Visualize, analyze and search your host IDS alerts. Elastic Stack is the combination of three popular Open Source projects for log management, known as Elasticsearch, Logstash and Kibana(ELK). Together they provide a real-time and user-friendly console for your OSSEC alerts. OSSEC Wazuh integration with Elastic Stack comes with out-of-the-box dashboards for PCI DSS compliance and CIS benchmarks. You can do forensic and historical analysis of OSSEC alerts and store your data for several years, in a reliable and scalable platform. This post is updating a pervious post of mine using Wazuh 1.0 and version 2.0 of the ELK stack. This post will contain a general setup and configuration for a central logging server.
HoldMyBeer
Cause every great story starts with "Hold my beer"
Author Archives: spartan2194
Install/Setup Doorman + OSQuery on Windows, Mac OSX, and Linux deployment
In this post I am going to explore the tool OSquery. OSquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, OSquery gives you the ability to empower and inform a broad set of organizations within your company. It is a tool that is used by system administrators, incident responders, and ole mighty threat hunters. However, in this post I will not be posting how to use OSquery for threat hunting. I hope to utilize the tool in my environment and write a later post :).
Rekall memory analysis framework for Windows, Linux, and Mac OSX
Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OSX, and Linux. Additionally, as stated above each operating system has it’s own memory acquisition tool provided by Rekall called pmem.
Creating macOS VM on VMware Fusion
I had no idea that Mac OSX users had the ability to create Mac OSX VMs with VMware Fusion. Say that last part five times fast lol. I am going to walk you through the process of creating a macOS(Sierra) VM on my laptop. I would like to give original credit to VMware but I want to share this with my readers. The ability to create Mac OSX VMs allows me to analyze Mac OSX malware in a safe environment, whoop whoop.
Intro to Threat Intelligence with Bro and ELK
One of the biggest trends in cyber security is threat intelligence. A lot of security professionals and enterprises are asking what is threat intelligence, do I need it, and can it improve my security? First let’s start by defining threat intelligence and the rest of this guide will provide a practical use case for threat intelligence. Threat intelligence is utilizing information to detect security threats that traditional methods and technologies may not and providing decision driven incident response based off data.
Part 1: Install/Setup Bro Cluster
In this blog series I am going to show you how to setup an effective Bro cluster. In future posts I hope to be tweaking Bro to produce better detection with custom rules and utilizing open threat intelligence feeds. Bro is the perfect solution for a homegrown IDS solution because it’s free and can be distributed. In my home network I have a DNS server and proxy server that I wish to monitor with Bro. Bro allows me to setup agents(workers) to monitor my DNS and proxy servers and forward data to a Bro manager for analysis.
Part 2: How to red team – Metasploit framework
In this post I am going to briefly cover the exploitation process with the Metasploit framework. A framework is defined as a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful. The Metasploit framework allows red teamers to configure an exploit, choose a payload, an encoding technique to obfuscate the payload, and post-exploitation modules after access is gained. The next couple of sections are going to walk through the process of exploitation. I believe the Metasploit approach is a template to know because other frameworks and tools follow the same flow. Continue reading
Part 1: How to Red Team – Scanning and Enumeration
I have to be honest that my red team skills could use some improvement. I firmly believe that red teaming is a skill and a mindset that people have. I believe some people are naturally born with this mindset and others develop it, I am a developer :).Currently, I am aspiring to become an incident responder because the thrill of the hunt seems like A LOT of fun to me. But to be an effective incident responder I have to understand my adversary and their strategies.
This blog post series will include my approach of learning how to become a red teamer in a competition type of environment. Now my reasoning for this is because I have the ability to compete in multiple competitions as red teamer as a college student. Additionally, I hope to periodically return to these posts and update them with new tactics and tools that I find and use.
Install/Setup Proxmox 5.0 Beta
Being a college student is awesome because you get access to all this software for FREE! I was fortunate to have access to VMware products for free and I love playing with those tools. However, I graduate soon which means I have to transition to free(affordable) solutions for virtualization. I have decided to go with Proxmox as my solution and this guide will show you how to set it up :).
Intro to the ELK Stack on CentOS 7
This is a two part series on setting up an ELK stack to receive syslog and in the next post Bro logs. The ELK stack is an awesome collection of software but a complicated MumboJumboCombo of components. I wanted to help break that barrier for beginners and to help explain how each component works. So stick with me on this two part series! I would like to give credit to this DigitalOcean post writer for the ELK stack write-up which I’ll be referencing. Additionally my Github contains a script to setup the ELK stack for CentOS 7 64-bit based on the guide below.
VeraCrypt on Mac OSX El Captain
Veracrypt provides on-the-fly encryption and is also the predecessor and a fork of the Truecrypt project. Back in Fall of 2015 the Truecrypt maintainer’s stated the code was “not secure”. When this happened it left the security community in a huge loss and swirl of what “not secure” meant. However, after several months the internet rolled on and someone decided to pickup the torch and keep running. In this guide I am just running through the installation of Veracrypt, creating Veracrypt containers, and creating hidden Veracrypt cotnainers on Mac OSX El Captain. Continue reading
Part 1: Install/Setup Wazuh with ELK Stack
If you have been following my blog you know that I am trying to increase my Incident Response(IR) skillz and experience. For a class project we had to create/improve a piece of software in the forensic community for Windows(Windows forensic class). From my short time of searching the internet I never found a guide to setting up a logging system for Windows from start to finsh. An effective logging system has an agent/collector, a log aggregator, a data visualizer, and a good alerting mechnism.
The following sytem I have setup has Wazuh(OSSEC fork) for log collection, Wazuh Management for a log aggregator, the ELK stack for data retention and vizualiztion, and elastalert for e-mail alerting. In this guide I will walk you through on how to setup an effective logging system for all operating systems but mainly Windows for free. Additionally, we will be discussing the type of things that should be logged depending on your enviornment. As final note I have included my github repo at the bottom if you want to automated scripts for all of this.
Continue reading
RC3 Fall 2016 CTF Infrastructure
In this blog post I will be walking you through how I setup my club’s CTF infrastructure on AWS. I take great pride as the RC3 CTF infrastructure captain (with a bit of an inflated ego 🙂 ) that my infrastructure as a whole never had any downtime! Additionally, our CTF attracted a 1,000 users over the course of a weekend, which was a great stress test for my infrastructure.
This post consists of the following AWS services which are EC2, S3, VPCs, Route 53, RDS, and IAM. Our infrastructure utilized software and services such as CentOS, Ubuntu, HAProxy, Let’s Encrypt, CTFd, Bro, and Nginx/uwsgi. Please keep in mind this guide is a sys admin guide and not a security guide. Some of the security measures implemented in the infrastructure have been left out of this guide to thwart individuals from taking advantage of this build in the future. Without further ado, here we go on the wild ride of creating a CTF cloud computing infrastructure in Amazon’s Web Services (AWS) :).
Part 1: C# to Windows Meterpreter in 10mins.
In this post I will show you how to get a meterpreter session on a Windows box with C#. I give all the credit to guy in this post. I am simply sharing this cool tutorial! This guide assumes that you have a Kali Linux VM and a Windows 7 VM, additionally a method to get the malware on to the remote Windows PC. I will walk you through the process of exploitation and how the code works. I will also show you how to setup Metasploit to get a reverse shell. In part 2 I will discuss how to add functionality to your C#malware and run it as a Windows Service!!!!
Part 1: Google GRR Incident Response Tool
GRR Rapid Response is an incident response framework focused on remote live forensics. It based on client server architecture, so there’s an agent which is installed on target systems and a Python server infrastructure that can manage and communicate with the agents.
Windows, Mac OSX and Linux Memory Dump How To
Dumping memory from an operating system can be complicated and is not built-in feature. You also have to keep in mind that memory dumps are a snapshot in time of what is in the memory. The memory is constantly changing every second so having the right tool can be the difference between getting the data you need and having it lost forever. There are various tools for each operating system to accomplish memory dumps. Some tools are easier to setup and use than others and some tools are portable apps. I have provided links at the bottom of this post to all the tools I cover within this post.
Cowire Honeypot Install and Setup
Kippo is typically the go to application for information security researchers looking to set up an SSH honeypot. Likewise the Cowire honeypot is forked from the Kippo project. I personally believe that Cowire is better than Kippo and has fixed some common issues within Kippo. Below I go through a simple instillation of Cowire on Ubuntu 14.04. Within the coming posts I will show some of the common ways attackers detect a Cowire/Kippo instance, and its short comings. Please keep in mind that I mean no disrespect to the developers of the Kippo honeypot! They have provided the most used honeypot on the internet today and have truly done a remarkable job.