
Posts published in “Threat Hunting”

PID 4 listening on Port 80 or Port 12345

johnyan

It was interesting during one of our vulnerability scans. There are lots of machines listening on port 12345, and there are lots of connections on it. Also, the PID is 4, which is the System process or service. The same thing was also found on HTTP port 80. Here are the netstat command outputs. Symptoms: C:\Windows\system32>netstat -tabno | find ":80"   TCP    0.0.0.0:80 …

Vulnerability: SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL

johnyan

Recently, during a vulnerability scan, the RC4 cipher was found in use on SSL/TLS connections at port 3389. The solution in the Qualys report is not clear on how to fix it. This post is going to record some search results found online on how to fix this SSL/TLS RC4 cipher vulnerability. SSL/TLS use of weak RC4(Arcfour) cipher port 3389/tcp over SSL QID:…

Bulk IP Reputation Check using Security Websites and Open Source Scripts

johnyan

This topic has been haunting my mind for quite a while. As information security guys, we get tons of reports about endpoint activities. One of them is the website IPs or URLs they were accessing. A typical abnormal network behaviour for an infected or compromised endpoint is a huge amount of access to malicious IPs or bad-reputation…

Find Real IP of a Website Behind CDN

johnyan

There are more and more websites using a CDN (Content Delivery Network) to help deliver their content to end users. It is faster, safer and more reliable. At the same time, a CDN such as the Cloudflare company hides your real IP behind their public IP. Is there a way we can bypass the CDN and find out those websites' real IP addresses?

Windows Remote Command Line Troubleshooting Tips and Tricks

johnyan

Here are some scripts and methods to do remote troubleshooting or run some commands on remote machines. I found them very useful, especially in an enterprise environment if you have a domain admin account. Prerequisites to run remote commands: Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe or from https://www.microsoft.com/en-ca/download/details.aspx?id=42642 Install Windows Management Framework 5.1: copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management…

Sysinternals Tool Sysmon Usage Tips and Tricks

johnyan

The Microsoft Sysinternals tool Sysmon is a service and device driver that, once installed on a system, logs indicators that can greatly help track malicious activity, in addition to helping with general troubleshooting. Sysinternals from a web browser: https://live.sysinternals.com/ Basic Sysmon usage commands: Installation: sysmon -i -accepteula [options] (extracts binaries into %systemroot%, registers the event log manifest, enables the default configuration)

Threat Hunting Tools

johnyan

Here are some collections from the Internet of Threat Hunting tools, information and resources. 1. Kansa GitHub – Davehull/Kansa http://trustedsignal.blogspot.com/search/label/Kansa http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/ Kansa: A PowerShell-based incident response framework

How to Find Out Windows Process Sending Traffic, Especially ICMP Packets

johnyan

There are a number of different ways to find out which process is sending TCP/UDP traffic on a computer system, but not many for ICMP traffic. Here is a summary of the ways to do it. 1. Install a local firewall You could always try installing a firewall that blocks outgoing traffic, or use the Windows Firewall. When the…

Basic Procedures to Troubleshoot an Infected Computer

johnyan

Today I received a report from a user: the computer is slow and seems to have been infected with an unknown virus or malware. No special symptoms except slowness. 1. Check task manager and resource monitor There is a process smss.exe whose description is "Microsoft ® Console Based Script Host" using almost 75% CPU all the time. From task manager, I found the system was…