https://hexpysya.github.io/tags/edr/Recent content in EDR on bubka hacks stuffHugo -- gohugo.ioen-usTue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/A Click Fix phishing email impersonating Microsoft lured Dylan into visiting a malicious site, which executed a disguised PowerShell command launching mshta.exe to download Lumma Stealer payload from overcoatpassably.shop. The host was contained before confirmed data exfiltration.https://hexpysya.github.io/blue_team/ld-malicious-macro-has-been-executed/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-malicious-macro-has-been-executed/A phishing email from <a href="mailto:jake.admin@cybercommunity.info" >jake.admin@cybercommunity.info</a> delivered a ZIP-archived Word macro document, which executed a PowerShell downloader fetching messbox.exe from greyhathacker.net. The host Jayne was contained after execution was confirmed.https://hexpysya.github.io/blue_team/ld-javascript-code-detected-in-requested-url/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-javascript-code-detected-in-requested-url/An external IP performed XSS reconnaissance against the /search/ endpoint, cycling through multiple injection payloads. All requests except the first returned HTTP 302, indicating server-side sanitization blocked execution. The attack did not succeed.https://hexpysya.github.io/blue_team/ld-ls-command-detected-in-requested-url/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-ls-command-detected-in-requested-url/Alert triggered on the string &rsquo;ls&rsquo; found in a legitimate search query parameter. The traffic originated from an internal IP to letsdefend.io and contains no malicious payload. False positive - rule lacks context awareness for partial string matches.https://hexpysya.github.io/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/An external Tencent Cloud IP sent a single LFI request targeting /etc/passwd via path traversal. The server returned HTTP 500 with an empty response body, confirming the attack did not succeed.https://hexpysya.github.io/blue_team/ld-idor/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-idor/External IP enumerated the /get_user_info/ endpoint via sequential IDOR requests, all returning HTTP 200 - confirming successful data exfiltration across five user accounts.https://hexpysya.github.io/blue_team/ld-whoami-command-detected-in-request-body/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-whoami-command-detected-in-request-body/An external attacker from a CHINANET-hosted IP (61.177.172.87) exploited a command injection vulnerability on WebServer1004, executing five OS commands via the ?c= parameter against /video/ - including cat /etc/passwd and cat /etc/shadow - all of which returned HTTP 200 with distinct response sizes, confirming successful remote code execution. The case was escalated to Tier 2.https://hexpysya.github.io/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/Tue, 31 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/An attacker exploited CVE-2024-24919 against a Check Point Security Gateway, successfully reading /etc/passwd via a path traversal payload. A second request targeting /etc/shadow from a related IP was blocked. The attack succeeded and the endpoint was escalated to Tier 2.https://hexpysya.github.io/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/Sun, 22 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/An attacker exploited CVE-2025-53770 against a SharePoint server, achieving unauthenticated RCE via .NET deserialization. The attacker extracted the MachineKey, compiled and dropped a payload, planted a webshell in the SharePoint layouts directory, and established a reverse connection to the attacker-controlled server.https://hexpysya.github.io/blue_team/ld-possible-sql-injection-payload-detected/Sun, 22 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-possible-sql-injection-payload-detected/An external IP hosted on DigitalOcean performed a manual SQL injection reconnaissance against an internal web server, cycling through classic SQLi payloads. All requests returned HTTP 500, confirming the attack did not succeed.https://hexpysya.github.io/blue_team/ld-phishing-alert/Tue, 17 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-phishing-alert/A phishing email with a password-protected ZIP delivered AsyncRAT via a SILENTBUILDER dropper. The victim executed the payload, establishing an active C2 channel and triggering full host reconnaissance before containment.https://hexpysya.github.io/blue_team/ld-malicious-attachment-detected---phishing-alert/Mon, 16 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-malicious-attachment-detected---phishing-alert/Investigation of a phishing email delivering a malicious Excel attachment exploiting CVE-2017-11882, leading to payload download and privilege escalation via JuicyPotatohttps://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/Sat, 14 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/User Tony downloaded and executed a malicious PowerShell script (payload_1.ps1 / agent3.ps1) classified as trojan.powershell/boxter (Azorult family). The script bypassed execution policy, then fetched and invoked a second-stage payload from kionagranada.com (161.22.46.148), establishing a two-stage C2 chain with a final pivot to 91.236.116.163.https://hexpysya.github.io/blue_team/wazuh-injection/Mon, 09 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/wazuh-injection/Detected a SQL Injection attack, observed 85 alerts across 6 rule IDs, and configured automated IP blocking via active response.https://hexpysya.github.io/blue_team/wazuh+suricata-malware-traffic/Mon, 02 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/wazuh+suricata-malware-traffic/Replayed a malicious PCAP file containing Hancitor dropper traffic that deployed Cobalt Strike, Dridex, and Ficker Stealer. Analyzed 423 Suricata alerts in Wazuh, reconstructed the full infection chain, and mapped findings to MITRE ATT&amp;CK.https://hexpysya.github.io/blue_team/wazuh_ssh-brute-force/Fri, 20 Feb 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/wazuh_ssh-brute-force/Simulated an SSH brute force attack using Hydra, observed Wazuh detection across 7 rule IDs, identified a gap in default alerting (max level 10), wrote a custom rule to escalate severity to level 12, and configured automated IP blocking via active response.