Incident Response | HoldMyBeer

Oct 11 2019

Incident Response, Logging, Network Security, PoC, Tools

PoC: Monitoring user browser activity with Osquery

This proof-of-concept (PoC) will demonstrate how to use Osquery to monitor the browser activity of users. Not only will this PoC collect browser activity, but it will also use VirusTotal to rank each URL to detect malicious activity. In addition to VirusTotal, this PoC will utilize Rsyslog, Osquery, Kafka, Splunk, Virustotal, Python3, and Docker as a logging pipeline. Once this pipeline has been implemented, your security team will have the ability to protect your user’s from today’s most serious threats on the web.

Continue reading →

May 01 2019

7 Comments

Incident Response, Logging, Tools

Back in the saddle: Install/Setup Elastic stack 7.0 on Ubuntu 18.04

Wow, the last time I really used the Elastic Stack it was called the ELK stack, and it was version 2.0. A lot of things have changed since then, so I am going to do an updated post on installing and setting up the Elastic stack.

Continue reading →

Apr 25 2019

Leave a comment

Incident Response, Logging, PoC, Tools

Detecting malicious downloads with Osquery, Rsyslog, Kafka, Python3, and VirusTotal

This blog post will explore how to set up a simple logging pipeline to detect maliciously downloaded files. This setup will utilize technologies such as Osquery, Rsyslog, Kafka, Docker, Python3, and VirusTotal for a logging pipeline. If this pipeline detects a malicious file, a Slack alert will be triggered.

Continue reading →

Mar 27 2019

3 Comments

Incident Response, Logging, Threat Intelligence, Tools

Install/Setup Graylog 3 on Ubuntu 18.04 – Zeeks logs + threat intel pipeline

Graylog has released version 3 with new features and major changes. This blog post will explain how to setup up Graylog version 3 on an Ubuntu server. Once Graylog is running, we will explore setting up logging clients, logging inputs, data extractors, threat intel pipelines, Slack alerts, dashboards and more.

Continue reading →

Feb 27 2019

2 Comments

Incident Response, Malware Analysis, Tales of a Blue Teamer, Tools, Uncategorized

Tales of a Blue Teamer: Detecting Powershell Empire shenanigans with Sysinternals

Sysinternals is my go to Windows toolkit for malware analysis, incident response, and troubleshooting. Sysinternals contain tools that enable the user to analyze the inner workings of a Windows system. In this blog post, I will be covering how to use Sysinternals in Red vs.Blue competitions to detect Red team activity.

Continue reading →

Feb 20 2019

Leave a comment

Incident Response, Network Security, Threat Hunting, Tools

Part 1: Threat hunting with BRO/Zeek and EQL

One of the biggest challenges for blue teams is using logs to hunt for malicious activity. Tools like BRO provide fantastic logging of the events that transpired on a network but don’t provide a mechanism to ask those logs a question. Threat hunting is the process of generating a series of hypotheses about malicious activity that might be occurring on your network. EQL provides a tool that can ingest logs and provide the threat hunter a mechanism to ask questions to prove or disprove their hypotheses. Furthermore, I have extended the EQL platform to support Zeek/BRO logs for network-based threat hunting.

Continue reading →

Jan 13 2018

7 Comments

ForFunAndWumbos, Incident Response, Red Teaming, Threat Hunting, Tools

Install/Setup MITRE Caldera the automated cyber adversary emulation system

In this blog post I will be covering how to setup and utilize MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you can create adversary campaigns that are deployed to your agents. Your agents will periodically call back with their results and progress. Let’s begin!

Continue reading →

Sep 08 2017

2 Comments

Incident Response, System Administration, Tools

Install/Setup Wazuh 2.0, ELK 5.0, and client deployment

Visualize, analyze and search your host IDS alerts. Elastic Stack is the combination of three popular Open Source projects for log management, known as Elasticsearch, Logstash and Kibana(ELK). Together they provide a real-time and user-friendly console for your OSSEC alerts. OSSEC Wazuh integration with Elastic Stack comes with out-of-the-box dashboards for PCI DSS compliance and CIS benchmarks. You can do forensic and historical analysis of OSSEC alerts and store your data for several years, in a reliable and scalable platform. This post is updating a pervious post of mine using Wazuh 1.0 and version 2.0 of the ELK stack. This post will contain a general setup and configuration for a central logging server.

Continue reading →

Aug 17 2017

6 Comments

Incident Response, System Administration, Tools

Install/Setup Doorman + OSQuery on Windows, Mac OSX, and Linux deployment

In this post I am going to explore the tool OSquery. OSquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, OSquery gives you the ability to empower and inform a broad set of organizations within your company. It is a tool that is used by system administrators, incident responders, and ole mighty threat hunters. However, in this post I will not be posting how to use OSquery for threat hunting. I hope to utilize the tool in my environment and write a later post :).

Continue reading →

Jul 29 2017

2 Comments

Incident Response, Malware Analysis, Memory Forensics, Threat Hunting, Tools Image

Rekall memory analysis framework for Windows, Linux, and Mac OSX

Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OSX, and Linux. Additionally, as stated above each operating system has it’s own memory acquisition tool provided by Rekall called pmem.

Continue reading →

Jun 25 2017

2 Comments

Incident Response, Threat Intelligence, Tools

Intro to Threat Intelligence with Bro and ELK

One of the biggest trends in cyber security is threat intelligence. A lot of security professionals and enterprises are asking what is threat intelligence, do I need it, and can it improve my security? First let’s start by defining threat intelligence and the rest of this guide will provide a practical use case for threat intelligence. Threat intelligence is utilizing information to detect security threats that traditional methods and technologies may not and providing decision driven incident response based off data.

Continue reading →

Jan 24 2017

Leave a comment

ForFunAndWumbos, Incident Response, System Administration, Tools

Intro to the ELK Stack on CentOS 7

This is a two part series on setting up an ELK stack to receive syslog and in the next post Bro logs. The ELK stack is an awesome collection of software but a complicated MumboJumboCombo of components. I wanted to help break that barrier for beginners and to help explain how each component works. So stick with me on this two part series! I would like to give credit to this DigitalOcean post writer for the ELK stack write-up which I’ll be referencing. Additionally my Github contains a script to setup the ELK stack for CentOS 7 64-bit based on the guide below.

Continue reading →

Dec 05 2016

3 Comments

Incident Response, System Administration, Tools

Part 1: Install/Setup Wazuh with ELK Stack

If you have been following my blog you know that I am trying to increase my Incident Response(IR) skillz and experience. For a class project we had to create/improve a piece of software in the forensic community for Windows(Windows forensic class). From my short time of searching the internet I never found a guide to setting up a logging system for Windows from start to finsh. An effective logging system has an agent/collector, a log aggregator, a data visualizer, and a good alerting mechnism.

The following sytem I have setup has Wazuh(OSSEC fork) for log collection, Wazuh Management for a log aggregator, the ELK stack for data retention and vizualiztion, and elastalert for e-mail alerting. In this guide I will walk you through on how to setup an effective logging system for all operating systems but mainly Windows for free. Additionally, we will be discussing the type of things that should be logged depending on your enviornment. As final note I have included my github repo at the bottom if you want to automated scripts for all of this.
Continue reading →

Jun 25 2016

15 Comments

Incident Response, Tools

Part 1: Google GRR Incident Response Tool

GRR Rapid Response is an incident response framework focused on remote live forensics. It based on client server architecture, so there’s an agent which is installed on target systems and a Python server infrastructure that can manage and communicate with the agents.

Continue reading →

Tagged Google Grr

HoldMyBeer

Cause every great story starts with "Hold my beer"

Category Archives: Incident Response

PoC: Monitoring user browser activity with Osquery

Back in the saddle: Install/Setup Elastic stack 7.0 on Ubuntu 18.04

Detecting malicious downloads with Osquery, Rsyslog, Kafka, Python3, and VirusTotal

Install/Setup Graylog 3 on Ubuntu 18.04 – Zeeks logs + threat intel pipeline

Tales of a Blue Teamer: Detecting Powershell Empire shenanigans with Sysinternals

Part 1: Threat hunting with BRO/Zeek and EQL

Install/Setup MITRE Caldera the automated cyber adversary emulation system

Install/Setup Wazuh 2.0, ELK 5.0, and client deployment

Install/Setup Doorman + OSQuery on Windows, Mac OSX, and Linux deployment

Rekall memory analysis framework for Windows, Linux, and Mac OSX

Intro to Threat Intelligence with Bro and ELK

Intro to the ELK Stack on CentOS 7

Part 1: Install/Setup Wazuh with ELK Stack

Part 1: Google GRR Incident Response Tool