Forem: a.infosecflavour

SIEM-themed portfolio

a.infosecflavour — Sat, 31 Jan 2026 23:12:20 +0000

This is a submission for the New Year, New You Portfolio Challenge Presented by Google AI

About Me

I am Yo Wise, a "Vibe Coding" enthusiast with a heavy focus on system resiliency and observability. I believe that a developer's portfolio should be a demonstration of how they monitor, protect, and scale their work. I built this SIEM-themed dashboard to express my commitment to high-integrity development and defensive architecture.

Portfolio

My portfolio is a little of everything:

SIEM dashboard
Software Developer profile
3 projects listed inside the profile - all focusing on different topics
Cybersecurity inspired functionalities

My philosophy - No domain must exist in vacuum. By building this portfolio, I blended AI, software development, cybersecurity, education, career development and tourism. Check it out to convince yourself!

How I Built It

The application is built using Google AI Studio, with React 19, Typescript and Tailwind CSS, using Lucide Icons for the "Cyber-Ops" aesthetic and Recharts for real-time telemetry visualization.

Gemini 3 Flash (Heuristic Scanner): Powers the Asset Integrity Scanner. Flash identifies technological fingerprints (frameworks, databases, architectural patterns) and returns them as structured JSON telemetry.
Google Search Grounding: The scanner utilizes Search Tooling to verify the live status of domains, ensuring that complexity scores and tech-stack detections are grounded in real-time network data.
Telemetry & Observability Layer Data Visualization: Utilizing Recharts, development velocity and resource allocation are rendered via Area and Bar Charts. This treats professional growth as a stream of system metrics rather than a static list.
Node Health System: The skills section is mapped to a resource monitoring metaphor (CPU/Memory utilization), indicating the stability and "uptime" of each technology within my stack.
Zero-Trust Methodology: Each UI component is treated as an isolated module (Scanner, Analyst, Logs), ensuring that the data flow is compartmentalized and modular.
Enterprise SIEM Aesthetic: I opted for a "Slate/Blue" color palette to maintain the professional look of enterprise software.

What I'm Most Proud Of

I’m most proud of the "Log Ingestion" paradigm. Most portfolios use "Recent Projects" or "My Projects" sections; I used a SIEM Unified Event Stream. Every project is an "Event" with a timestamp, source domain, and severity level.

ん, and?

a.infosecflavour — Tue, 19 Aug 2025 22:35:15 +0000

I recently came across a LinkedIn post about a typo squatting attack which transcended the well-known IDN homograph attacks (e.g: Latin, Greek, Cyrillic). The malicious actor was using the Japanese character ん.

Intrigued by the meaning of this, I made a research and discovered it translates into "yes" (that's why title "ん, and?", similar to Ariana Grande's viral song "Yes, And?").

It all starts with phishing

The victims receives a phishing email which seems to originate from Booking. In fact, the adversaries masqueraded (T1036) the legitimate company.

According to a data breach report issued by Verizon, phishing (T1566) is the 3rd technique to obtain initial access (TA0001), being involved in 17% of breaches.

Analyzing the e-mail, one can observe elements such as:

general greeting (Dear Partner)
the same greeting used in a sentence (Dear Partner, the level of guest service...)
the same greeting formula is used again in a sentence (Dear Partner, kindly note that a buildup...)
the message doesn't sound natural
sentence ending in both "." and ":" (All unresolved complaints are available for review here)
sentence lacking in punctuation mark (which should have been a "." We suggest that you carefully review the documentation and suggested solutions provided)
while at a first glance the link wouldn't raise concerns, hovering over would reveal the URL is in fact hxxps[://]account[.]booking[.]comんdetailんrestric-access[.]www-account-booking[.]com/en/ (the punycode domain is account[.]booking[.]xn--comdetailrestric-access-ge5vga[.]www-account-booking[.]com)

One could be easily tricked due to various reasons:

getting lured by the masquerade
lack of attention
tiredness
lack of cyber-education
accidental click
eyesight issues
panic
unfriendly dimension of the device screen

Once the first stage is accomplished, the user is redirected to the following webpage:

Suspicious signs all the way

What does the redirection page have to do with the received e-mail? The message was about complaints and then an account takeover was identified? That's how panic overtakes the critical thinking and the victim clicks on Terminate access!

After clicking on the button, the victim must complete a Captcha challenge. After selecting the correct photos, the user is prompted to perform the following steps:

Open Run
Press CTRL+ V
Press Enter

Once these steps are performed, a PowerShell script gets executed.

Sandbox detonation

Note: The following information serves for educational purposes only!

I decided to detonate the malicious URL in tria.ge sandbox.

Given the page was already categorized as malicious (e.g: Radar Cloudflare, urlscan.io, VirusTotal) as it can be observed in the capture below,

there is a page warning the visitor that the website is a suspected phishing. This can be bypassed by resolving the challenge and clicking on Ignore & Proceed button (not solving the challenge would redirect the user to the page captured below which can also be encountered when analyzing the URL via urlscan.io)

Clicking on the Terminate access button translates into solving a captcha challenge. If user tries to interact with the link below the button, there is no visible redirect. Opening a separate tab would result into showing the same page.

Although the correct images are selected, the captcha is invalid, so the user must execute the following verification steps:

Once the steps are executed, a PowerShell process is spawned, alongside other malicious background processes which can be observed in the below screenshots:

All of a sudden, I was prompted with a Windows Installer dialogue for... Vaquero!🤠

Other malicious processes: TurIndex.exe, BeaconFab.exe, PortalClien.exe, AdaptConductor.exe, NavigatorCobalt.exe. An exhaustive list can be extracted by investigating the malicious URL in a dedicated sandbox.
During the analysis, the malware took control over the behaviour, closing the Task Manager and getting stuck in a loop of selecting the files present on desktop and randomly selecting the properties option, thusmaking user interaction impossible to be performed (for example, trying to run Start)

Note that, the payload can be pasted in a Notepad (this is to be done during the faux verification steps described earlier), just like you would paste it in the run command. Make sure you do this quickly enough.

Tria.ge report conclusions

A full report can be generated by interacting with the malicious URL in the Tria.ge dedicated sandbox. The results contain the following, but are not limited to:

Suspicious use of NtCreateUserProcessOtherParentProcess
Hijack loader detected
Blocklisted process makes network requests
Modified trusted root certificate store through registries
Clipboard data
Dropped EXE executed
Dropped DLL loaded

Of course, you can run the URL in any other sandbox service, such as any.run, hybrid-analysis.com.

Beware of phishing

With that said, make sure you stay safe online.

Install a paid antivirus.
Pay attention to anything suspicious. Hover the links.
If on the tablet/ phone, press and hold the links (don't click!!).
Make use of the critical thinking- was the e-mail expected? Why do I receive that?
If you want to get in touch with a representative, do so through official means (do not contact the sources expressed in the message like phone numbers or e-mail addresses!).
Report the e-mail as phishing.

Building RoamSense: AI-powered accommodation review analysis for Romania

a.infosecflavour — Tue, 15 Jul 2025 21:54:25 +0000

Hi all,

You're thinking about ✨that holiday✨ for which you've been waiting for so long. Or perhaps it's something spontaneous like a city-break. Whichever the scenario is, accommodation plays an important part of the experience.

Meet RoamSense: Make an Informed Decision

🎯 The technical challenge: To build an application that provides an objective, data-driven analysis of accommodation reviews across Romania, cutting through the noise with intelligence.

🫡 The mission: To empower travelers to make informed decisions by reading behind the reviews and stars.

Diving into the Fundamentals & Features

At its core, RoamSense is designed to simplify accommodation selection in Romania.

1. Smart review processing engine

This is where the magic happens. I built my review processing engine using Google AI Studio – and honestly, it was a game-changer. Here's how it works:

Gemini API Integration: I leveraged the Gemini API for natural language processing (NLP) and sentiment analysis. This wasn't just about positive/negative; it was about understanding nuanced opinions and extracting structured data from unstructured text.
Prompt engineering: A significant part of the challenge was designing prompts to extract structured, comparable insights from unstructured, often colloquial, reviews.
Pre-trained models: Google's pre-trained models handled the heavy lifting, allowing me to focus on extracting specific patterns relevant to accommodation quality.
API-first approach: This design allows for real-time processing of reviews without me needing to manage complex ML infrastructure myself.

2. User-Centric design

While the AI is under the hood, the user experience is paramount. I focused on:

Intuitive interface: Nobody wants to read documentation for a travel app. It had to feel natural.
Responsive design: Works seamlessly on any device.

3. Not sure where to go? Let RoamSense surprise you

If you're unsure where to start, you can pick a random city like Brașov, Iași, or Bucharest, and RoamSense will randomly display a series of accommodations with their insights. Just throw a dart at the map!

4. Comparison Feature

One of the most technically challenging features was the comparison system. Users can compare accommodations either by:

Manual input: Traditional user-driven selection.
Pre-generated Lists: Algorithm-suggested comparisons based on user preferences and my data-driven insights.

5. Comprehensive Feature Set

On RoamSense.io, you'll find:

A powerful Search function to roam through all the analyzed Romanian accommodation reviews.
Input lists for organizing and comparing your selections.
Multi-language Support: The possibility to switch between EN and RO, addressing both local and international populations.
A Security Guide, specifically designed to protect your digital identity when booking an accommodation – a crucial, yet often overlooked, aspect.
A Checklist with questions to ask yourself before booking an accommodation.
The Manifesto, which articulates the WHY behind RoamSense's existence.

Demo

I decided to use StoryLane for the demo experience. Honestly, it's the first time I use StoryLane and I must say it's definitely a tool that speaks more than 1000 words. I really admire how the AI agent just understands the topic of presentation.

Technical Learnings & My Development Experience

Building RoamSense taught me some invaluable lessons about user-focused development and leveraging modern AI:

AI Efficiency is Real: Leveraging Google AI Studio and Gemini API dramatically cut down on development time for complex NLP tasks. I focused on prompt engineering and integration rather than building models from scratch, which saved months.
Data, not drama: This core principle became paramount. Effective review processing means extracting meaningful, actionable insights (the "data") rather than just sifting through large volumes of raw, often subjective feedback (the "drama")

What's Next for RoamSense

RoamSense is still evolving, but the core systems are robust. The next phases involve:

API optimization for even faster response times.
Mobile-first improvements and dedicated app development.
Advanced ML models for even deeper review analysis.
User Login & AI-Analyzed Reporting: Introducing a login system to allow users to directly report accommodations' pros and cons, with all submissions being AI-analyzed to further enrich the data with objective, community insights.

Connect & Collaborate on RoamSense

If you're working on travel tech, location-based services, review analysis systems, or anything involving AI for real-world problems, I'd love to connect and share insights. The intersection of travel and technology has huge potential.

Ready to experience smarter travel planning? Visit RoamSense.io and explore the demo in action!

Drop your thoughts or questions in the comments below – have you tackled similar challenges with review analysis or travel tech?

You can find other ways to connect at the end of the article.

Tech Stack

Here's the stack I used for RoamSense:

AI/ML: Google AI Studio with Gemini API for review analysis
Frontend: React
Backend: Serverless functions (leveraging APIs for specific data processing needs)
Database: serverless data storage (focused on efficient retrieval of analyzed insights)
Infrastructure: Managed cloud services

Connect & Support RoamSense

Enjoyed this deep dive into RoamSense? There are more ways to connect and support my journey:

All My Links: Find everything RoamSense in one place on my Linktree.
Buy Me a Coffee: If you appreciate my work, you can support my development efforts on Ko-fi.
Follow My Journey: Stay updated with visual content and product developments on my Instagram.

What are your thoughts on AI-powered review analysis? Have you built similar travel tech solutions? Let's discuss in the comments! 👇

Build a SOC simulator using Google AI Studio

a.infosecflavour — Thu, 03 Jul 2025 17:50:54 +0000

Hi! 🌟

Inspired by the #learningaistudio challenge, I decided to leverage the capabilities of Google AI Studio by building a SOC simulator.

Why a Security Operations Center simulator?

Having a robust Security Operations Center is a critical point for any organization which aims to become security mature. While this benefits the organization as a whole, focusing on a micro-perspective, it helps the cybersecurity analysts to properly manage the alerts.
Probably you stumbled across the term alert fatigue. This represents a common undesired situation, which can be avoided by having a well-built SOC. Give a search on Google and you'll find a lot of content related to this phenomenon.

Using the Build function in Google AI Studio, I offered this prompt
Imagine you are a SOC professional with 10 years experience. Build a SOC simulator having capabilities similar to Splunk and Elastic.

Here's what you can find:

On the left- pane side, there's the alert queue, showing 5 alerts of different severity levels: critical, high, medium and low. It's displayed also the corresponding status New, Investigating Resolved.
On the top, 4 tiles display the number of total alerts, of new incidents, of critical alerts and that of high- severity alerts
In the center there is the alert title, details and log, AI incident response book which gives the possibility to check each step (massive help for self-organization) -On the top right corner of the central pain, the analyst can select the status.

Improvements

While the result is impressive, certain improvements could be done:

assign a responsible
classify the alert as false positive or true positive
write an incident report checked by AI
export statistics in CSV, PDF, JSON

Final thoughts

Pretty impressive what you can reach with Google AI Studio. The AI playbooks are handy so the responder can fully concentrate on the actions to be done.

Let me know your thoughts about this!

Build an app with Google AI Studio | Comic Creator

a.infosecflavour — Thu, 03 Jul 2025 12:40:12 +0000

This post is my submission for DEV Education Track: Build Apps with Google AI Studio.

What I Built

Thanks to Google AI Studio, I built a short and sweet comic page (rather than comic book). User is able to provide input and in a few moments, the content is ready. Meet Comic Creator!

Demo

Here is my prompt:

please create a 4 panel comic page called Comic Creator which allows the user to provide an input. Use Perspective API and Gemini for the input filtering. Use Imagen for image generation and Gemini for text generation.
provide consistency and logic

Examples:

Posted on GitHub? Checked! ✅

My Experience

It's essential to know what you want- then adapt! One idea flows after another. That's the beauty of creation. While significant improvements can be made in terms of the result, I believe this is a good way to bring ideas to life.

Dreaming | TryHackMe

a.infosecflavour — Mon, 30 Jun 2025 21:00:00 +0000

🟩 Level of the challenge: Easy

Tools used:

Nmap
GoBuster
SSH
MySQL
Python

Starting in 3, 2 1...

Welcome to the world of dreams! The "Dreaming" challenge from TryHackMe is a beautifully crafted fantasy-themed box that takes us on a journey through the realm of Lucian, Death and Morpheus.
What makes this box special isn't just the technical aspects - it's how the creators wove together Greek mythology with cybersecurity concepts.

Initial Enumeration

I initiated the assessment using

nmap -A -v [target-ip]
to discover the following open ports:
SSH (22) - Our potential gateway once we find some credentials
HTTP (80) - A web service running Apache

Given that port 80 is open, let's follow the path of...

Web Enumeration

Down the rabbit hole, I was greeted by... drumroll please... the Apache default page!

You know that feeling when you see a default page? It's like opening a book and finding the first page blank - there's definitely more to the story, but you need to dig deeper. This was clearly a job for directory enumeration.

Directory Brute-forcing with GoBuster

I continued by using GoBuster:
gobuster dir -u http://[target-ip] -w [wordlist]
The /app directory was found.

I accessed the page and discovered a folder called pluck-4.7.13/

Web Application Analysis

Navigating to /app, I was greeted by a page containing a quote:

Bottom it can be observed the admin page. Where is that going to bring us to...?

The login page. In this situation, we can either perform some trial and error or to go for some OSINT and look for the default password of this CMS. Exploring mode activated! 🕵️

After some digging through documentation and forums, I found the default credentials.

That moment when the credentials work and you are actually inside the application? Pure magic! I spent a good amount of time just clicking around, understanding the application's structure. This isn't just about rushing to the next step - it's about understanding your environment.

Discovering the upload page was exactly what I needed. All I had to do was to surf on the web and search in exploit db (or searchsploit if you prefer CLI) a payload tailored for file upload vulnerability found in pluck-4.7.13. Exploit 49909 was the one.

Once the shell spawned, checked whoami and what the directory I was in contained.

And then changed directory to root (/)

The /opt directory caught my attention because, that's where optional software typically lives.
I discovered two Python scripts:
-getDreams.py
-test.py

I wonder what's inside the script getDreams. Am I dreaming? These are Death's MySQL credentials! Or are they? We could test them or check test.py. I'd rather go on with checking the script, because based on the order of flag retrievals, we definitely must get Lucien's flag and then Death's.

Looking at the code, the following vulnerability is observed Command Injection. The combination between the user input and shell=True results into a high risk of command injection. Basically, as a malicious actor can alter the integrity of the database by creating the name of the dreamer and instead of a legitimate input (like, the dream- Want to become a famous singer 🎤), would provide a command, with the final result of breaching the confidentiality. We'll see that in action a bit later. Let's move on to test.py.

In test.py, we literally found one Lucien's password. But I keep it redacted:

Finding credentials hardcoded in scripts is like finding a $20 bill in an old jacket - unexpected but incredibly welcome! The developers had left Lucian's password right there in the Python code. 🤩
It's a classic security mistake that we see all too often in real-world scenarios. Developers think, "It's just a test script" or "Only we have access to this."- however this translates into Insecure Credential Storage.

Lateral Movement

ssh lucian@[target-ip]
That satisfying moment when SSH accepts your credentials and you get your first proper shell! No more web application limitations - now we're on the actual system. I will look around and grab that user flag! At the same time- let's be conscious: it's not over yet! We still have two other characters whose flags can't just escape. So, after grabbing my first treasure, I will have a look into the first file, i.e .bash_history.

This is where things got really interesting. Not only have we discovered MySQL credentials [password redacted], but it can be deducted there was a privilege escalation at some point.

I connected on the MySQL database using the credentials found

The first step after connecting is performing reconnaissance by using the command show tables;, followed by select* from dreams;. Given the data obtained- remember the Command Injection vulnerability detailed earlier? Now it's time to exploit that, by inserting a new row in the table which contains a script for shell spawning.
The next step is checking the sudo capabilites of lucien. We discover that the user doesn't need a password to perform the command outlined in the screenshot. Essentially, the current user can execute getDreams.py script as death and become that user. As it can be observed, the manual entry provided earlier is not visible.

We're going to ensure lucien has the privilege to run getDreams.py script by running chmod 777 getDreams.py. Essentially, this gives read, write, execute permissions, thus establishing persistence.

That's an optional step, by the way.

Password and Mythology

I would like to ask you: did you know that Democritus trained himself for this inevitable event by going into solitude and often visiting the palms? What's Democritus' business in this whole challenge? You will get that when you see death's password 😉. I won't be revealing it here, but access getDreams.py from /death and not from /opt and you'll get there.
I love how this challenge weaves philosophical references throughout the technical content. It's not just about exploitation - it's about the journey, the preparation, the patience required to succeed. Democritus understood that mastery comes through deliberate practice and isolation from distractions. Kind of like how we need to focus deeply when we're working through complex privilege escalation paths!

By the way, here is the flag:

The Python Script mystery

Here's where the challenge got really clever. The getdreams Python script in the current directory wasn't the same as the one in /opt. This kind of PATH confusion is a common real-world privilege escalation vector. The system would execute the local script with elevated privileges because of how the permissions were set up.

Privilege Escalation

The God of Dreams Guards His Secrets.
Of course, Morpheus saved the best for him. Only in our dreams we could have accessed the file by being someone else than the God of Dreams and the son of Hypnos.

I checked whether might be temporary assignments...however, nothing came to avail.

Thus, I leveraged the power of find, to find files with SUID set

The Final Modification

The final step involved modifying the shutil.py) to grant us the permissions we needed. Notice the line in green brackets: that's what we need to add so we can elevate the privileges.

And here is the flag:

This was an astonishing tour in Lucian, Death and Morpheus world. It's time to wake up for the next challenge. Let my know your thoughts!

My first portfolio in Figma

a.infosecflavour — Fri, 27 Jun 2025 18:21:27 +0000

Good day,

I'm proudly announcing you that my first Figma portfolio is ready!
🗣️: What, are you a web-designer now?

No! You don't have to be a web-designer to create a portfolio in Figma. In fact, I illustrated my cyber security learning journey through it.

Check it out here.

While indeed- it's a prototype and not actually published to Figma Community, the portfolio is ready to be explored.🌐

🗣️: Why did you create it in Figma?

Because I find the platform extremely interesting! Based more on visuals than on writing, you can create a beautiful narration through images, animations and external links, with no code.

Landing page

The first moment you access the portfolio, you'll recognize pop-art elements. I wanted to express myself through this style, breaking free from the usual cyber security themed patterns.

The screenshot below illustrates a glimpse of the landing page, presenting the first section.

Website sections

Curious what you can find in my portfolio? On the landing page, I created three sections two of them being divided in other sub-sections. Each of the section has its own flavour.

Walk through

➡️DEV blog (yes, I am showcasing my blog!)
➡️Projects
➡️Token info

Curriculum Vitae, Certifications & Professional Contact
What languages do I know?

👉 Technologies
👉 Foreign languages

Let's take everything step-by-step. 🪜

Walk through

This section hosts a compilation of write-ups and projects + an about me type of page. Walk through the path of my learning journey. 👟
The moment you click on DEV blog section, a new tab will open with a prompt message announcing you are about to leave Figma. With that said, the redirect is not automatic, unless you'll check the box under the message so that on your 2nd visit the DEV.to page will open directly. Projects represents the reference for my Notion.so projects.
Where you can get a short identity description of whoami and how to get in touch with me is on the suggestive page titled Token info.

Curriculum Vitae, Certifications & Professional Contact

What would be a portfolio without pointing out the course of life (English for curriculum vitae) and formal acknowledges of life- long development? The documents themselves are hosted externally and can be provided upon request. Click on the link referenced in the section, to find out more!

What languages do I know?

A technology is like a foreign language. Whether you try to learn Spanish or demystify GCP, when you first encounter that you won't understand a thing! Progressively, the S3 and EC2 will be a piece of cake, as the German articles. 📎

Under Technologies, you can find the tech stack I operate with, while under Foreign languages I showcase my knowledge level in English, German and French.
Technologies steals the show by being constructed with star- rating animation in mind. Thanks to Star Maker plugin and this tutorial, I managed to breathe life into my idea.🌠
On the stage performs as no other Foreign languages , with a progress bar type of animation, due to this wonderful design. By the way, which of these animations do you like the most? Let me know in the comments!

What's your input so far? Have you ever done a portfolio on Figma? Add your value to the discussion and hit the submit button. 😎
For getting in touch, have a look here.

SOC167 - LS Command Detected in Requested URL | Letsdefend.io

a.infosecflavour — Wed, 25 Jun 2025 06:16:00 +0000

Hi everyone! Are you up for an easy blue team challenge? 🔷🔹🔷

Detection

While browsing through my daily alarms, I found this high- severity alert SOC167 - LS Command Detected in Requested URL. So I decided to take ownership on it.

Event ID: 117
Event Time: Feb, 27, 2022, 12:36 AM
Rule: SOC167 - LS Command Detected in Requested URL
Level: Security Analyst
Hostname: EliotPRD
Destination IP Address: 188.114.96.15
Source IP Address: 172.16.17.46
HTTP Request Method: GET
Requested URL :
hxxps[://]letsdefend[.]io/blog/?s=skills
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Alert Trigger Reason: URL Contains LS
Device Action: Allowed

My first guess is that the alert triggered because of the word "skills", which contains "ls" (the reason the alert triggered for). But what's special at "ls"?

The ls command is used to list files or directories in Linux and other Unix-based operating systems (source). If you want to find out more how malicious actors leverage the Linux commands to conduct attacks, then it's worth reading this article.

As I deep into analysis stage, first and foremost I start the playbook.

Even if listed earlier these artifacts, I want to do so again in order to translate the information into something friendlier.

Event Time: Feb, 27, 2022, 12:36 AM

Hostname: EliotPRD

Destination IP Address: 188.114.96.15

Source IP Address: 172.16.17.46

HTTP Request Method: GET

Requested URL: hxxps[://]letsdefend[.]io/blog/?s=skills

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0

Device Action: Allowed

It was observed on 27th of February 12:36 that host EliotPRD, which is belongs to IP 172.16.17.46, sent a GET request to the web-browser Mozilla Firefox version 24.0 for Ubuntu hxxps[://]letsdefend[.]io/blog/?s=skills which is belongs to IP 188.114.96.15.

You can find out more about the User-Agent if you leverage the search capabilities of the Internet. In this situation, the User-Agent is not suspect, but in others, using an old version of User-Agent could be correlated to a malicious activity.

In simpler words, the
Source (EliotPRD) asked the browser (Mozilla Firefox)

to go to the Destination (hxxps[://]letsdefend[.]io/blog/?s=skills) and fetch the "Skills" section.

Considering the hostname EliotPRD, this endpoint is a machine used in production environment. It is the live environment where the software is deployed for end-users.

Collecting data about the endpoint device implied in this event, we discover the following:

it's a client (not a server)
uses Ubuntu 16.04.4
it's on letsdefend.local domain
primary user: eliot
last login: Feb, 27, 2022, 12:00 AM

There is no process running.

The established connections are to a single IP address.

There was used a command date on 27th of February 01:11 AM. This command is used to display the system date and time.

And we discover the following URLs accessed:

We can correlate the URLs discovered in the Browser History with the IPs from Network Action.

Did you see that? At 27.02.2022 00:36,
hxxps[://]letsdefend[.]io/blog/?s=skills (IP: 188.114.96.15) was accessed!

So now that we gathered the evidence we can surely confirm it is an outbound connection (internal to external).

Now, let's gather data about 188.114.96.15.

As VirusTotal reveals, no AV vendor detected it as malicious.

But it there are 9 detected files communicating with the IP address, and there is a comprehensive list of graph containing. I will list here only those associated prior to the event:

We also check AbuseipDB and find the following (please note that the searches are done at the moment of writing this article, which is ~3 years after the event 😉).

The IP is static, owned by Cloudflare, which is not primarily a web hosting provider.
The IP reputation is neutral.

Further into our analysis, let's examine the HTTP traffic by checking the logs in Log Management section.

It can be observed the date, the type of log (proxy), the source address (172.16.17.46), the source port (46843), the destination address (188.114.96.15) and the destination port (443).

It can be also noticed that there is a total of 7 HTTP requests.

We can take each log and analyze the connections (example in the screenshot below):

It can be safely confirmed there is no malicious traffic between the source and the destination.

Therefore, the alarm is False Positive. It was triggered by the presence of "ls" in the word "skills".

What are your thoughts? 😉

Playing with CSV and PowerShell | Switch between columns

a.infosecflavour — Mon, 23 Jun 2025 22:24:00 +0000

Hello everyone 🤗

PowerShell mode: ON ✅

If you ever wondered how you can switch between two columns WITHOUT using Excel to do the actions, here you find the answer!

Else if you never wondered...well, stay here because you'll learn something valuable!

Else if you already know...is it the same method? 😏

Else...I'll still advise you to read the whole article! 😉

Case

In this article, you'll recognize the same file as used in Why is my CSV file messed up?.
What if we want to switch between column A (called Date and Time) and column B (called Dividend). We can do this using the power of...PowerShell!



$inputFilePath = "C:\path\KO_stock_dividend (1).csv"


$fileContent = Get-Content -Path $inputFilePath


$fileData = $fileContent | ConvertFrom-Csv


$swappedData = $fileData | ForEach-Object {
    $temp = $_."Date and Time"
    $_."Date and Time" = $_."Dividend"
    $_."Dividend" = $temp
    $_
}


$swappedCsv = $swappedData | ConvertTo-Csv -NoTypeInformation


$swappedCsv[0] = $swappedCsv[0] -replace 'Date and Time', 'tempHeader'
$swappedCsv[0] = $swappedCsv[0] -replace 'Dividend', 'Date and Time'
$swappedCsv[0] = $swappedCsv[0] -replace 'tempHeader', 'Dividend'


$swappedCsv | Set-Content -Path $inputFilePath

Write-Output "Columns and values swapped, and file saved to $inputFilePath"

And this is the output:

➡️➡️➡️Pseudocode⬅️⬅️⬅️

1. Set inputFilePath to the path of the CSV file.
2. Read fileContent from the CSV file at inputFilePath.
3. Convert fileContent to structured data (fileData).
4. For each row in fileData:
    a. Store "Date and Time" value in a temporary variable (temp).
    b. Assign "Dividend" value to "Date and Time".
    c. Assign temp value to "Dividend".
    d. Return the modified row.
5. Convert swappedData to CSV format (swappedCsv) without type information.
6. Replace "Date and Time" with a temporary header name.
7. Replace "Dividend" with "Date and Time".
8. Replace temporary header name with "Dividend".
9. Save swappedCsv back to the CSV file at inputFilePath.
10. Output "Columns and values swapped, and file saved to inputFilePath".

You probably noticed that the file will be over-written. The code can be modified so the integrity of the original file is kept.
Option A) Make sure you back-up your file before executing the script

Option B) Use PowerShell 👓


$inputFilePath = "C:\path\KO_stock_dividend (1).csv"
$outputFilePath = "C:\path\KO_stock_dividend_(1)_modified.csv"


$fileContent = Get-Content -Path $inputFilePath


$fileData = $fileContent | ConvertFrom-Csv


$swappedData = $fileData | ForEach-Object {
    $temp = $_."Date and Time"
    $_."Date and Time" = $_."Dividend"
    $_."Dividend" = $temp
    $_
}


$swappedCsv = $swappedData | ConvertTo-Csv -NoTypeInformation


$swappedCsv[0] = $swappedCsv[0] -replace 'Date and Time', 'tempHeader'
$swappedCsv[0] = $swappedCsv[0] -replace 'Dividend', 'Date and Time'
$swappedCsv[0] = $swappedCsv[0] -replace 'tempHeader', 'Dividend'


$swappedCsv | Set-Content -Path $outputFilePath

Write-Output "Columns and values swapped, and file saved to $outputFilePath"

And that's it!

Now you know how to switch/ swap two columns.

Note: Make sure to replace the path with the one you actually use. Perhaps your file is under "C:\Users\user1\Documents\Reports".

Why is my CSV file messed up?

a.infosecflavour — Mon, 23 Jun 2025 18:22:40 +0000

Hello 👋

Say you download a CSV file and your data is not formatted in a readable manner.

It can be frustrating, especially when it you need to execute the same steps all over again. Data that must be on separate columns shares the same space... And in certain cases, the data format is compromised and you need to employ other methods to obtain the desired result.

I've been there. The time I spent brushing up the file could have been used in other ways. 🕛🔵🕧

Until one day when I discovered that Excel actually has a plenty of configurable options! 😀

In your wonderful Excel file, go to
File-> Options-> Advanced and make sure the box next to the Use system separators option is unticked, just like in the image below:

Let's see an actual example:

BEFORE (i.e box ticked)

AFTER (i.e box unticked)

‼️After you applied the settings, the effect applies to the next CSV file created/ downloaded.

Almost forgot! Be sure that the Regional Settings have the format below:

Of course, this shouldn't affect your applications/ products- so take this into consideration.

And one last thing: make sure you save someone by sharing this article with them.

Do you know another method? Let me know in the comments!

LetsDefend.io | SOC202- FakeGPT Malicious Chrome Extension

a.infosecflavour — Sun, 22 Jun 2025 22:26:45 +0000

Hello 👋

Let's have a taste of LetsDefend.io challenges. Today we're studying SOC202- FakeGPT Malicious Chrome Extension. 🕵️

As it can be deducted from the alert, here are details about the event:

Severity => High
Date => May, 29, 2023, 01:01 PM
Rule name => SOC202 - FakeGPT Malicious Chrome Extension
EventID => 153
Type => Data Leakage
Hostname => Samuel
IP => 172[.]16[.]17[.]173
File name => hacfaophiklaeolhnmckojjjjbnappen.crx
File path =>
C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx
File hash =>
7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669
Command executed =>
chrome.exe --single-argument C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx
Device action => allowed

We need to check:
-> the reputation of the file hash
-> suspicious processes
-> commands executed
-> network connections
-> browser history
-> log entries indicating C2 communication

If we confirm the alert is true positive, then the endpoint will be immediately contained. Also, this means the event resulted into an incident.

Investigation

As it can be observed in the alarm details, the endpoint's hostname is Samuel. The IP address is 172[.]16[.]17[.]173. The execution was allowed, which means the .crx file was not quarantined. I proceed with checking the reputation of the given hash and then start looking for evidence of execution.

File hash check

According to VirusTotal, the hash is not flagged by any of the AV vendors.
However, the community score is negative 5. This represents an evidence which suggests the file is malicious.

Suspicious processes

The alarm was triggered on 29th of May 2023, at 01:01 PM. I am looking for processes running around the indicated time.

These are all the processes running before, during and after the event:

One of particular interest is chrome.exe.
ProcessID is 5756. Its parent process is OpenWith.exe, whose ProcessID is 7074 which in turn was executed using explorer.exe (ParentProcess). The fact that it was executed with explorer.exe means it's an action performed by the user.

I researched about OpenWith.exe and discovered it's a legitimate executable, invoked when a user tries to open a file with an extension which is not linked to a specific program. Also known as Pick an App, it typically runs from %windir%\System32\OpenWith.exe (source: Medium).
Malicious actors often rely on masquerading to evade detection, so checking the name alone is not enough. We need to see where it runs from and look for suspicious commands. Based on the process details, the process is indeed legitimate, because it ran from its usual location.

Moving to chrome.exe, it also ran from its legitimate location: C:\Program Files\Google\Chrome\Application\chrome.exe". The command line indicates a chrome extension as being run from the user's desktop: -- single-argument C:\Users\LetsDefend\Desktop\hacfaophiklaeolhnmckojjjjbnappen.crx.

Network action

After the extension execution, the endpoint communicated with 3 IPs:

52[.]76[.]101[.]124
18[.]140[.]6[.]45
172[.]217[.]17[.]142

I conducted a research on VirusTotal and discovered the IP was not flagged as malicious by any of the vendor. Checked the Community tab and found references to scam entities.

Looked also on AbuseIPDB and discovered the IP was not found in any database.

The hostname indicates it's an Amazon EC2 (Elastic Cloud Compute) instance, a virtual machine running on Amazon. The associatedregion is Singapore.

Checked the next IP. Virus Total doesn't indicate any vendor which flags the IP as malicious. However, the Community tab indicates the same scam references.

The IP was not found on AbuseIPDB. It is another EC2 instance running in Singapore.

So far, it's discovered the endpoint communicated after the event with two EC2 instances located in Singapore. While no entry indicates these are suspicious, the community details point them as being a scam.

Verified the reputation of the 3rd listed IP. No AV vendor flags it as malicious. The Community tab contains references as being associated to malicious activities.

Checked it on AbuseIPDB and found it was reported 10 times. It is mostly associated with Probe Scanning activities. Also used in DDOS attacks.

Browser history

According to the browser history, the user triggered the download of the extension at 13:01:44. The warnings were ignored. At 13:02:01, the extension was opened. The use accessed hxxps[://]chat[.]openai[.]com which is a legitimate activity. After that, most likely, the purpose of authenticating into OpenAI was to establish the link with the malicious extension.

Log investigation

Checking the log entries associated with the affected IP indicate various outbound and inbound connections are discovered:

It can be observed the endpoint established a connection with version[.]chatgpt4google[.]workers[.]dev

It is flagged as malicious by 3/94 vendors.

Next check indicates another suspicious destination host (www[.]chatgptforgoogle[.]pro)

It is flagged as malicious by 3/94 AV vendors, with a community score of -1.

Another proxy log entry indicates a connection to www[.]chatgptgoogle[.]org. A check on Virus Total indicates it's been flagged by 10/94 AV vendors. Also, the community entry relates to same info found earlier when investigating the IP in Virus Total.

The final IP points to a connection to chrome[.]google[.]com.

It can be noticed that all the connections to the external IPs were established through port 80, corresponding to protocol HTTP, which is insecure.

Based on the findings associated to the mentioned IP, the endpoint established communications with C2 infrastructure.

Containment

The endpoint is immediately contained.

Endpoint contained:

Indicators of Compromise:

SHA-256 hash:

7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669

Malicious IPs:

52[.]76[.]101[.]124
18[.]140[.]6[.]45
172[.]217[.]17[.]142

Malicious domains:

www[.]chatgptgoogle[.]org
www[.]chatgptforgoogle[.]pro
version[.]chatgpt4google[.]workers[.]dev

Malicious URL:

hxxps[://]chrome[.]google[.]com/webstore/detail/chatgpt-for-google/hacfaophiklaeolhn
mckojjjjbnappen

Recommendations

Remove the malicious extension
Re-image the affected endpoint
Check for the organizational widespread
Provide training to the affected user in relation to the usage of external software
Establish technical controls to prohibit the usage of un-approved browser extensions
Blacklist the malicious IPs, domains and URL

Splunk Boss of the SOC- Corelight trickbot ctf

a.infosecflavour — Fri, 28 Feb 2025 20:25:53 +0000

Hello everyone! It's been a while since I last posted but you know it's better later than never. 😏

During this time, I came across the following challenge: Corelight trickbot ctf.

It is available on BOSS of the SOC.

Spoiler alert ➡️You need to create an account first. You'll then discover more "games" and learning rooms. I was grateful when I discovered this site, because it teaches you how to use Splunk SIEM in a more advanced way. It's totally worth it!

Now let's dive into Corelight Partner Experience! 😎

101. How many total Suricata alerts were generated in this index?

index="corelight" sourcetype=* "suricata"
| dedup sourcetype
| table sourcetype

index="corelight"sourcetype="corelight_suricata_corelight"

47

102. Most of the alerts are being generated by a single source host. What is its IP address?

index="corelight" sourcetype="corelight_suricata_corelight"

10.0.0.31

103. What's the name of the malware family identified by these alerts?

index="corelight" sourcetype="corelight_suricata_corelight" alert.signature="ET MALWARE Win32/Trickbot Data Exfiltration"

trickbot

malware family source

104. Let's take a closer look at the "ET MALWARE Win32/Trickbot Data Exfiltration" alerts. You'll notice that three of the alerts share a single UID, meaning they all occured on a single TCP stream. What is that UID?

index="corelight"  sourcetype="corelight_suricata_corelight" "Win32/Trickbot Data Exfiltration"

CAoNRI62m9CRqS0R2

Note: The UID (Unique Identifier) in this context is used to uniquely identify a specific TCP stream or connection. When multiple alerts share the same UID, it means they are part of the same network communication session. This can be useful for correlating related events and understanding the full scope of an attack or suspicious activity.

105. What is the IP address of the malicious server involved in the alerts for this stream?

index="corelight" sourcetype="corelight_suricata_corelight" "alert.signature"="ET MALWARE Win32/Trickbot Data Exfiltration" uid=CAoNRI62m9CRqS0R2 | table src, dest

Exfiltration activity= destination
103.16.104.83

106. What layer 7 protocol is the traffic in the previous question flowing over that generates the alerts?

Layer 7 protocol = Application

Therefore, the field app comes handy.

Splunk documentation

That's intended to be the application involved in the event. For example, a user attempting to login to an SSH service would be an example of an authentication event, and the "app" would be "SSH" or "SSHD" or something along those lines.

The answer is http.

107. Taking the UID mentioned in the previous question and searching for it across the index, we see that a corelight_notice log was also generated. What is the number of the MITRE ATT&CK TTP referenced in the notice?

index="corelight" CAoNRI62m9CRqS0R2 sourcetype=corelight_notice

S0266

108. What User-Agent string was sent as part of the Trickbot HTTP requests?

index="corelight" uid=CAoNRI62m9CRqS0R2 sourcetype=corelight_http | table http_user_agent

Ghost

109. What is a process name that is repeated within the POST body of these HTTP requests?

svchost.exe

Few things about svchost.exe:

Image Path will always be: %SystemRoot%\system32\svchost.exe
Parent process: services.exe
Number of instances: many (generally at least 10, and often more than 50)
Runs with the -k parameter to differentiate/services => the absence of this parameter is a strong indication that something is off.
It's used to run service DLLs.
Pay attention to name misspells.

110. Let's look at what happened after the malware was dropped. Looking at Suricata alerts following the Trickbot alert, a popular scanning tool appears to have been used for reconnaissance. What is the name of that tool?

index="corelight" sourcetype="corelight_suricata_corelight" | stats values(alert.signature)

nessus

111. One of the alerts generated by our infected host could result in command execution on a wireless access point. Looking at the response from the remote system, however, it's pretty clear that the attack failed. How many bytes did the target send back to the attacker on this connection?

index="corelight" sourcetype="corelight_suricata_corelight" | stats values(alert.signature)

index="corelight" sourcetype="corelight_suricata_corelight" "ETPRO Exploit Possible Asus WRT LAN Backdoor Command Execution"

index="corelight" ChGTlJ1zd2PRktosx5 sourcetype=corelight_conn

0

112. Looking at the layer 7 services used by the infected host after the Trickbot alerts above, we see an SSH connection made to an internal host. What is the IP address of that host?

index="corelight" src=10.0.0.31 sourcetype=corelight_ssh auth_success=true | table dest

10.0.0.72

113. What is the PCR (producer/consumer ratio) of that SSH session?

index="corelight" CLn5mqsd7SVfTn10g sourcetype=corelight_conn

`-0.9959339475461754`

The Producer-Consumer Ratio (PCR)
measures the “shape” of a system’s pattern
of network use. Significant shifts in PCR
may indicate unusual data movement
(staging or exfil). (source)

114. Examining the inferences section of the SSH log associated with that session, one code indicates a behavior that explains the PCR we just observed. Which code is it?

index="corelight" CLn5mqsd7SVfTn10g sourcetype=corelight_ssh

LFD
LFD stands for Login Failure Daemon.
Login Failure Daemon is a continuously running process that runs all the time (Every Second) and scans all the login attempts against your server using log file entries and blocks all the entries that fail within a short period of time. These types of attacks are also known as “Brute-Force Attacks“. The Daemon process runs every second and responds very quickly to these patterns and blocks all the offending IPs quickly. (source)

115. The owner of the infected workstation had no credentials to log into 10.0.0.72 over SSH. However, there was another connection between those hosts over HTTP. What attack type was sent over that connection?

index="corelight" src=10.0.0.31 dest=10.0.0.72 sourcetype=corelight_http | table uri

(source)

index="corelight" src=10.0.0.31 dest=10.0.0.72 sourcetype=corelight_http

SQL Injection

116. What parameter of the index.php script did the infected system attempt to use for SQL injection?

username

117. What was the HTTP status code from the targeted server?

200

118. Did this SQL injection attack generate any Suricata alerts? (Yes/No)

No

119. Returning to SSH connections made by our infected host, we see a second one being made to a country the organization has no business relationship with. What country is that connection going to?

index="corelight" src=10.0.0.31 sourcetype=corelight_ssh auth_success=true

Thailand

120. Judging by the PCR (producer/consumer ratio) of this connection, data was definitely exfiltrated to this external system. What is the SSH host key of that system?

1c:6e:58:a2:57:98:33:f4:53:e8:63:46:df:a2:31:ef

121. How many payload bytes were sent over that connection?

index="corelight" CPxHxI3uiHLgH2I196 sourcetype=corelight_conn

128105745

122. The challenge author's favorite SSL certificate organization name - a default out of many certificate generation tools - is present in this index, highlighted by a Suricata alert. What is that organization name?

index="corelight" sourcetype="corelight_suricata_corelight"  | stats values(alert.signature)

Internet Widgits Pty Ltd

What are your thoughts? 😇
What do you say, will you give it a shot and be Boss of the SOC? 😎