https://hexpysya.github.io/tags/true-positive/Recent content in True Positive on bubka hacks stuffHugo -- gohugo.ioen-usTue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-lumma-stealer---dll-side-loading-via-click-fix-phishing/A Click Fix phishing email impersonating Microsoft lured Dylan into visiting a malicious site, which executed a disguised PowerShell command launching mshta.exe to download Lumma Stealer payload from overcoatpassably.shop. The host was contained before confirmed data exfiltration.https://hexpysya.github.io/blue_team/ld-malicious-macro-has-been-executed/Tue, 14 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-malicious-macro-has-been-executed/A phishing email from <a href="mailto:jake.admin@cybercommunity.info" >jake.admin@cybercommunity.info</a> delivered a ZIP-archived Word macro document, which executed a PowerShell downloader fetching messbox.exe from greyhathacker.net. The host Jayne was contained after execution was confirmed.https://hexpysya.github.io/blue_team/ld-javascript-code-detected-in-requested-url/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-javascript-code-detected-in-requested-url/An external IP performed XSS reconnaissance against the /search/ endpoint, cycling through multiple injection payloads. All requests except the first returned HTTP 302, indicating server-side sanitization blocked execution. The attack did not succeed.https://hexpysya.github.io/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-passwd-found-in-requested-url---possible-lfi-attack/An external Tencent Cloud IP sent a single LFI request targeting /etc/passwd via path traversal. The server returned HTTP 500 with an empty response body, confirming the attack did not succeed.https://hexpysya.github.io/blue_team/ld-idor/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-idor/External IP enumerated the /get_user_info/ endpoint via sequential IDOR requests, all returning HTTP 200 - confirming successful data exfiltration across five user accounts.https://hexpysya.github.io/blue_team/ld-whoami-command-detected-in-request-body/Thu, 02 Apr 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-whoami-command-detected-in-request-body/An external attacker from a CHINANET-hosted IP (61.177.172.87) exploited a command injection vulnerability on WebServer1004, executing five OS commands via the ?c= parameter against /video/ - including cat /etc/passwd and cat /etc/shadow - all of which returned HTTP 200 with distinct response sizes, confirming successful remote code execution. The case was escalated to Tier 2.https://hexpysya.github.io/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/Tue, 31 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919/An attacker exploited CVE-2024-24919 against a Check Point Security Gateway, successfully reading /etc/passwd via a path traversal payload. A second request targeting /etc/shadow from a related IP was blocked. The attack succeeded and the endpoint was escalated to Tier 2.https://hexpysya.github.io/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/Sun, 22 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-cve202553770-sharepoint-toolshell-auth-bypass-and-rce/An attacker exploited CVE-2025-53770 against a SharePoint server, achieving unauthenticated RCE via .NET deserialization. The attacker extracted the MachineKey, compiled and dropped a payload, planted a webshell in the SharePoint layouts directory, and established a reverse connection to the attacker-controlled server.https://hexpysya.github.io/blue_team/ld-possible-sql-injection-payload-detected/Sun, 22 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-possible-sql-injection-payload-detected/An external IP hosted on DigitalOcean performed a manual SQL injection reconnaissance against an internal web server, cycling through classic SQLi payloads. All requests returned HTTP 500, confirming the attack did not succeed.https://hexpysya.github.io/blue_team/ld-phishing-alert/Tue, 17 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-phishing-alert/A phishing email with a password-protected ZIP delivered AsyncRAT via a SILENTBUILDER dropper. The victim executed the payload, establishing an active C2 channel and triggering full host reconnaissance before containment.https://hexpysya.github.io/blue_team/ld-malicious-attachment-detected---phishing-alert/Mon, 16 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-malicious-attachment-detected---phishing-alert/Investigation of a phishing email delivering a malicious Excel attachment exploiting CVE-2017-11882, leading to payload download and privilege escalation via JuicyPotatohttps://hexpysya.github.io/blue_team/thm-phishing-unfolding/Mon, 16 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/thm-phishing-unfolding/https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/Sat, 14 Mar 2026 00:00:00 +0000https://hexpysya.github.io/blue_team/ld-soc153---suspicious-powershell-script-executed/User Tony downloaded and executed a malicious PowerShell script (payload_1.ps1 / agent3.ps1) classified as trojan.powershell/boxter (Azorult family). The script bypassed execution policy, then fetched and invoked a second-stage payload from kionagranada.com (161.22.46.148), establishing a two-stage C2 chain with a final pivot to 91.236.116.163.