Tales of a Red Teamer: How to setup a C2 infrastructure for Powershell Empire – UB 2018

This past weekend, I had the pleasure of red teaming at University of Buffalo’s competition called Lockdown. It was a fantastic competition and I had ALOT of fun interacting/challenging the blue teamers on Windows. This blog post will focus on my C2 infrastructure setup for Powershell Empire.

Continue reading

Install/Setup Kolide Fleet + Graylog + OSQuery with Windows and Linux deployment

In this blog post we will be installing, setting up, and utilizing Kolide Fleet as our OSQuery fleet manager. As stated by¬†Kolide, ” Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook’s battle-tested OSQuery project, Fleet delivers fast answers to big questions.” In future blog posts I plan on using this tool for incident response and threat hunting scenarios.

Continue reading

Part 2a: Intro to Threat Hunting with Kolide Fleet, OSQuery, Powershell Empire, and Caldera – Setup environment

In this blog post series, I am documenting my novice pursuit for knowledge to become a threat hunter. This series has a strong focus on utilizing OSQuery to hunt for different techniques used by adversaries. The first post of this series, will consist of instructions to set up a lab environment. The second post of this series will be walking through red team scenarios with Powershell Empire, and MITRE’s cyber adversary emulation system called Caldera.

The third post in this series, will utilize OSQuery to hunt red team activity by discovering artifacts and modifications made to the system. The fourth post in this series, will integrate our successful hunts into Graylog for logging and alerting. Lastly, this series will be generating threat-hunting playbooks and scoring our detection capabilities using Cyb3rWard0g’s system.

Continue reading

Install/Setup MITRE Caldera the automated cyber adversary emulation system

In this blog post I will be covering how to setup and utilize MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you can create adversary campaigns that are deployed to your agents. Your agents will periodically call back with their results and progress. Let’s begin!

Continue reading

Part 1: Intro to Threat Hunting with Powershell Empire, Windows event logs, and Graylog

One of the biggest trends in infosec, besides the word cyber, is threat hunting. First, I want to start by defining threat hunting as the action of “investigation without cause” and this concept is nothing new. It’s been around for years but we didn’t have a catchy marketing term associated with it. In this post, I will breakdown the Sqrrl threat hunting model, Powershell Empire for adversary activity, and instructions on setting up Graylog for log aggregation and a search platform to perform threat hunting. Finally, I would like to point out all Ansible playbooks used in this post are publicly accessible on my Github page in a repo called “AgileFalcon“.

Continue reading

Part 3: How to Red Team – Setting up a red team infrastructure

In this post I thought I would demonstrate how to setup an environment for a red teamer. PLEASE take this environment with a gain of salt because everyone will have a different setup!!! This guide is to show the basics and hopefully a template based on the Armitage/Cobalt Strike architecture. If your interested in the pinnacle of red team setups take a look at Alex Levinson’s post about the CCDC Red team or the blog Room 362 by Rob Fuller.

Continue reading

Setup/Configure OPNsense router in AWS VPC

For the longest time I was under the assumption a router in an AWS VPC could only have one NIC. Writing IPtables/firewall rules for one interface can be tedious!!! However, I have discovered how to setup OPSense in an AWS VPC with multiple NICs. That is right, you will have a WAN NIC(public subnet) and a NIC for each private subnet.

Continue reading

Install/Setup Wazuh 2.0, ELK 5.0, and client deployment

Visualize, analyze and search your host IDS alerts. Elastic Stack is the combination of three popular Open Source projects for log management, known as Elasticsearch, Logstash and Kibana(ELK). Together they provide a real-time and user-friendly console for your OSSEC alerts. OSSEC Wazuh integration with Elastic Stack comes with out-of-the-box dashboards for PCI DSS compliance and CIS benchmarks. You can do forensic and historical analysis of OSSEC alerts and store your data for several years, in a reliable and scalable platform. This post is updating a pervious post of mine using Wazuh 1.0 and version 2.0 of the ELK stack. This post will contain a general setup and configuration for a central logging server.

Continue reading

Install/Setup Doorman + OSQuery on Windows, Mac OSX, and Linux deployment

In this post I am going to explore the tool OSquery. OSquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, OSquery gives you the ability to empower and inform a broad set of organizations within your company. It is a tool that is used by system administrators, incident responders, and ole mighty threat hunters. However, in this post I will not be posting how to use OSquery for threat hunting. I hope to utilize the tool in my environment and write a later post :).

Continue reading

Rekall memory analysis framework for Windows, Linux, and Mac OSX

Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OSX, and Linux. Additionally, as stated above each operating system has it’s own memory acquisition tool provided by Rekall called pmem.

Continue reading