## Alternative routes for Incident Response approach other than Windows Event Viewer?

I am currently developing an Incident Response Plan for a computer that has been hacked (no malware installed, just a system hack). My plan is to look through Windows Event Viewer to try and detect any unusual behaviour to the machine.

However, if an attacker has changed the contents of the log file or altered the time, what are the alternative routes for developing an IRP other than Windows Event Viewer?

## Using a reaction in response to reaction [on hold]

I have the following question about the situation in my session:

The monk used his action to perform “Step of the Wind”

You can spend 1 point to take the Disengage or Dash action as a bonus action on your turn, and your jump distance is doubled for the turn.

An enemy used the reaction to fire an arrow.

The monk used his reaction to Deflect Missiles.

Is it possible?

Can a character use the reaction after using an action? Can a character use the reaction in response to a reaction?

## Is there any need to test if security headers are present in response from API in javascript code?

I have found in one of the client side libraries that it is checking if response contains all of the following headers with corresponding values (as a security measure):

```
'content-type', 'application/json'
'content-type', 'charset=utf-8'
'X-Content-Type-Options', 'nosniff'
'content-disposition', 'attachment'
'X-Frame-Options', 'DENY'
```

I cannot see how validating those in a client-side library can help with security.

Does anyone have an idea whether this is reasonable or does not make any sense?

P.S. This is not a question of whether these headers should be set by the server.

P.P.S. I found this out because, for some reason, even if the header is present, I can see in the logs that this exception is sometimes thrown. I don’t really know why, but I suppose either proxies are removing headers or some browsers are removing/not returning them in JS for some reason. I’d be glad to hear why if someone knows the reason.

## Why am I getting that error on Google reCAPTCHA V2 response?

It’s my first time posting here and I’m not good with such stuff as the one I’m posting right now.

I have been trying to solve this issue for 2 days now, so I could use some help lol.

The error “Please solve the captcha.” is showing even if the captcha is verified, so it’s showing in both cases (verified/unverified).

PHP Part:

```php
<?php

require_once 'db/setting.php';
require_once 'db/odbc.php';

session_start();
error_reporting(0);

if (isset($_SERVER['HTTPS']) &&
    ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1) ||
    isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
    $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
  $protocol = 'https://';
}
else {
  $protocol = 'http://';
}

$currentDomain = $protocol.$_SERVER[HTTP_HOST];

$API["secret_key"] = "xx";
$API["api_key"] = "xx";
$API["callback"] = $currentDomain."/vote-reward-tok.php?return={RETURNEDCODE}";
$API["API_Domain"] = "http://api.top-kal.com";

$secretKey = 'xxx';
$captcha = $_POST['g-recaptcha-response'];
$ip = $_SERVER['REMOTE_ADDR'];
$responseData=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".$secretKey."&responseData=".$captcha."&remoteip=".$ip);
$responseKeys = json_decode($responseData,true);

$config["db_username"] = "sa";
$config["db_password"] = "********";
$config["db_database_account"] = "kal_auth";
$config["db_database_player"] = "kal_db";
$config["db_server"] = "NAME\SQLEXPRESS";
$config["db_driver"] = "SQL Server";

$config["Reward_Name"] = "Vote Coin";
$config["MinLvl_Require"] = 30;
$config["Reward_Index"] = 447;
$config["Reward_Amount"] = 10;
$config["Reward_Bound"] = false;
```

SQL Part

```php
function insertRewards($account_unique_id){
    global $config;
    $connect = odbc_connect('Driver={'.$config["db_driver"].'};Server='.$config["db_server"].';Database='.$config["db_database_player"].';', $config['db_username'] ,$config['db_password']);
    if(!$connect)
        return false;

    $query = odbc_exec($connect,"SELECT Top 1 [IID] FROM [Item] Where [IID] < 1 order by IID Desc");
    if(!$query)
        return false;
    $data = odbc_fetch_array($query);
    if($data && !empty($data) && isset($data["IID"]))
        odbc_exec($connect,"INSERT INTO [Item] ([PID],[IID],[Index],[Prefix],[Info],[Num])VALUES ($account_unique_id,".($data["IID"]+1).",".$config["Reward_Index"].",0,".(16+($config["Reward_Bound"] ? 128 : 0)).",".$config["Reward_Amount"].")");
}

function checkCharacters($accountUID){
    global $config;

    $connect = odbc_connect('Driver={'.$config["db_driver"].'};Server='.$config["db_server"].';Database='.$config["db_database_player"].';', $config['db_username'] ,$config['db_password']);

    if(!$connect)
        return array("error" => "failed to connect to database players.");

    $query = odbc_exec($connect,"SELECT [Level] FROM [Player] WHERE [UID] = $accountUID ORDER BY [Level] DESC");
    if(!$query)
        return array("error" => "failed to find characters in this account id.");

    while($r = odbc_fetch_array($query)){
        if($r["Level"]  >= $config["MinLvl_Require"])
            return array("success" => $accountUID);
    }
    return array("error" => "You should have one character at least higher than level : ".$config["MinLvl_Require"]." to vote.");
}

function checkAccount($accountID){
    global $config;
    $connect = odbc_connect('Driver={'.$config["db_driver"].'};Server='.$config["db_server"].';Database='.$config["db_database_account"].';', $config['db_username'] ,$config['db_password']);
    if(!$connect)
        return array("error" => "failed to connect to database accounts.");

    $query = odbc_exec($connect,"SELECT TOP 1 [UID] FROM [Login] WHERE [ID] = '$accountID'");
    if(!$query)
        return array("error" => "this account id not exists.");

    $data = odbc_fetch_array($query);
    if(!$data || empty($data) || !isset($data["UID"]))
        return array("error" => "this account id not exists.");
    if($config["MinLvl_Require"] > 0)
        return checkCharacters($data["UID"]);
    return array("success" => $data["UID"]);
}
```

Submitting Function

```php
$response = array("error" => false , "success" => false , 'redirect' => false);

function post_content($query){
    $query_array = array();
    foreach($query as $key => $key_value )
        $query_array[] = urlencode( $key ) . '=' . urlencode( $key_value );
    return implode( '&', $query_array );
}

function postParams($content){
    global $API;
    $opts = array('http' =>
        array('method'  => 'POST',
              "header" => "Content-type: application/x-www-form-urlencoded\r\nAuthorization:".base64_encode($API["api_key"].":".$API["secret_key"])."\r\n",
              "content" => post_content($content)));
    return stream_context_create($opts);
}

function submit(){
    global $API;
    if(empty($captcha) || $captcha == '' || !isset($captcha))
        return array(   "error" => "Please solve the captcha.");

    if (empty($_POST['account']) || !ctype_alnum($_POST['account']))
        return array(   "error" => "Invalid account id.");

    $checkAccount = checkAccount($_POST['account']);

    if (isset($checkAccount["error"]))
        return array("error" => $checkAccount["error"]);

    if (isset($checkAccount["success"])){
        $account_unique_id = (isset($_SESSION['kal_id'])) ? $_SESSION['kal_id'] : $checkAccount["success"];
        $result = json_decode(file_get_contents($API["API_Domain"] . '/api/generate/vote-rewards-token', false, postParams(array('callback' => $API["callback"],'account_unique_id' => $account_unique_id ))) , true);
        {
            echo '<br><center><h3>Please wait...</h3></center>';
        }
        if (!empty($result)){
            if (isset($result["response"])){
                if (isset($result["response"]["error"]))
                    return array("error" => $result["response"]["error"]);
                elseif (isset($result["response"]["success"]))
                    return array("redirect" => '<script type="text/javascript">setTimeout(function () { window.location.href = "'.$result["response"]["success"].'";}, 500)</script>');
            }
        }
    }
}

if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['account'])){
    $response = submit();
    if (isset($response['redirect']) && $response['redirect']){
        echo $response['redirect'];
        die;
    }
}elseif (isset($_GET['return'])){
    $result = json_decode(file_get_contents($API["API_Domain"] . '/api/verify/vote-rewards-token', false, postParams(array('returned_code' => $_GET['return']))) , true);
    if (!empty($result)){
        if (isset($result["response"])){
            if (isset($result["response"]["error"]))
                $response['error'] = $result["response"]["error"];
            elseif (isset($result["response"]["success"])){
                insertRewards($result["response"]["account_unique_id"]);
                $response['success'] = '<b>Thank you, Your vote has been recorded and the server rank will be updated soon.<b><br />You will receive your rewards in storage of your account.<p>Your next vote in : <b>' . $result["response"]["NextVote"] . '</b></p>';
            }
        }
    }
}
?>
```

HTML part:

```html
<head>
  <title>Vote Rewards - <?php echo $config['serverName']; ?></title>
  <link rel="shortcut icon" href="images/favicon.png">
  <link rel="stylesheet" href="css/vote.css">
  <link rel="stylesheet" href="css/fontawesome.css">
  <link rel="stylesheet" href="css/fontawesomeall.css">
  <script src='https://www.google.com/recaptcha/api.js'></script>
</head>
<body>
  <form class="vote-form" method="post">
    <noscript><div class="isa_error">Javascript is not enabled in your browser! Please enable it or change your browser.</div></noscript>
    <?php if(isset($response['error']) && $response['error']){ ?><div class="isa_error"> <?php echo $response['error'] ;?> </div> <?php } ?>
    <?php if(isset($response['success']) && $response['success']){ ?><div class="isa_success"> <?php echo $response['success'] ;?> </div>
    <?php }else{ ?>
    <label>
      <span>Account ID :</span>
      <input type="text" name="account" maxlength="20" <?php echo (isset($_SESSION['kal_username'])) ? 'readonly value="'.$_SESSION['kal_username'].'"' : ""; ?>" />
    </label>
    <div class="g-recaptcha" style="margin:0 auto;" data-sitekey="xxx" data-theme="dark"></div>
    <label class="label_btn">
      <input type="submit" class="button" value="Vote" />
    </label>
    <?php } ?>
  </form>
  <script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
</body>
</html>
```

Sorry if the topic is way too long but I’m desperate =DD

## Getting feed response in SharePoint framework

I am trying to get SharePoint feed data in SharePoint framework. I tried different approaches but am getting different errors.

```typescript
var promise = new Promise((resolve, reject) => {
  var url = "SharepointListFeedsURL";
  const httpClientOptions: IHttpClientOptions = {
    headers: new Headers(),
    method: "GET",
    mode: "cors"
  };
  this.context.spHttpClient.get(url, SPHttpClient.configurations.v1, httpClientOptions)
    .then((results: SPHttpClientResponse): Promise<any> => {
      return results.json();
    }).then((data: any) => {
      $.each(data.data, (index) => {
        allData.push(data.data[index]);
      });
    }).catch((error) => {

    });
  });
});
return promise;
```

Errors:

Blocked by CORS policy: The ‘Access-Control-Allow-Origin.

And

workbench.html:1 Access to fetch at ‘https://www.xyz.cl/api’ from origin ‘https://localhost:4321’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: It does not have HTTP ok status.

Getting below errors when running in sharepoint env

```
Refused to get unsafe header "SPClientServiceRequestDuration"
Refused to get unsafe header "SPRequestGuid"
Refused to get unsafe header "X-SERVICEWORKER-DATA-SOURCE"
Refused to get unsafe header "SPRequestGuid"
Refused to get unsafe header "X-ServiceWorkerFetchInfo"
```

How do we solve this?

## Referer value reflected in location response?

I found a login form on a website that redirects you regardless of whether the inserted credentials are correct or wrong (302 redirect). I noticed that the value of the `Referer:` header is sent in the `Location:` header of the response. So for example, if Referer is set to https://www.google.com you will be redirected to https://www.google.com. Is it possible to set an arbitrary Referer value via CSRF and redirect other users?
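Copying `Referer` into `Location` unchanged is an open-redirect pattern. The following added example (not part of the original post) shows one way a server could constrain it. The function name, `https://app.example` and the sample values are constructed for illustration.

```javascript
// Added example: only reuse a Referer as the redirect target when it points
// back at our own origin, and emit a path-only Location value.
// redirectTarget, ownOrigin and fallbackPath are hypothetical names.
function redirectTarget(refererHeader, ownOrigin, fallbackPath) {
  if (typeof refererHeader !== "string" || refererHeader === "") {
    return fallbackPath; // header absent or stripped by the client
  }
  let url;
  try {
    url = new URL(refererHeader); // a Referer is always an absolute URL
  } catch (e) {
    return fallbackPath; // malformed value
  }
  // Compare the parsed origin, never a string prefix: a prefix test would
  // accept "https://app.example.other.test/".
  if (url.origin !== ownOrigin) {
    return fallbackPath;
  }
  const path = url.pathname + url.search;
  // "//host" and "/\host" are read by browsers as scheme-relative URLs,
  // so a same-origin Referer whose path starts that way is rejected too.
  if (/^\/[\/\\]/.test(path)) {
    return fallbackPath;
  }
  return path;
}

// Constructed sample values.
const OWN = "https://app.example";
const samples = [
  "https://www.google.com",
  "https://app.example/account?tab=1",
  "https://app.example//www.google.com/",
  "https://app.example.other.test/login",
  "not a url",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", redirectTarget(s, OWN, "/"));
}
```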

## Non-linear ODE from closed-loop system and Response (Part II)

I again need help with the Mathematica. We have the following affine system. I need to get expressions describing the changes of $$x_{1} \left( t \right)$$ or $$x_{2} \left( t \right)$$. The only thing that turned out to me was to build a numerical representation on the graph.

1. What command is used in Maple to get the equation of the desired output variable? I tried using the Extract command, but as an answer, the math showed just “$$x_{1} \left( t \right)$$”;
2. It is seen that the ODE is essentially nonlinear. How to present in Math not necessarily an exact solution, but at least in the form of a series at a specified time interval?

There is my code:

```mathematica
asys = AffineStateSpaceModel[{
    Subscript[x, 1]'[t] == (Power[Subscript[x, 1][t], 2] + Power[Subscript[x, 2][t], 2]) 0.2 Sin[4 t] - 0.2 Cos[4 t] + Subscript[u, 1][t],
    Subscript[x, 2]'[t] == (Power[Subscript[x, 1][t], 2] + Power[Subscript[x, 2][t], 2]) 0.3 Sin[5 t] - 0.3 Cos[5 t] + Subscript[u, 2][t]},
  {Subscript[x, 1][t], Subscript[x, 2][t]},
  {Subscript[u, 1][t], Subscript[u, 2][t]},
  {Subscript[x, 1][t], Subscript[x, 2][t]}, t]

Plot[OutputResponse[{asys, -1}, {0, 0}, {t, 0, 500}] // Evaluate, {t, 0, 500}]
```

## preflight returns 401 response even though headers correct

I am trying to access a SharePoint server REST API to upload some files. Access is via our Tomcat application.

Although I believe I set up the headers correctly in IIS, the request does not pass the preflight.

```
Request                         OPTIONS /_api/contextinfo HTTP/1.1
Accept                          */*
Origin                          http://localhost:8080
Access-Control-Request-Method   POST
Access-Control-Request-Headers  content-type, accept
Accept-Encoding                 gzip, deflate
User-Agent                      Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; MAAU; rv:11.0) like Gecko
Host                            temp-sharepoint
Content-Length                  0
Connection                      Keep-Alive
Cache-Control                   no-cache
```

```
Response                          HTTP/1.1 401 Unauthorized
Content-Type                      text/plain; charset=utf-8
Server                            Microsoft-IIS/7.5
SPRequestGuid                     8d690d9d-d06e-101d-6038-8056a7fce7c2
request-id                        8d690d9d-d06e-101d-6038-8056a7fce7c2
X-FRAME-OPTIONS                   SAMEORIGIN
SPRequestDuration                 5
SPIisLatency                      1
WWW-Authenticate                  Negotiate
WWW-Authenticate                  NTLM
X-Powered-By                      ASP.NET
MicrosoftSharePointTeamServices   15.0.0.4569
X-Content-Type-Options            nosniff
X-MS-InvokeApp                    1; RequireReadOnly
Access-Control-Allow-Origin       *
Access-Control-Allow-Credentials  true
Access-Control-Allow-Methods      GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Headers      accept,content-type
Date                              Fri, 05 Jun 2015 15:52:01 GMT
Content-Length                    16
```

My code to request

```javascript
var url = sharepointURL + "/_api/contextinfo";
jQuery.ajax({
    url: url,
    type: "POST",
    headers: {
        "Accept": "application/json; odata=verbose"
    },
    xhrFields: {
        withCredentials: true
    },
    crossDomain: true,
    contentType: "application/json;odata=verbose",
});
```

Why is it not passing the preflight? Have I misconfigured the headers?
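A browser sends the preflight `OPTIONS` request without credentials and requires an ok (2xx) status plus matching `Access-Control-*` headers. That is also the check named in the "does not have HTTP ok status" error of the SharePoint framework question above. The added example below (not code from either post) runs a simplified version of those checks over the exchange quoted in this post; function and field names are hypothetical.

```javascript
// Added example: simplified form of the checks a browser applies to a CORS
// preflight response. checkPreflight and its argument shapes are hypothetical.
const SAFELISTED_METHODS = ["get", "head", "post"];

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function checkPreflight(req, res, withCredentials) {
  const failures = [];
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v.trim();

  // The preflight carries no credentials and must still get a 2xx answer.
  if (res.status < 200 || res.status > 299) failures.push("status " + res.status + " is not ok");

  // Origin check: "*" is acceptable only when the real request has no credentials.
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) failures.push("Access-Control-Allow-Origin missing");
  else if (withCredentials && acao === "*") failures.push("wildcard origin with credentials");
  else if (acao !== "*" && acao !== req.origin) failures.push("origin not allowed");
  if (withCredentials && h["access-control-allow-credentials"] !== "true")
    failures.push("Access-Control-Allow-Credentials is not true");

  // Method and header checks; "*" is a wildcard only without credentials.
  const wildcardOk = !withCredentials;
  const methods = parseList(h["access-control-allow-methods"]);
  const method = req.method.toLowerCase();
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method) &&
      !(wildcardOk && methods.includes("*"))) failures.push("method not allowed");
  const allowed = parseList(h["access-control-allow-headers"]);
  for (const name of parseList(req.headers)) {
    if (!allowed.includes(name) && !(wildcardOk && allowed.includes("*")))
      failures.push("header not allowed: " + name);
  }
  return failures;
}

// The exchange quoted in the post, reduced to the CORS-relevant fields.
const postedRequest = { origin: "http://localhost:8080", method: "POST", headers: "content-type, accept" };
const postedResponse = {
  status: 401,
  headers: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,PUT,POST,DELETE,OPTIONS",
    "Access-Control-Allow-Headers": "accept,content-type",
  },
};
console.log(checkPreflight(postedRequest, postedResponse, true));
```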

## hping3 response for every packet

Is there an option where we can receive timeouts for every lost packet when using hping3?

Also, can we send 1 packet per second?

-Anoop

## Incident response to a medium scale phishing attack whereas the targets are not from our company?

Our company suffered a phishing attack yesterday. While investigating the attacker and the potential employees of ours who might have been phished, we ended up with the attacker's database of phished users.

This database includes user emails and passwords (~40) from multiple companies (~10) who seem to be sharing the same phishing attack as us. Moreover, it seems that the targets are high profile.

So far, here is what we have been accomplishing:

• Contact targeted companies and list phished users
• Contact websites where the phishing attack is happening (it is happening on multiple hacked websites so it’s hard to stop it)

However, we’re not sure this is the best way to deal with the following situation. Here is why:

• More and more users still enter their credentials, it is not our role to secure other companies' users, and we would like to stop wasting time on this (most of the companies are following up on our email or calling us asking for more details).

• We are worried that some companies (the targeted companies being in the same industry as us) might not understand us well and think we are in some way associated with that phishing attack because we are one of their competitors.

• We are doing security for our competitors (so we’re spending money for them).

One solution could be to publish a blog post, but it has downsides too, such as being seen as a toxic player because we would be pointing fingers at our competitors' security. Another solution would be not to contact these companies and let them get compromised.

What would be the best way to react to this phishing attack?