Creating my first Osquery extension to generate CommunityIDs with Osquery-python on Windows

Osquery is my favorite open-source security tool and Python is my favorite programming language so fusing them together allows us to engineer tools to detect threats. This blog post will build an Osquery-python extension to calculate the CommunityID of a network connection utilizing the Osquery-polylogyx extension pack to monitor network connections. In blog posts to follow, we will correlate network-based events generated by Zeek and host-based events generated by Osquery using the CommunityID. So follow me as your adventure guide on this development journey to make an Osquery extension with osquery-python.

Continue reading

Install/Setup MISP on Ubuntu 18.04 with an intro to PyMISP

In this blog post, we are going to cover how to install MISP on Ubuntu 18.04. Once MISP is installed, we will do an introduction to the PyMISP API to store indicators of compromise (IOCs) in MISP and query IOCs from MISP. This blog post will serve as the foundation for future blog posts moving forward.

Continue reading

Part 2: Intro to Threat Hunting – Understanding the attacker mindset with Powershell Empire and the Mandiant Attack Lifecycle

In this blog post, I continue my pursuit of knowledge to become a threat hunter. This blog post will introduce the following concepts: understanding the attacker mindset with the Mandiant Attack Lifecycle, performing a red team exercise to demonstrate the tools and techniques used by attackers with Powershell Empire, and observing how attacker activity leaves behind a trail of artifacts. These concepts will create the foundation we will use in future blog posts to hunt for malicious activity.

Continue reading

Tagged

PoC: Mail.app the boomerang of reverse shells on macOS

This blog post is going to demonstrate a proof of concept (PoC) of sending an e-mail to trigger the Mail app (mail.app) to create a reverse shell. The Mail app has built-in functionality that can trigger an Applescript to execute code when certain conditions (new e-mail in inbox from bob, deletion of e-mail, or an e-mail containing certain text) occur within the Mail app. This functionality provides a method to initiate a reverse shell without user interaction or placing a persistent mechanism in a well-known location. The method below will utilize this functionality to monitor e-mails from a particular user, upon receiving an e-mail from said user, a reverse shell will call back to our Powershell Empire server.

Continue reading

PoC: Exfiltrating data on macOS with Folder Actions

This blog post is going to demonstrate a proof of concept (PoC) to exfiltrate data from macOS with a built-in functionality called Folder Actions. The Folder Actions functionality triggers Applescripts to execute code when certain conditions (creating files, deleting files, etc.) occur by interactions with Finder. This functionality provides a method to exfiltrate data without the need for a shell to execute the actions. The Applescript provided below will utilize this functionality to monitor for new files in the user’s Download folder and, upon detection of a new file, exfiltrate a copy of the file to a remote server.

Continue reading

Part 1: Learning web security – Reflected Cross-site Scripting (XSS)

As part of my personal growth, I decided to learn web security. This blog post is going to demonstrate one of OWASP’s top ten vulnerabilities called “Cross-site scripting”. The exercises in this blog post demonstrate the vulnerability within code. Take part in my journey as I learn the web with this vulnerability known as cross-site scripting.  Continue reading

My journey for upgrading Proxmox VE 5.4 to 6.0

Most guides on the internet show you how to upgrade Proxmox 5.4 to 6.0 via the built-in mechanism. However, for major version upgrades, I prefer to do an installation from scratch, NOT applying the update via apt-get upgrade. This method of upgrading allows me to clean up any crud that has accumulated over the years. Lastly, this guide will cover how to backup your VMS before upgrading to Proxmox 6.0. Continue reading

PoC: Monitoring user browser activity with Osquery

This proof-of-concept (PoC) will demonstrate how to use Osquery to monitor the browser activity of users. Not only will this PoC collect browser activity, but it will also use VirusTotal to rank each URL to detect malicious activity. In addition to VirusTotal, this PoC will utilize Rsyslog, Osquery, Kafka, Splunk, Virustotal, Python3, and Docker as a logging pipeline. Once this pipeline has been implemented, your security team will have the ability to protect your user’s from today’s most serious threats on the web.

Continue reading

Back in the saddle: Install/Setup Elastic stack 7.0 on Ubuntu 18.04

Wow, the last time I really used the Elastic Stack it was called the ELK stack, and it was version 2.0. A lot of things have changed since then, so I am going to do an updated post on installing and setting up the Elastic stack.

Continue reading

Detecting malicious downloads with Osquery, Rsyslog, Kafka, Python3, and VirusTotal

This blog post will explore how to set up a simple logging pipeline to detect maliciously downloaded files. This setup will utilize technologies such as Osquery, Rsyslog, Kafka, Docker, Python3, and VirusTotal for a logging pipeline. If this pipeline detects a malicious file, a Slack alert will be triggered.

Continue reading