Blog Entries

02. 07. 2025 Daniel Degasperi Blue Team, Log-SIEM, SEC4U

Discovery and Credential Access via Kerberos & NTLM: A Detection-Focused Approach

Introduction Windows environments rely heavily on authentication protocols like NTLM and Kerberos. While these protocols serve critical security purposes, they are also commonly abused during malicious activities. This article explains how to detect suspicious behaviors related to Domain Account Discovery and Credential Access, specifically focusing on Enumeration, Brute Force, and Password Spraying attempts via NTLM…

Read More
25. 06. 2025 Mirko Ioris Blue Team, SEC4U

A Practical Guide to Working with Windows Authentication Logs – Part 1

If you’ve ever worked with Windows authentication logs, you know they can be a chaotic mess. Even when you’re looking for something apparently simple and useful – like tracking admin logins – you quickly find yourself in a sea of redundant entries, some of them logged for no apparent reason, and poorly documented details. I’ve…

Read More
18. 06. 2025 Luca Zeni Blue Team, CTF Writeups

Hack The Box Business CTF 2025 – Nexus Breach Journey

Stepping Deeper into the CTF World It seems that this year, I’m a step further into the world of Capture The Flag (CTF) competitions: not sure why but I don’t regret it. We’re only halfway through the year, and I’ve already participated in three events. Not a huge amount, but a noticeable jump considering that…

Read More
14. 03. 2025 Daniel Degasperi Blue Team, Log-SIEM, SEC4U

A Practical Approach to Detect Suspicious Activity in MS SQL Server

This article gives an overview and offers a practical tips to detecting some suspicious activities in Microsoft SQL Server, from configuring audit policies to leveraging Elastic for effective monitoring and threat detection. Introduction Microsoft SQL Server is one of the most widely used relational databases in the enterprise landscape, managing critical data and supporting essential…

Read More
31. 12. 2024 Luca Zeni Blue Team, SEC4U

That Time I Brought a Velociraptor and a Chainsaw into the SOC

Yes, you read that title right. Today I’m going to tell you about the time I went on a hunt to bring a velociraptor and a chainsaw into the Würth Phoenix Security Operations Center. I know that it might sound strange to many and few will believe it, but I’m sure that once you get…

Read More
30. 12. 2024 Beatrice Dall'Omo Blue Team, Red Team, SEC4U

Red and Blue Team Cooperation: Attack to Improve

Nowadays attacks evolve over time and threat actors are following different ways to reach the same objectives. This could represent a problem on the defensive side. How can you always be up-to-date and ready to detect, but then when a vulnerability is exploited be able to act in several ways depending on the threat actor?…

Read More
08. 11. 2024 Luca Zeni Blue Team, SEC4U, Threat Intelligence

SATAYO And SOC: Exchanging Data For Better Insight

In this post, we’ll explore the synergy between a Cyber Threat Intelligence (CTI) platform and a traditional Security Operations Center (SOC) service. For those interested in the topic, I recommend reading my previous article, where I demonstrated a concrete example of integration between our SIEM and SATAYO, the CTI platform we use in our SOC….

Read More
10. 09. 2024 Massimo Giaimo Blue Team, SEC4U, SOCnews

SOC News | September 10 – New RaaS Group BloodForge

The team behind the popular underground forum BlackForums has announced, on its Telegram channel, that it has formed a new pact with the BloodForge group. From this pact was born The Brotherhood, an organization that aims to provide a RaaS (Ransomware as a Service). The new BloodForge channel then presented the features and capabilities of…

Read More
30. 08. 2024 Daniel Degasperi Blue Team, SEC4U

A Concrete Example of ES|QL and SOC Detection Rules

The purpose of this article is to show a real-life case study of the integration of the new Elastic ES|QL language within the detection rules used by the SOC to detect cyber threats. Overview ES|QL (Elasticsearch Query Language) is an SQL-like query language developed by Elastic specifically for querying time series and event data stored…

Read More
16. 07. 2024 Beatrice Dall'Omo Blue Team, Red Team, SEC4U

Automate Business Processes with APIs: python-gvm

Have you already read this blog post Adding soar features to the soc part 1 vulnerability management? If not, you have to! It explains the SOAR features leveraged by the Würth Phoenix SOC and how we implement our Vulnerability Management process.  In this article, I’ll take a step back, focusing on what happens before the…

Read More
07. 06. 2024 Luca Zeni Blue Team, SEC4U

Akira Ransomware: How to Make an Efficient Detection Rule

In this article, we’re going to explore an example of the process used to perform the initial steps of creating ad hoc detection rules based on specific events that mark the world of cyber security. Specifically, starting from a real case, we’ll see the study and analysis carried out to create a rule to monitor…

Read More
24. 05. 2024 Daniel Degasperi Blue Team, SEC4U

How To Detect a Chromium Browser Stealer With Elastic

In this blog, I’ll propose and describe a solution for detecting potential infostealers targeting Chromium-based browsers, taking a cue from the research exposed by Google’s Chrome Security Team (Detecting browser data theft using Windows Event Logs). Obviously a solution using Elastic 🙂 ! What is an Infostealer (in a nutshell) ? In the realm of…

Read More
15. 03. 2024 Luca Zeni Blue Team, SEC4U

SATAYO and SOC: in the New Midlands

This article explains how the Cyber Threat Intelligence platform SATAYO serves as a powerful resource to optimize processes and strengthen threat coverage within the Würth Phoenix Attacker Centric SOC. We will analyze the utilization of SATAYO’s internal resources for creating Detection Rules and managing SOC alerts. Additionally, we will examine how the logs in SIEM…

Read More
04. 01. 2024 Mirko Ioris Blue Team, SEC4U

Hacker Group Activities and Cyber Security Concerns | Second Semester 2023

A Security Operation Center (SOC) is a service where the customer is an active participant. Establishing a good relationship with the customer is an important requirement for handling security incidents more efficiently. Our SOC analysts produce and deliver several reports, most of them on a monthly basis. They are usually presented to clients during a…

Read More
30. 10. 2023 Mirko Ioris Blue Team, Red Team, SEC4U

Adding SOAR Features to the SOC – Part 1: Vulnerability Management

Security Orchestration, Automation and Response (SOAR) is a set of functionalities used by the SOC team to automate security activites, improve workflow management and share threat intelligence data. Security Operation Centres (SOCs) can leverage SOAR to gain in-depth knowledge of the threats they face, trigger automatic responses to security issues and achieve better efficiency. In this…

Read More

Search by technology

Contact

Contact us
Serviceportal

Archive