October 2025 at 13:17

Welcome back, aspiring cyberwarriors!

In today’s highly targeted environment, a well-designed Security Operations Center (SOC) isn’t just an advantage – it’s essential for a business’s survival. In addition to that, the job market has far more jobs on the blue team than the red team. Getting into a SOC is often touted as one of the more accessible entry points into cybersecurity.

This article will delve into some of the key concepts of SOC.

Step #1: Purpose and Components

The core purpose of a Security Operations Center is to detect, analyze, and respond to cyber threats in real time, thereby protecting an organization’s assets, data, and reputation. To achieve this, a SOC continuously monitors logs, alerts, and telemetry from networks, endpoints, and applications, maintaining constant situational awareness.

Detection involves identifying four key security concerns.

Vulnerabilities are weaknesses in software or operating systems that attackers can exploit beyond their authorized permissions. For example, the SOC might find Windows computers needing patches for published vulnerabilities. While not strictly the SOC’s responsibility, unfixed vulnerabilities impact company-wide security.

Unauthorized activity occurs when attackers use compromised credentials to access company systems. Quick detection is important before damage occurs, using clues like geographic location to identify suspicious logins.

Policy violations happen when users break security rules designed to protect the company and ensure compliance. These violations vary by organization but might include downloading pirated media or transmitting confidential files insecurely.

Intrusions involve unauthorized access to systems and networks, such as attackers exploiting web applications or users getting infected through malicious websites.

Once incidents are detected, the SOC supports the incident response process by minimizing impact and conducting root cause analysis alongside the incident response team.

Step #2: Building a Baseline

Before you can detect threats, you must first understand what “normal” looks like in your environment. This is the foundation upon which all SOC operations are built.

Your baseline should include detailed documentation of:

Network Architecture: Map out all network segments, VLANs, DMZs, and trust boundaries. Understanding how data flows through your network is critical for detecting lateral movement and unauthorized access attempts. Document which systems communicate with each other, what protocols they use, and what ports are typically open.

Normal Traffic Patterns: Establish what typical network traffic looks like during different times of day, days of the week, and during special events like month-end processing or quarterly reporting. This includes bandwidth utilization, connection counts, DNS queries, and external communications.

User Behavior Baselines: Document normal user activities, including login times, typical applications accessed, data transfer volumes, and geographic locations. For example, if your accounting department typically logs in between 8 AM and 6 PM local time, a login at 3 AM should trigger an investigation. Similarly, if a user who normally accesses 5-10 files per day suddenly downloads 5,000 files, that’s a deviation worth investigating.

System Performance Metrics: Establish normal CPU usage, memory consumption, disk I/O, and process execution patterns for critical systems. Cryptocurrency miners, rootkits, and other malware often create performance anomalies that stand out when compared against baselines.
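The user behaviour baseline above, as an added example (not from the article): a per-user baseline is built from constructed historical logon records, then new activity is scored against it for the three deviations the text names, a logon outside the department's hours, a file volume far above the user's median, and a logon from a country the user has never used. The department working hours, the 10x volume rule, and all users, times and countries are assumptions made for the example.

```powershell
# Added example: build a per-user behaviour baseline and flag deviations from it.

$workingHours = @{ Accounting = @(8, 18); Engineering = @(7, 20) }   # assumed local hours, [start, end)

function New-Rec { param([string]$User, [string]$Dept, [string]$Time, [int]$Files, [string]$Country)
    [pscustomobject]@{ User = $User; Dept = $Dept; Time = [datetime]$Time; Files = $Files; Country = $Country }
}

function New-UserBaseline {
    param([Parameter(Mandatory)] [object[]] $History)   # records with User, Dept, Time, Files, Country
    $History | Group-Object User | ForEach-Object {
        $files = @($_.Group.Files | Sort-Object)
        [pscustomobject]@{
            User           = $_.Name
            Dept           = $_.Group[0].Dept
            MedianFiles    = $files[[int][math]::Floor($files.Count / 2)]   # upper median for even counts
            UsualCountries = @($_.Group.Country | Sort-Object -Unique)
        }
    }
}

function Test-UserActivity {
    param([Parameter(Mandatory)] [object[]] $Baseline,
          [Parameter(Mandatory)] [object[]] $Activity,
          [int] $VolumeFactor = 10)                      # assumed: 10x the median is "worth investigating"
    $byUser = @{}
    foreach ($b in $Baseline) { $byUser[$b.User] = $b }
    foreach ($a in $Activity) {
        $b = $byUser[$a.User]
        $reasons = @()
        if ($null -eq $b) {
            $reasons += 'no baseline for this user'
        } else {
            $hours = $workingHours[$b.Dept]
            if ($hours -and ($a.Time.Hour -lt $hours[0] -or $a.Time.Hour -ge $hours[1])) {
                $reasons += "logon at $($a.Time.ToString('HH:mm')) outside $($hours[0]):00-$($hours[1]):00"
            }
            if ($a.Files -gt $b.MedianFiles * $VolumeFactor) {
                $reasons += "$($a.Files) files vs median $($b.MedianFiles)"
            }
            if ($a.Country -notin $b.UsualCountries) {
                $reasons += "first logon from $($a.Country)"
            }
        }
        [pscustomobject]@{ User = $a.User; Time = $a.Time; Deviates = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
    }
}

# Constructed history: ordinary behaviour for two users
$history = @(
    New-Rec alice Accounting  '2026-01-05 08:45' 7  DE
    New-Rec alice Accounting  '2026-01-06 09:02' 5  DE
    New-Rec alice Accounting  '2026-01-07 08:50' 10 DE
    New-Rec alice Accounting  '2026-01-08 08:58' 8  DE
    New-Rec bob   Engineering '2026-01-05 07:30' 30 DE
    New-Rec bob   Engineering '2026-01-06 07:41' 40 DE
    New-Rec bob   Engineering '2026-01-07 19:10' 50 NL
)

# Constructed new activity: one normal logon, one 3 AM mass download, one new country, one unknown account
$activity = @(
    New-Rec alice   Accounting  '2026-01-19 09:10' 6    DE
    New-Rec alice   Accounting  '2026-01-20 03:05' 5200 DE
    New-Rec bob     Engineering '2026-01-20 10:00' 12   BR
    New-Rec mallory Accounting  '2026-01-20 11:00' 3    DE
)

$baseline = New-UserBaseline -History $history
Test-UserActivity -Baseline $baseline -Activity $activity | Format-Table -AutoSize
```

In the constructed run, alice's 03:05 logon deviates on two counts (time and volume: 5,200 files against a median of 8), bob deviates only on country, mallory has no baseline at all, and alice's 09:10 logon passes. Keeping the reasons as text rather than a bare score is what lets a Level 1 analyst triage the alert without re-querying the data.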

Step #3: The Role of People

Despite increasing automation, human oversight remains essential in SOC operations. Security solutions generate numerous alerts that create significant noise. Without human intervention, teams waste time and resources investigating irrelevant issues.

The SOC team operates through a tiered analyst structure with supporting roles.

Level 1 Analysts serve as first responders, performing basic alert triage to determine if detections are genuinely harmful and reporting findings through proper channels. When detections require deeper investigation, Level 2 Analysts correlate data from multiple sources to conduct thorough analysis. Level 3 Analysts are experienced professionals who proactively hunt for threat indicators and lead incident response activities, including containment, eradication, and recovery of critical severity incidents escalated from lower tiers.

Supporting these analysts are Security Engineers who deploy and configure the security solutions the team relies on. Detection Engineers develop the security rules and logic that enable these solutions to identify harmful activities, though Level 2 and 3 Analysts sometimes handle this responsibility. The SOC Manager oversees team processes, provides operational support, and maintains communication with the organization’s CISO regarding security posture and team efforts.

Step #4: The Detection-to-Response Pipeline

When a potential security incident is detected, every second counts. Your SOC needs clearly defined processes for triaging, investigating, and responding to alerts.

This pipeline typically follows these stages:

Alert Triage: Not all alerts are created equal. Your SOC analysts must quickly determine which alerts represent genuine threats versus false positives. Implement alert enrichment that automatically adds context—such as asset criticality, user risk scores, and threat intelligence—to help analysts prioritize their work. Use a tiered priority system (P1-Critical, P2-High, P3-Medium, P4-Low) based on potential business impact.

Elastic Security Priority List

Investigation and Analysis: Once an alert is prioritized, analysts must investigate to determine the scope and nature of the incident. This requires access to multiple data sources, forensic tools, and the ability to correlate events across time and systems. Document your investigation procedures for common scenarios (phishing, malware infection, unauthorized access) to ensure consistent and thorough analysis. Every investigation should answer the five Ws: what happened, where it occurred, when it took place, why it happened, and how it unfolded.

Containment and Eradication: When you confirm a security incident, your first priority is containment to prevent further damage. This might involve isolating infected systems, disabling compromised accounts, or blocking malicious network traffic.

Recovery and Remediation: After eradicating the threat, safely restore affected systems to normal operation. This may involve rebuilding compromised systems from clean backups, rotating credentials, patching vulnerabilities, and implementing additional security controls.

Post-Incident Review: Every significant incident should conclude with a lessons-learned session. What went well? What could be improved? Were our playbooks accurate? Did we have the right tools and access? Use these insights to update your procedures, improve your detection capabilities, and refine your security controls.

Step #5: Technology

At a minimum, a functional SOC needs several essential technologies working together:

SIEM Platform: The central nervous system of your SOC that aggregates, correlates, and analyzes security events from across your environment. Popular options include Splunk, for which we offer a dedicated course.

Splunk

Endpoint Detection and Response (EDR): Provides deep visibility into endpoint activities, detects suspicious behavior, and enables remote investigation and response.

Firewall: A firewall functions purely for network security and acts as a barrier between your internal and external networks (such as the Internet). It monitors incoming and outgoing network traffic and filters any unauthorized traffic.

Besides those core platforms, other security solutions such as antivirus, SOAR, and various niche tools each play distinct roles. Each organization selects technology that matches its specific requirements, so no two SOCs are exactly alike.

Summary

A Security Operations Center (SOC) protects organizations from cyber threats. It watches networks, computers, and applications to find problems like security weaknesses, unauthorized access, rule violations, and intrusions.

A good SOC needs three things: understanding what normal activity looks like, having a skilled team with clear roles, and following a structured process to handle threats. The team works in levels – starting with basic alert checking, then deeper investigation, and finally threat response and recovery.

If you want to get a deep understanding of SIEM and SOC workflow, consider our SOC Analyst Lvl 1 course.

The post Security Operations Center (SOC):Getting Started with SOC first appeared on Hackers Arise.

Network Forensics: Analyzing a Server Compromise (CVE-2022-25237)

24 October 2025 at 10:34

Welcome back, aspiring forensic and incident response investigators.

Today we are going to learn more about a branch of digital forensics that focuses on networks, which is Network Forensics. This field often contains a wealth of valuable evidence. Even though skilled attackers may evade endpoint controls, active network captures are harder to hide. Many of the attacker’s actions generate traffic that is recorded. Intrusion detection and prevention systems (IDS/IPS) can also surface malicious activity quickly, although not every organization deploys them. In this exercise you will see what can be extracted from IDS/IPS logs and a packet capture during a network forensic analysis.

The incident we will investigate today involved a credential-stuffing attempt followed by exploitation of CVE-2022-25237. The attacker abused an API to run commands and establish persistence. Below are the details and later a timeline of the attack.

Intro

Our subject is a fast-growing startup that uses a business management platform. Documentation for that platform is limited, and the startup administrators have not followed strong security practices. For this exercise we act as the security team. Our objective is to confirm the compromise using network packet captures (PCAP) and exported security logs.

We obtained an archive containing the artifacts needed for the investigation. It includes a .pcap network traffic file and a .json file with security events. Wireshark will be our primary analysis tool.

network artifacts for the analysis

Analysis

Defining Key IP Addresses

The company suspects its management platform was breached. To identify which platform and which hosts are involved, we start with the pcap file. In Wireshark, view the TCP endpoints from the Statistics menu and sort by packet count to see which IP addresses dominate the capture.

endpoints in wireshark with higher reception

This quickly highlights the IP address 172.31.6.44 as a major recipient of traffic. The traffic to that host uses ports 37022, 8080, 61254, 61255, and 22. Common service associations for these ports are: 8080 for HTTP, 22 for SSH, and 37022 as an arbitrary TCP data port that the environment is using.

When you identify heavy talkers in a capture, export their connection lists and timestamps immediately. That gives you a focused subset to work from and preserves the context of later findings.

Analyzing HTTP Traffic

The port usage suggests the management platform is web-based. Filter HTTP traffic in Wireshark with http.request to inspect client requests. The first notable entry is a GET request whose URL and headers match Bonitasoft’s platform, showing the company uses Bonitasoft for business management.

http traffic that looks like brute force

Below that GET request you can see a series of authentication attempts (POST requests) originating from 156.146.62.213. The login attempts include usernames that reveal the attacker has done corporate OSINT and enumerated staff names.

The credentials used for the attack are not generic wordlist guesses, instead the attacker tries a focused set of credentials. That behavior is consistent with credential stuffing: the attacker uses previously leaked username/password pairs (often from other breaches) and tries them against this service, typically automated and sometimes distributed via a botnet to blend with normal traffic.

credential stuffing spotted

A credential-stuffing event alone does not prove a successful compromise. The next step is to check whether any of the login attempts produced a successful authentication. Before doing that, we review the IDS/IPS alerts.

Finding the CVE

To inspect the JSON alert file in a shell environment, format it with jq and then see what’s inside. Here is how you can make the json output easier to read:

bash$ cat alerts.json | jq .

reading alert log file

Obviously, the file will be too big to read in full, so we narrow it down to indicators such as CVE identifiers:

bash$ cat alerts.json | jq . | grep -i cve

grepping cves in the alert log file

Security tools often map detected signatures to known CVE identifiers. In our case, alert data and correlation with the observed HTTP requests point to repeated attempts to exploit CVE-2022-25237, a vulnerability affecting Bonita Web 2021.2. The exploit abuses insufficient validation in the RestAPIAuthorizationFilter (or related i18n translation logic). By appending crafted data to a URL, an attacker can reach privileged API endpoints, potentially enabling remote code execution or privilege escalation.
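Grepping the pretty-printed JSON works for a first look, but a parser lets you count alerts per CVE, list the source addresses behind them and record when each was first seen, which is what ends up in the timeline. The script below is an added example, not code from the original article or from the tooling used in the case: the JSON layout is a constructed, Suricata-EVE-like approximation (field names are assumptions), and the recursive string scan finds a CVE id wherever the IDS happened to put it in the record.

```python
"""Pull CVE identifiers out of an IDS/IPS alert export and summarise them.

Added example (not from the original article). The JSON layout is a constructed,
EVE-style approximation; field names such as "src_ip" and "alert.signature" are
assumptions. The recursive scan does not depend on where the CVE string sits.
"""
import json
import re
from collections import Counter, defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)

# Constructed sample export (not the case data); one alert per array element.
ALERTS_JSON = json.dumps([
    {"timestamp": "2025-01-01T10:02:11Z", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44",
     "dest_port": 8080,
     "alert": {"signature": "Bonita Web REST API authorization bypass (CVE-2022-25237)",
               "metadata": {"cve": ["CVE-2022-25237"]}}},
    {"timestamp": "2025-01-01T10:02:13Z", "src_ip": "156.146.62.213", "dest_ip": "172.31.6.44",
     "dest_port": 8080,
     "alert": {"signature": "Bonita Web REST API authorization bypass (cve-2022-25237)"}},
    {"timestamp": "2025-01-01T10:05:40Z", "src_ip": "10.0.0.7", "dest_ip": "172.31.6.44",
     "dest_port": 22,
     "alert": {"signature": "Potential SSH scan"}},
])


def _strings(obj):
    """Yield every string value nested anywhere inside a decoded JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def cves_in_alert(alert):
    """Distinct, upper-cased CVE ids mentioned anywhere in one alert record."""
    found = set()
    for s in _strings(alert):
        for m in CVE_RE.findall(s):
            found.add(m.upper())
    return sorted(found)


def summarize_cves(json_text):
    """Return {cve: {"alerts": n, "sources": [src_ip, ...], "first_seen": timestamp}}."""
    alerts = json.loads(json_text)
    if isinstance(alerts, dict):        # tolerate an export that is a single object
        alerts = [alerts]
    counts = Counter()
    sources = defaultdict(set)
    first_seen = {}
    for a in alerts:
        for cve in cves_in_alert(a):
            counts[cve] += 1
            sources[cve].add(a.get("src_ip", "?"))
            ts = a.get("timestamp", "")
            # ISO-8601 UTC timestamps compare correctly as strings
            if cve not in first_seen or ts < first_seen[cve]:
                first_seen[cve] = ts
    return {c: {"alerts": counts[c], "sources": sorted(sources[c]), "first_seen": first_seen[c]}
            for c in counts}


if __name__ == "__main__":
    for cve, info in summarize_cves(ALERTS_JSON).items():
        print(cve, info)
```

Keep the first-seen timestamp per CVE: correlating it with the HTTP requests in the pcap is what lets you say whether the IDS fired before or after the attacker's successful login.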

cve 2022-25237 information

Now we verify whether exploitation actually succeeded.

Exploitation

To find successful authentications, filter responses with:

http.response.code >= 200 and http.response.code < 300 and ip.addr == 172.31.6.44

filtering http responses with successful authentication

Among the successful responses, HTTP 204 entries stand out because they are less common than HTTP 200. If we follow the HTTP stream for a 204 response, the request stream shows valid credentials followed immediately by a 204 response and cookie assignment. That means the attacker successfully logged in. This is the point where the attacker moves from probing to interacting with privileged endpoints.
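The same two observations, a burst of POST logins from one source and the first response that both succeeds and sets a session cookie, can be checked programmatically once the request/response pairs are exported from Wireshark. The script below is an added example, not code from the original article: the records are a constructed, simplified rendering of what you see per HTTP transaction (the field names, the "/loginservice" path substring and the min_attempts/window thresholds are assumptions).

```python
"""Spot a credential-stuffing burst and the first successful login in HTTP records.

Added example (not from the original article). The transaction records are a
constructed, simplified export of request/response pairs; field names, the
LOGIN_PATH substring and the thresholds are assumptions.
"""
from collections import defaultdict

LOGIN_PATH = "/loginservice"   # assumed login endpoint substring

# Constructed request/response pairs (not the case capture). ts is seconds from capture start.
TRANSACTIONS = [
    {"ts": 1, "src": "156.146.62.213", "method": "POST", "uri": "/bonita/loginservice", "user": "j.smith",   "status": 401, "set_cookie": False},
    {"ts": 2, "src": "156.146.62.213", "method": "POST", "uri": "/bonita/loginservice", "user": "a.jones",   "status": 401, "set_cookie": False},
    {"ts": 3, "src": "156.146.62.213", "method": "POST", "uri": "/bonita/loginservice", "user": "m.lee",     "status": 401, "set_cookie": False},
    {"ts": 4, "src": "156.146.62.213", "method": "POST", "uri": "/bonita/loginservice", "user": "r.khan",    "status": 401, "set_cookie": False},
    {"ts": 5, "src": "156.146.62.213", "method": "POST", "uri": "/bonita/loginservice", "user": "s.park",    "status": 401, "set_cookie": False},
    {"ts": 6, "src": "156.146.62.213", "method": "POST", "uri": "/bonita/loginservice", "user": "seb.broom", "status": 204, "set_cookie": True},
    {"ts": 7, "src": "10.0.0.5",       "method": "GET",  "uri": "/bonita/portal",       "user": None,        "status": 200, "set_cookie": False},
]


def is_login_attempt(tx):
    return tx["method"] == "POST" and LOGIN_PATH in tx["uri"]


def is_successful_login(tx):
    """Any 2xx (204 included) that also sets a session cookie counts as a success."""
    return is_login_attempt(tx) and 200 <= tx["status"] < 300 and tx["set_cookie"]


def analyze_logins(transactions, min_attempts=5, window=60):
    """Per source address: attempt count, distinct users tried, failures before the
    first success, whether the burst looks like stuffing, and the first success."""
    by_src = defaultdict(list)
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        if is_login_attempt(tx):
            by_src[tx["src"]].append(tx)

    report = {}
    for src, txs in by_src.items():
        failures = 0
        first_success = None
        for tx in txs:
            if is_successful_login(tx):
                first_success = {"ts": tx["ts"], "user": tx["user"], "status": tx["status"]}
                break
            failures += 1
        span = txs[-1]["ts"] - txs[0]["ts"]
        report[src] = {
            "attempts": len(txs),
            "distinct_users": len({t["user"] for t in txs}),
            "failures": failures,
            # many attempts against many different users in a short window is the stuffing signature
            "stuffing_suspected": len(txs) >= min_attempts and span <= window,
            "first_success": first_success,
        }
    return report


if __name__ == "__main__":
    for src, info in analyze_logins(TRANSACTIONS).items():
        print(src, info)
```

The distinct_users count is what separates stuffing from a single-account brute force: one user with many passwords is a different pattern from many users with one password each, and the two are handled differently in response.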

finding a successful authentication

After authenticating, the attacker targets the API to exploit the vulnerability. In the traffic we can see an upload of rce_api_extension.zip, which enables remote code execution. Later this zip file will be deleted to remove unnecessary traces.

finding the api abuse after the authentication
attacker uploaded a zip file to abuse the api

Following the upload, we can observe commands executed on the server. The attacker reads /etc/passwd and runs whoami. In the output we see access to sensitive system information.

reading the passwd file
the attacker assessing his privileges

During a forensic investigation you should extract the uploaded files from the capture or request the original file from the source system (if available). Analyzing the uploaded code is essential to understand the artifact of compromise and to find indicators of lateral movement or backdoors.

Persistence

After initial control, attackers typically establish persistence. In this incident, all attacker activity is over HTTP, so we follow subsequent HTTP requests to find persistence mechanisms.

the attacker establishes persistence with pastes.io

The attacker downloads a script hosted on a paste service (pastes.io), named bx6gcr0et8, which then retrieves another snippet hffgra4unv, appending its output to /home/ubuntu/.ssh/authorized_keys when executed. The attacker restarts SSH to apply the new key.

reading the bash script used to establish persistence

A few lines below we can see that the first script was executed via bash, completing the persistence setup.

the persistence script is executed

Appending keys to authorized_keys allows SSH access for the attacker’s key pair and doesn’t require a password. It’s a stealthy persistence technique that avoids adding new files that antivirus might flag. In this case the attacker relied on built-in Linux mechanisms rather than installing malware.

When you find modifications to authorized_keys, pull the exact key material from the capture and compare it with known attacker keys or with subsequent SSH connection fingerprints. That helps attribute later logins to this initial persistence action.
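Pulling the key material and comparing it with later SSH logins is mechanical enough to script. The example below is added here and is not code from the original article: it diffs an authorized_keys file against a known-good baseline, computes OpenSSH-style SHA256 fingerprints for every added key, and matches those fingerprints against sshd "Accepted publickey" log lines so a later login from a new address can be tied to the key the script planted. Both key files, the key blobs (structurally valid ssh-ed25519 blobs built from hashed placeholder bytes, not real keys) and the log lines are constructed.

```python
"""Audit authorized_keys against a baseline and tie added keys to later SSH logins.

Added example (not from the original article). Key files, key blobs and log
lines are constructed. Fingerprints use OpenSSH's "SHA256:<base64>" format, so
they can be compared with sshd's "Accepted publickey ..." log entries.
"""
import base64
import hashlib
import re


def _fake_ed25519_blob(seed: bytes) -> str:
    """Build a structurally valid ssh-ed25519 public-key blob from placeholder bytes.
    This is NOT a real key; it only has the wire layout (string type, string key)."""
    key = hashlib.sha256(seed).digest()          # 32 bytes standing in for the public point
    def s(b):                                    # SSH string: 4-byte big-endian length + bytes
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(b"ssh-ed25519") + s(key)).decode()


ADMIN_KEY = _fake_ed25519_blob(b"admin-laptop")        # constructed
INTRUDER_KEY = _fake_ed25519_blob(b"unknown-origin")   # constructed

BASELINE = f"ssh-ed25519 {ADMIN_KEY} admin@laptop\n"
CURRENT = (
    "# authorized_keys as pulled from the host after the incident (constructed)\n"
    f"ssh-ed25519 {ADMIN_KEY} admin@laptop\n"
    f"ssh-ed25519 {INTRUDER_KEY} root@unknown\n"
)


def parse_authorized_keys(text):
    """Return [{type, blob, comment, options}] for each key line (comments/blank lines skipped)."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Lines may start with options such as from="10.0.0.1"; the key type is the
        # first field that looks like an algorithm name. (Options containing spaces
        # inside quotes would need a proper tokenizer; kept simple here.)
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        keys.append({"type": parts[idx], "blob": parts[idx + 1],
                     "comment": " ".join(parts[idx + 2:]), "options": " ".join(parts[:idx])})
    return keys


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(baseline_text, current_text):
    """Keys present in the current file but not in the baseline, with fingerprints."""
    known = {k["blob"] for k in parse_authorized_keys(baseline_text)}
    return [{**k, "fingerprint": fingerprint(k["blob"])}
            for k in parse_authorized_keys(current_text) if k["blob"] not in known]


# sshd's successful public-key login line; the trailing fingerprint is what we match on.
AUTH_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

# Constructed sshd log lines (not from the case).
AUTH_LOG = [
    f"Mar  5 08:00:11 host sshd[1980]: Accepted publickey for admin from 10.0.0.5 port 50001 ssh2: ED25519 {fingerprint(ADMIN_KEY)}",
    f"Mar  5 10:41:02 host sshd[2210]: Accepted publickey for ubuntu from 95.181.232.30 port 51234 ssh2: ED25519 {fingerprint(INTRUDER_KEY)}",
]


def match_auth_log(added_keys, log_lines):
    """Logins whose fingerprint belongs to one of the added keys: [{user, src, fingerprint, comment}]."""
    wanted = {k["fingerprint"]: k for k in added_keys}
    hits = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m and m.group(3) in wanted:
            hits.append({"user": m.group(1), "src": m.group(2),
                         "fingerprint": m.group(3), "comment": wanted[m.group(3)]["comment"]})
    return hits


if __name__ == "__main__":
    added = audit_authorized_keys(BASELINE, CURRENT)
    for k in added:
        print("added key:", k["type"], k["fingerprint"], k["comment"])
    for h in match_auth_log(added, AUTH_LOG):
        print("login with added key:", h["user"], "from", h["src"])
```

On a real host the baseline is whatever you trust (a golden image, a configuration-management export, or the file from a backup taken before the incident), and the log side comes from /var/log/auth.log or the journal. Matching on the fingerprint rather than the comment matters because the comment field is free text the attacker controls.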

MITRE SSH Authorized Keys information

Post-Exploitation

Further examination of the pcap shows the server reaching out to Ubuntu repositories to download a .deb package that contains Nmap. 

attacker downloads a deb file with nmap

Shortly after SSH access is obtained, we see traffic from a second IP address, 95.181.232.30, connecting over port 22. Correlating timestamps shows the command to download the .deb package was issued from that SSH session. Once Nmap is present, the attacker performs a port scan of 34.207.150.13.

attacker performs nmap scan

This sequence (adding an SSH key, then using SSH to install reconnaissance tools and scan other hosts) fits a common post-exploitation pattern. Hackers establish persistent access, stage tools, and then enumerate the network for lateral movement opportunities.

During forensic investigations, save the sequence of timestamps that link file downloads, package installation, and scanning activity. Those correlations are important for incident timelines and for identifying which sessions performed which actions.

Timeline

At the start, the attacker attempted credential stuffing against the management server. Successful login occurred with the credentials seb.broom / g0vernm3nt. After authentication, the attacker exploited CVE-2022-25237 in Bonita Web 2021.2 to reach privileged API endpoints and uploaded rce_api_extension.zip. They then executed commands such as whoami and cat /etc/passwd to confirm privileges and enumerate users.

The attacker removed rce_api_extension.zip from the web server to reduce obvious traces. Using pastes.io from IP 138.199.59.221, the attacker executed a bash script that appended data to /home/ubuntu/.ssh/authorized_keys, enabling SSH persistence (MITRE ATT&CK: SSH Authorized Keys, T1098.004). Shortly after persistence was established, an SSH connection from 95.181.232.30 issued commands to download a .deb package containing Nmap. The attacker used Nmap to scan 34.207.150.13 and then terminated the SSH session.

Conclusion

During our network forensics exercise we saw how packet captures and IDS/IPS logs can reveal the flow of a compromise, from credential stuffing, through exploitation of a web-application vulnerability, to command execution and persistence via SSH keys. We practiced using Wireshark to trace HTTP streams, observed credential stuffing in action, and followed the attacker’s persistence mechanism.

Although our class focused on analysis, in real incidents you should always preserve originals and record every artifact with exact timestamps. Create cryptographic hashes of artifacts, maintain a chain of custody, and work only on copies. These steps protect the integrity of evidence and are essential if the incident leads to legal action.

For those of you interested in deepening your digital forensics skills, we will be running a practical SCADA forensics course in November. This intensive, hands-on course teaches forensic techniques specific to Industrial Control Systems and SCADA environments, showing you how to collect and preserve evidence from PLCs, RTUs, HMIs and engineering workstations, reconstruct attack chains, and identify indicators of compromise in OT networks. Its focus on real-world labs and breach simulations, together with the fact that practical OT/SCADA skills are rare and highly valued, means completing a course like this will make your CV stand out.

We also offer digital forensics services for organizations and individuals. Contact us to discuss your case and which services suit your needs.

Learn more: https://hackersarise.thinkific.com/courses/scada-forensics

The post Network Forensics: Analyzing a Server Compromise (CVE-2022-25237) first appeared on Hackers Arise.

How to Trust a Website: Scam Raven for Safer Browsing

By: Giedrius
28 September 2025 at 05:05

The internet is full of opportunities — but also traps. From fake online shops to phishing pages that mimic your bank, scams are evolving faster than most people can keep up. A single click can mean lost money or stolen data.

The scale of the problem is staggering (source):

  • An estimated 3.4 billion phishing emails are sent every day, making up about 1.2% of all global email traffic.
  • Google blocks around 100 million phishing emails daily, yet millions still slip through.
  • Since the COVID-19 pandemic, phishing attacks have more than doubled in frequency.
  • Phishing sites increased from 110,000 in 2019 to over 1 million in 2024 — and the trend is still rising.

With the help of AI, scams now look more realistic than ever. Professional-looking sites, convincing emails, and manipulative tactics make it harder than ever to know who to trust. That’s why reliable resources for checking websites before you interact with them are essential.

That’s where ScamRaven comes in.

What is ScamRaven?

Scam Raven is an AI powered scam detector

ScamRaven.com publishes human-verified scam reports. Instead of relying only on automated scans or blacklists, ScamRaven investigates suspicious domains, checks technical signals, reviews their content, and cross-references public feedback.

The result is a detailed, structured report that anyone can read before deciding whether to trust a site. Each report includes:

  • Technical background
  • Content analysis
  • Public feedback
  • A final verdict — Scam, Suspicious, or Legitimate

How is this different from other scanners?

Most “scam checkers” act like instant virus scans: type in a URL, and they return a one-line safe/unsafe label. While fast, these tools often miss newer or more sophisticated scams. ScamRaven takes a different approach:

  • Manual verification — every report is reviewed and validated by humans, not just automated filters.
  • Evidence-based — reports include screenshots, technical traces, and links to external discussions.
  • Transparency — all reports are archived and searchable, so users can check history and patterns.

In short: ScamRaven values accuracy and trust over speed.

Why it matters

Scams are getting more professional every year. Many sites look polished, copy real brands, and advertise aggressively on social media. With phishing attacks rising 150% year-over-year from 2019 to 2022 — and still climbing — gut feeling is no longer enough.

By combining automation, AI, and community input, ScamRaven makes scam detection accessible to everyone, not just cybersecurity experts.


Before you buy from an unfamiliar shop or click a suspicious link, make it a habit to check ScamRaven first. If a report exists, you’ll see clear evidence to help you decide whether to proceed or steer clear. Safer browsing starts with trusted information.

ScamRaven is currently in beta, with a public scanner in development — but the reports are already available for anyone who wants to browse smarter and stay safer.

The post How to Trust a Website: Scam Raven for Safer Browsing appeared first on Bug Hacking.

Best Access Card Readers for Ethical Hackers

By: Thomas
30 April 2022 at 14:45

Proximity access cards have been a popular target for hackers. These key cards allow a hacker to clone, replicate, or produce a copy of the original card without the user’s knowledge. Once the clone has been activated, they will have access to a facility. These cards are a very popular choice for physical access, and for a reason: they are cheap to buy and easy to use. We have listed some of the best access card readers for ethical hackers in this article, so keep reading to find out.

Now, a random thief shouldn’t be able to manually clone proximity access cards. This is a fairly technical process that requires knowledge and tools. However, just like many other hacking tools, cloning/reading devices are readily available for purchase.

Card cloning became a thriving industry thanks to these low-cost, easy-to-use gadgets.

What Are RFID Cards?

Blank RFID card

A magnetic card reader is a piece of hardware that reads the information recorded on the magnetic stripe found on the back of a plastic badge or identification card. Credit, debit, or any other kind of card may be used to make these badges.

An embedded code is found on the back of these cards, and with the aid of the magnets integrated in the hardware device, a magnetic card reader is able to read these codes and therefore allow the card to be accessed. The gadget is intended to lower the amount of effort required by the user while simultaneously saving time. Because of these readers, there is no longer any need to manually input data; you can simply swipe the card through the reader to access the information. They are used by ethical hackers to carry out physical penetration testing.

Can RFID cards be cloned by hackers?

Because proximity access cards just include a password, they are very simple to duplicate. Unlike a bank card, which stores PIN numbers within, these devices store them outside. It may be difficult to keep up with all of the new developments and technology in the security sector. There are two common technologies that you may not have realized are integrated into our daily lives, ranging from hotel access control to car parks to logistics, so let’s have a look. While these two phrases are commonly used interchangeably, there are some crucial differences and uses that we’ll examine in this article.

To clone a proximity access card using a duplicating machine, you must bring the reader as near as possible to the targeted card. This is how easy it is to clone an RFID card.

The cloning (i.e. copying) of an RFID card without the user’s knowledge is another common attack method used by attackers to defeat RFID access systems. If an RFID card can be cloned without physical access, the attacker has succeeded. An attacker can, in fact, use off-the-shelf components to read an RFID card’s encoded data and then write the data to a blank compatible RFID card several feet away. Large RFID readers used in parking garages and other places where a user cannot get close to the card scanner to scan their card are frequently the source of these cloning devices.

It is possible for an attacker to use one of these low-cost cloning devices as they walk past a worker on the street or in a coffee shop. At your facility, the cloned data from an attacker’s RFID card can be used to gain access to your property. In the workplace, it is generally preferable for employees to wear their RFID card in the open, as it can reveal their identity at times. There are a few ways to protect against a long-range cloning attack in the workplace, including:

  • RFID cards should not be used to access personal identification information, such as a photo ID. RFID-blocking sleeves or wallets can be used to keep an employee’s identification safe while they work.
  • Employees should wear their credentials above their waist, such as a lapel clip, if the RFID card’s identification details cannot be separated from the card. As a result of this, it is more likely that an employee will notice someone attempting to clone the employee’s card.

RFID card protection is significantly more difficult in public places or while employees are out for lunch than it is in the office, where employees are more likely to notice suspicious activity. Workers should keep their cards in a secure location (e.g., in their vehicle) so that they are out of harm’s way from potential attackers. Employees who cannot leave their badges in a safe place should use an RFID blocking sleeve.

Best RFID Card Readers for Ethical Hackers

If you are a professional penetration tester, there is a chance you will have to perform physical penetration testing. Your main goal might be to get into the office. After gaining access, you can then pursue other objectives, such as obtaining sensitive information or reaching a restricted area. This can be done using the correct tools; in this case, the best magnetic stripe/RFID card copiers for ethical hackers.

MSR90 USB Swipe Magnetic Credit Card Reader

This is one of the best-selling card readers for ethical hackers on Amazon. It is really simple to use, and it connects to a PC via USB.

With the reader you can read up to 3 tracks of information; it supports the most popular card data formats, such as AAMVA, CA DMV, and ISO 7811. The reader has an LED indicator that shows its current state.

The minimalist design and simple usage are definitely good features of the product. However, it is the core features that make the device a perfect fit: bi-directional swipe reading, superior reading of high-jitter stripes, and support for up to 1,000,000 card swipes.

Deftun Bluetooth MSR-X6(BT) MSRX6BT Magnetic Stripe Card Reader

While the price of this one is on the high end, it is really worth the money. It is considered to be the world’s only wireless Bluetooth magnetic stripe credit card reader. The best thing about it is that it is small and portable.

It has three tracks and read, write, and erase functions. Just like the other readers, it has an LED indicator that shows the current phase of the card reading. The Deftun Bluetooth MSR-X6 also supports the ISO 7811-6 standard.

Another great feature of this access card reader is that it can be used on different platforms: Windows, Android, Mac, iPhone, and iPad. A dedicated application communicates with the device. However, while it is free for PCs, if you want it on your Android or iOS device, you have to pay extra.

The reader comes with 20 blank magnetic cards that you can use for experimenting.

ETEKJOY USB 3-Track Magnetic Stripe Card Reader POS Credit Card Reader Swiper MagStripe Swipe Card Reader ET-MSR90

This is another affordable access card reader that perfectly suits the goal of cloning RFID cards. It has a USB interface and is detected as a keyboard, so you do not need any additional software.

The ETEKJOY reader reads data from three tracks and supports ISO 7811, AAMVA, CA DMV and other widely used magnetic card data formats.

It can be used on almost any platform. All you need is a USB port, and you will be able to control the device from Windows, Mac, or another OS.

MSR605 & 206 Magnetic Card Reader

While more expensive than the most basic access card readers, the MSR605 is a high-quality reader that will last. It supports different operating systems, and its software is even backward compatible with legacy systems such as Windows 98, Me, XP, and Vista.

The reader is capable of writing data to all 3 tracks. The device has a single-direction swipe. It also comes with 20 blank cards.

OSAYDE PRO USB Silver Magnetic Credit Card Reader Writer Encoder

OSAYDE Pro, as the name implies, is a reader for professional use. While it can certainly be used by hobbyists, if you are a pentester looking for the best access card reader for ethical hackers, this one is surely the way to go.

The device has a high-grade design and all the main functions. You can easily manipulate the data on the card: write, rewrite, erase, copy, compare, write to/from file, and set up and change the password.

The software supports most Windows versions, including the legacy Windows 98, Me, and XP. It also has no problem working with the newest Windows versions.

As this is a high-end product, it also has built-in over-voltage, over-current, leakage, short-circuit, and anti-interference protection modules. The reader is rated for 1,000,000 swipes.

Keep in mind that the software works on Windows only, so you might have trouble on Linux and macOS.

How Do RFID Cards Work and Where Are They Used?

Many contactless smart cards employ radio frequency identification (RFID) technology. RFID cards have a chip built right into them to store all of your personal and financial information. A microprocessor or comparable intelligence and internal memory are built into the chip. Added security is provided via an antenna built inside the card’s plastic shell. For communication between the reader and the card, RFID induction technology is used. At a distance of less than four inches, this RFID technology is effective. As a result, the card has to be kept as close to the reader as possible. There are antennas placed in the reader and the card that interact with each other using radio waves.

There is no way for a non-certified RFID reader to read the data on an RFID smart card, making them safe. In order to decrypt data stored on a card, the reader program would need access to the card’s secret keys. Attempts to access data on the chip may be prevented if the encryption keys do not match. Similarly, the card and reader’s communication may be encrypted. For example, a user’s application may dictate the degree of security. An authorized user with access to the card’s keys may write data to its smart card memory only with their consent.

Most people utilize RFID technology in their daily lives without even realizing it. Today, we’re going to look at some examples of where it may be found. You may be amazed at how many times you use RFID technology in your daily life.

  • Item-level inventory tracking

A wide range of businesses may benefit from item-level asset tracking, but the retail industry offers the greatest potential for RFID adoption.

  • Asset management

Today’s most contemporary and productive firms are adopting RFID technology to automate the tracking of their valuable assets. There are various issues with manual tracking that may be avoided using RFID systems. When things are tracked using a radio-frequency identification (RFID) system, they are more secure and accurate.

  • Warehouses and inventories

The primary goal of using RFID in warehouses is to reduce labor and logistical expenses while increasing warehouse efficiency. Similarly, a precise inventory of items with all kinds of information, such as size, quality, country, and so on, can be obtained promptly. The need for costly and imprecise physical inventory counts has passed. This saves you money and time.

  • Animal identification

RFID tagging animals is an essential tool for a farmer in order to identify each animal with its origin, lineage, medical data, and other relevant information. Additionally, with the aid of software, it is possible to keep the information up to date by uploading fresh data, such as veterinarian appointments.

  • Surgeries

A hospital’s inventory, access control, tracking of personnel and patients, tracking tools, disposable consumables, and large/expensive equipment are some of the most prevalent RFID uses.

How to Prevent RFID Hacking?

There are many of the best access card readers for ethical hackers out there, but they are not always used for ethical reasons. So how can you prevent RFID signals from being picked up? Metal and water are the most effective materials for blocking radio signals to and from your RFID chip. The RFID tag can no longer be read if this signal is blocked.

  • Equip your wallet and pocket to stop RFID signals

Aluminum foil can be used to block RFID signals at a low cost. A wallet blocker you make at home can be as simple as a wad of foil or cardboard. Aluminum foil, however, does not completely block the signal, and it will eventually wear out. Because of this, it’s a bad idea.

There are also RFID-blocking wallets intended to protect your cards from cloning, for example the Zitahli Wallet for Men Slim Larger Capacity with 20 slots.

Nevertheless, an RFID-blocking wallet does not guarantee that your card is safe from fraud. If you are careless and lose the card, or use it at a tampered terminal fitted with a skimmer, your details can still be captured. In other words, keep up your good card-security habits even with an RFID-blocking wallet.

  • Double check your RFID security

Make sure your security strategy does not rely solely on RFID. Your credit card company, for example, may be able to disable contactless (RFID-only) purchases on your card, so that even a cloned tag cannot be used to charge it. If your workplace relies on RFID door passes, put an additional, stronger control in place, such as a PIN or another second factor at the reader.

If you are worried about being tracked by RFID, consider building your own RFID reader and using it to sweep your home regularly to see what is readable and how well your RFID protections work. The truly cautious can repeat the sweep periodically and compare the results to catch changes.
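As an added example (not code from the original post or from any reader vendor), the script below shows the periodic-sweep idea in Python: it parses a constructed sweep log in a made-up one-line-per-tag format, classifies each readable tag by how easily its technology can be cloned, and diffs the sweep against a saved baseline so that tags that appear, vanish or change stand out. The log lines, the `LF/HF technology uid` format and the clonability table are assumptions for the example; adapt the parser to whatever your own reader exports.

```python
"""Baseline-and-diff audit for an RFID sweep (added example).

Parse a constructed sweep log (one line per tag the reader could see),
classify each tag by how easily its technology can be cloned, and diff the
sweep against a saved baseline so periodic sweeps show what changed.
The log format and the classification table are assumptions for this
example, not the output of any particular reader.
"""
from dataclasses import dataclass

# Constructed log format (assumed): one tag per line, "<band> <technology> <uid>"
# where band is LF (125 kHz) or HF (13.56 MHz). These two sweeps are made up.
SWEEP_BASELINE = """\
LF EM410x 1A2B3C4D5E
HF MIFARE_Classic_1K 04A1B2C3
HF DESFire_EV2 04112233445566
"""

SWEEP_TODAY = """\
LF EM410x 1A2B3C4D5E
LF HID_Prox 2006ab1234
HF DESFire_EV2 04112233445566
"""

# Rough clonability of common card technologies (assumed for this example;
# refine for your own site). "trivial": the ID is read and replayed with no
# key; "broken": protections exist but published attacks recover the keys;
# "hard": mutual authentication with modern crypto, cloning needs the keys.
CLONABILITY = {
    "EM410x": "trivial",
    "HID_Prox": "trivial",
    "MIFARE_Ultralight": "trivial",
    "MIFARE_Classic_1K": "broken",
    "MIFARE_Classic_4K": "broken",
    "DESFire_EV1": "hard",
    "DESFire_EV2": "hard",
    "iCLASS_SE": "hard",
}


@dataclass(frozen=True)
class Tag:
    band: str
    tech: str
    uid: str

    @property
    def clonability(self) -> str:
        return CLONABILITY.get(self.tech, "unknown")


def parse_sweep(text: str) -> dict[str, Tag]:
    """Parse sweep lines into {uid: Tag}; blank lines and # comments are skipped."""
    tags: dict[str, Tag] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("LF", "HF"):
            raise ValueError(f"line {lineno}: malformed sweep entry: {line!r}")
        band, tech, uid = parts
        uid = uid.lower()  # normalise hex case so the same tag compares equal
        tags[uid] = Tag(band, tech, uid)
    return tags


def diff_sweeps(baseline: dict[str, Tag], current: dict[str, Tag]) -> dict:
    """Report tags that appeared, vanished, or now answer as a different technology."""
    appeared = sorted(set(current) - set(baseline))
    vanished = sorted(set(baseline) - set(current))
    changed = sorted(u for u in set(baseline) & set(current)
                     if baseline[u].tech != current[u].tech)
    return {"appeared": appeared, "vanished": vanished, "changed": changed}


def readable_risk(tags: dict[str, Tag]) -> dict[str, int]:
    """Count readable tags per clonability class: what a walk-by reader could harvest."""
    counts: dict[str, int] = {}
    for t in tags.values():
        counts[t.clonability] = counts.get(t.clonability, 0) + 1
    return counts


if __name__ == "__main__":
    base = parse_sweep(SWEEP_BASELINE)
    now = parse_sweep(SWEEP_TODAY)
    print("changes since baseline:", diff_sweeps(base, now))
    print("readable tags by clonability:", readable_risk(now))
    for tag in now.values():
        if tag.clonability in ("trivial", "broken"):
            print(f"  {tag.uid} ({tag.tech}) can be cloned by a nearby reader")
```

Run it once to record a baseline, then after each later sweep compare against it: a tag that appears (a new fob in the house, or a tag hidden in a purchase) and any readable tag in the "trivial" or "broken" class are the findings worth acting on.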

A Faraday cage, which blocks RF signals, is a good choice for protecting your belongings.

  • Defending Yourself against Invisible Threats

As hackers have demonstrated, RFID is not impenetrable. A scanner can be built cheaply and then used to read sensitive data from tags. If you are concerned about this kind of attack, it is worth learning how to protect yourself before it happens.

Always stay vigilant about your access cards. If a suspicious person tries to get close to your card, do not hand them the low-hanging fruit: the reader might be in their bag, and for many cards all it takes to clone one is to get within range of it.

Final Words

If you are a pentester, we hope our list of the best access card readers for ethical hackers helped you find the right one. Everyone, from hobbyist to professional ethical hacker, can choose a reader that suits their needs. After all, the best reader is the one you can use to both read and write data; every other function is a bonus.

And if you use RFID cards, take the necessary precautions. You may not expect people to leave their access cards hanging out of their back pockets, but a motivated thief and a careless keycard holder are all it takes.

The post Best Access Card Readers for Ethical Hackers appeared first on Bug Hacking.
