Author Archives: spartan2194

PoC: Mail.app the boomerang of reverse shells on macOS

This blog post is going to demonstrate a proof of concept (PoC) of sending an e-mail to trigger the Mail app (mail.app) to create a reverse shell. The Mail app has built-in functionality that can trigger an Applescript to execute code when certain conditions (new e-mail in inbox from bob, deletion of e-mail, or an e-mail containing certain text) occur within the Mail app. This functionality provides a method to initiate a reverse shell without user interaction or placing a persistent mechanism in a well-known location. The method below will utilize this functionality to monitor e-mails from a particular user, upon receiving an e-mail from said user, a reverse shell will call back to our Powershell Empire server.

Continue reading

PoC: Exfiltrating data on macOS with Folder Actions

This blog post is going to demonstrate a proof of concept (PoC) to exfiltrate data from macOS with a built-in functionality called Folder Actions. The Folder Actions functionality triggers Applescripts to execute code when certain conditions (creating files, deleting files, etc.) occur by interactions with Finder. This functionality provides a method to exfiltrate data without the need for a shell to execute the actions. The Applescript provided below will utilize this functionality to monitor for new files in the user’s Download folder and, upon detection of a new file, exfiltrate a copy of the file to a remote server.

Continue reading

Part 1: Learning web security – Reflected Cross-site Scripting (XSS)

As part of my personal growth, I decided to learn web security. This blog post is going to demonstrate one of OWASP’s top ten vulnerabilities called “Cross-site scripting”. The exercises in this blog post demonstrate the vulnerability within code. Take part in my journey as I learn the web with this vulnerability known as cross-site scripting.  Continue reading

My journey for upgrading Proxmox VE 5.4 to 6.0

Most guides on the internet show you how to upgrade Proxmox 5.4 to 6.0 via the built-in mechanism. However, for major version upgrades, I prefer to do an installation from scratch, NOT applying the update via apt-get upgrade. This method of upgrading allows me to clean up any crud that has accumulated over the years. Lastly, this guide will cover how to backup your VMS before upgrading to Proxmox 6.0. Continue reading

PoC: Monitoring user browser activity with Osquery

This proof-of-concept (PoC) will demonstrate how to use Osquery to monitor the browser activity of users. Not only will this PoC collect browser activity, but it will also use VirusTotal to rank each URL to detect malicious activity. In addition to VirusTotal, this PoC will utilize Rsyslog, Osquery, Kafka, Splunk, Virustotal, Python3, and Docker as a logging pipeline. Once this pipeline has been implemented, your security team will have the ability to protect your user’s from today’s most serious threats on the web.

Continue reading

Back in the saddle: Install/Setup Elastic stack 7.0 on Ubuntu 18.04

Wow, the last time I really used the Elastic Stack it was called the ELK stack, and it was version 2.0. A lot of things have changed since then, so I am going to do an updated post on installing and setting up the Elastic stack.

Continue reading

Detecting malicious downloads with Osquery, Rsyslog, Kafka, Python3, and VirusTotal

This blog post will explore how to set up a simple logging pipeline to detect maliciously downloaded files. This setup will utilize technologies such as Osquery, Rsyslog, Kafka, Docker, Python3, and VirusTotal for a logging pipeline. If this pipeline detects a malicious file, a Slack alert will be triggered.

Continue reading

Detecting SSH brute forcing with Zeek

In this blog post, we will explore how Zeek detects SSH brute forcing. We will explore the SSH handshake to understand how it works. Next, I will demonstrate several test cases of Zeek detecting SSH brute forcing. Finally, this post will lay down the foundation to implement active defense controls with Zeek in future posts.

Continue reading

Logging OSquery with Rsyslog v8 – Love at first sight

This blog post is going to cover how to ingest OSquery logs with Rsyslog v8. Most setups I have come across have Rsyslog ingesting the logs from disk, but this setup will ingest logs via the system journal. OSquery supports writing logs to disk and to the system journal. This post also contains a setup via Ansible and a manual walkthrough. Lastly, explanations of Rsyslog and OSquery configs.

Continue reading

Tales of a Blue Teamer: Detecting Powershell Empire shenanigans with Sysinternals

Sysinternals is my go to Windows toolkit for malware analysis, incident response, and troubleshooting. Sysinternals contain tools that enable the user to analyze the inner workings of a Windows system. In this blog post, I will be covering how to use Sysinternals in Red vs.Blue competitions to detect Red team activity.

Continue reading