githubfoam

## rogue dhcp detection cheat sheet
#====================================================================
#one log file per day
#script rotates daily by filename (rogue_dhcp_discover_warning_YYYY-MM-DD.log)
#Hourly cron job → appends to today’s log file.
#Next day → new file automatically created.
#Old logs (>30 days) are auto-deleted.

#!/bin/bash
# rogue_dhcp_monitor.sh
# Purpose: Detect multiple DHCP servers and log warnings or info

## nagios_core_container_experience
--------------------------------------------------------------------------------------------------
# Check if container is running
docker-compose -f docker-compose.yml.ubuntu ps


Check the container is running
docker ps
Look for your Nagios container, something like:
nagios_core   0.0.0.0:8080->80/tcp   Up   nagios:4.5.9

## wayback maschine cheat sheet
#====================================================================
Nginx config

Why search:

Nginx server configuration.
 Nginx is a popular web server, and its configuration files (nginx.conf) control
 how the server processes requests, handles proxies, and serves content. An exposed
 config file can reveal server secrets and misconfigurations.

## kill-chain model
============================================================================
The kill-chain model, originally developed by Lockheed Martin as the Cyber Kill Chain, is a framework that helps Security Operations Center (SOC) engineers analyze cyberattacks in a structured way. It breaks down an attack into stages, allowing SOC engineers to understand, detect, and respond effectively.
How a SOC Engineer Uses the Kill-Chain Model

SOC engineers use the kill-chain model to:

    Detect Threats Earlier: By recognizing attack patterns at different stages, they can stop an attack before it progresses.

    Improve Incident Response: Helps prioritize threats based on their progression within the chain.

## falco detection cheat sheet
#======================================================================
Simulated Detection Scenarios

Falco – Chmod 777

Scenario: Attacker gives full permissions to a sensitive file.

Simulate:

touch /tmp/test.sh && chmod 777 /tmp/test.sh

## wazuh cheat sheet
#======================================================================
Part 2: Simulated Detection Scenarios
✅ Wazuh – File Integrity Monitoring

Scenario: Someone modifies /etc/passwd.

Simulate:

echo "#TEST123" >> /etc/passwd

## xdr cheat sheet
#======================================================================
To make an informed decision on purchasing an XDR product, you need a structured approach to evaluating vendors and ensuring the solution meets your security needs. Here's how you can organize the process effectively:

1. Define Evaluation Goals & Success Criteria

    Establish clear objectives for adopting an XDR solution (e.g., better threat detection, improved response automation).

    Identify key security gaps that need addressing.

    Define measurable success criteria for the evaluation (e.g., ease of integration, accuracy of threat detection, response time).

## PAM - privilleged access management cheat sheet
#===================================================================================================================================
What does a Holistic Approach in PAM involve?

    Comprehensive User Access Control

        Not only managing privileged users, but also regular employees, third-party contractors, and automated system accounts.

        Example: Instead of just securing admin accounts, PAM also tracks access for interns, vendors, and service accounts across all systems

Integration with Other Systems

## eduroam cheat sheet
To uninstall the CAT (Configuration Assistant Tool) installer from eduroam on Windows 10

PS:
The CAT installer itself usually configures the network and installs certificates but does not stay as a running application, so it often doesn’t show up in Programs

Remove eduroam from Windows
https://servicedesk.msstate.edu/TDClient/45/Portal/KB/ArticleDet?ID=1625

Method 1: Using Windows Settings (Recommended)
Uninstalling the eduroam CAT Installer Configuration

## base 64 detection cheat sheet
#===================================================================================================================================
Base64-Encoded C2 Domain: Explanation & Examples
What is Base64 Encoding?

Base64 is a method of encoding binary data into ASCII text, often used to obfuscate malicious commands, URLs, or payloads to evade detection.
Why Do Attackers Use Base64 for C2 Communication?

    Evasion: Many security tools scan for known malicious domains in plaintext.

    Obfuscation: Makes malicious traffic harder to identify in logs.
	#====================================================================
	#one log file per day
	#script rotates daily by filename (rogue_dhcp_discover_warning_YYYY-MM-DD.log)
	#Hourly cron job → appends to today’s log file.
	#Next day → new file automatically created.
	#Old logs (>30 days) are auto-deleted.

	#!/bin/bash
	# rogue_dhcp_monitor.sh
	# Purpose: Detect multiple DHCP servers and log warnings or info
	--------------------------------------------------------------------------------------------------
	# Check if container is running
	docker-compose -f docker-compose.yml.ubuntu ps


	Check the container is running
	docker ps
	Look for your Nagios container, something like:
	nagios_core 0.0.0.0:8080->80/tcp Up nagios:4.5.9
	#====================================================================
	Nginx config

	Why search:

	Nginx server configuration.
	Nginx is a popular web server, and its configuration files (nginx.conf) control
	how the server processes requests, handles proxies, and serves content. An exposed
	config file can reveal server secrets and misconfigurations.
	============================================================================
	The kill-chain model, originally developed by Lockheed Martin as the Cyber Kill Chain, is a framework that helps Security Operations Center (SOC) engineers analyze cyberattacks in a structured way. It breaks down an attack into stages, allowing SOC engineers to understand, detect, and respond effectively.
	How a SOC Engineer Uses the Kill-Chain Model

	SOC engineers use the kill-chain model to:

	Detect Threats Earlier: By recognizing attack patterns at different stages, they can stop an attack before it progresses.

	Improve Incident Response: Helps prioritize threats based on their progression within the chain.
	#======================================================================
	Simulated Detection Scenarios

	Falco – Chmod 777

	Scenario: Attacker gives full permissions to a sensitive file.

	Simulate:

	touch /tmp/test.sh && chmod 777 /tmp/test.sh
	#======================================================================
	Part 2: Simulated Detection Scenarios
	✅ Wazuh – File Integrity Monitoring

	Scenario: Someone modifies /etc/passwd.

	Simulate:

	echo "#TEST123" >> /etc/passwd
	#======================================================================
	To make an informed decision on purchasing an XDR product, you need a structured approach to evaluating vendors and ensuring the solution meets your security needs. Here's how you can organize the process effectively:

	1. Define Evaluation Goals & Success Criteria

	Establish clear objectives for adopting an XDR solution (e.g., better threat detection, improved response automation).

	Identify key security gaps that need addressing.

	Define measurable success criteria for the evaluation (e.g., ease of integration, accuracy of threat detection, response time).
	#===================================================================================================================================
	What does a Holistic Approach in PAM involve?

	Comprehensive User Access Control

	Not only managing privileged users, but also regular employees, third-party contractors, and automated system accounts.

	Example: Instead of just securing admin accounts, PAM also tracks access for interns, vendors, and service accounts across all systems

	Integration with Other Systems
	To uninstall the CAT (Configuration Assistant Tool) installer from eduroam on Windows 10

	PS:
	The CAT installer itself usually configures the network and installs certificates but does not stay as a running application, so it often doesn’t show up in Programs

	Remove eduroam from Windows
	https://servicedesk.msstate.edu/TDClient/45/Portal/KB/ArticleDet?ID=1625

	Method 1: Using Windows Settings (Recommended)
	Uninstalling the eduroam CAT Installer Configuration
	#===================================================================================================================================
	Base64-Encoded C2 Domain: Explanation & Examples
	What is Base64 Encoding?

	Base64 is a method of encoding binary data into ASCII text, often used to obfuscate malicious commands, URLs, or payloads to evade detection.
	Why Do Attackers Use Base64 for C2 Communication?

	Evasion: Many security tools scan for known malicious domains in plaintext.

	Obfuscation: Makes malicious traffic harder to identify in logs.