While working on my TOR relay project I was trying to compile Suricata with pf_ring but couldn’t find any documentation for the latest releases. This blog post will provide instructions to compile the latest stable version of Suricata and pf_ring. In addition, this blog post contains instructions for the infrastructure-as-code written in Ansible to automate the installation and step-by-step instructions for a manual installation.
While working on my osquery-file-carve-server project I determined my application needed authentication. However, I didn’t want to pigeon hole my application to a single platform/service for authentication. After some research, I decided to implement support for Vault into my application because it provides the ability for users to authenticate using various methods. However, during my research, I had a hard time understanding how the various Vault components connected to create this functionality.
This blog post will provide an understanding of the Vault components used to implement this functionality. In addition, it will demonstrate the relationship between the various Vault components: authentication backends, entities, groups, and policies. The final result of combining these Vault components is a system that can authenticate a single user using different authentication services.
Do you know if your Osquery client is connecting to the right server? Do you know if your Kolide server is accepting requests from rogue devices? If you have answered “I don’t know” to either of these questions then this blog post is for you. This blog post will be demonstrating how to setup Kolide + Osquery with mutual TLS (mTLS). Mutual TLS is a mechanism that can be implemented to verify the identity of the server and clients. Continue reading
Hashicorp Vault (Vault) is an open-source tool for managing secrets. This blog post will demonstrate how to use Vault to generate a root CA for trusted TLS communication and how to generate client certificates for mutual TLS communication. Not only does this blog post contain a high-level overview of Vault, it includes working infrastructure-as-code and step-by-step tutorial.
In incident response, time is precious and something you can never get back. Typically, when I receive a security alert about an endpoint, it requires manual lookups on multiple data sources for critical pieces of information. These manual lookups can be time-consuming, create fatigue, and don’t use the power of technology to your advantage. This blog post will demonstrate a proof-of-concept (POC) by using the power of a network community ID hash by Corelight to fuse endpoint and network-based data sources.
KSQL by Confluent provides the ability to enrich independent data sources by correlating common attributes. In this POC, we are going to use Sysmon or Osquery to monitor the endpoint and Zeek to monitor the network. Not only will this blog post serve as a POC but it will discuss the architecture, design decisions, working infrastructure-as-code, and the knowledge I accumulated from this project. The hope is that this POC will serve as a framework for the infosec community to use to perform log enrichment. Lastly, I will demonstrate the power of this POC by detecting a Powershell Empire agent that has been injected into explorer.exe.
While working on another logging project, I discovered a mechanism to generate CommunityIDs with Sysmon and Winlogbeat. Winlogbeat provides a feature called processors which can enrich log events before they are sent to the SIEM/logging server. This blog post will demonstrate a proof-of-concept (PoC) to enrich Sysmon network logs with a Community ID Network Flow Hash.
Just like my latest post on my logging pipeline, people want to know more about my Docker set up to learn from or replicate. This blog post is my attempt to share my Docker set up as a framework for newcomers. The hope is that the explanation of the architecture, design decisions, working infrastructure-as-code, and the knowledge I accumulated over the years will be beneficial to the community.
In incident response, there is a disconnect between a security alert being generated and a user’s confirmation of the security alert. For example, generating an alert every time a user runs “curl” on a production system would generate a bunch of false positives that can lead to what is called “alert fatigue”. But if we extend our incident response capabilities to include the user as part of the triage process we could reduce the number of alerts. This blog post is going to demonstrate AskJeevesSecBot which is an open-source proof of concept (POC) of how to integrate Slack and user responses into your security pipeline, specifically during the triage phase of the incident response process. In addition to a PoC, this blog post will also provide a deep dive into the architecture of this project, design decisions, and lessons learned as an evolving threat detection engineer.
Over the years I have built several logging pipelines within my homelab and each used different technologies and methodologies but now I have finally built a pipeline that suites my needs. When I tell people about my pipeline they usually ask if I have a blog post on it because they want to know more or replicate it. This blog post is my attempt to share my logging pipeline as a framework for newcomers. The hope is that the explanation of the architecture, design decisions, working infrastructure-as-code, and the knowledge I accumulated over the years will be beneficial to the community. Continue reading
For several years I have always wanted to write an Osquery extension to perform memory dumps and analysis. I never got the time to do a deep dive into my idea but since I have been creating some Osquery-go extensions lately, I decided to take a crack at my idea. This blog post will provide a high overview of the architecture of these Osquery extensions for this project, how to generate memory dumps, and how to remotely analyze these memory dumps with Osquery. Follow me with another threat detection engineering experience with Osquery-go.
This blog post is going to cover an Osquery extension that I engineered with osquery-go to eradicate malware. This extension has the ability to delete files, kill processes, delete directories, and can be used with the builtin YARA table. This blog post will act as documentation for the setup and operation of this Osquery extension.
Here we go again! This blog post is tangential to my previous blog post on creating an Osquery extension with Python but this time we are using golang. Osquery is my favorite open-source security tool and golang is becoming a popular programming language so fusing them together allows us to engineer tools to detect threats. This blog post will build an Osquery-go extension to calculate the CommunityID of a network connection utilizing the Osquery-polylogyx extension pack to monitor network connections. In blog posts to follow, we will correlate network-based events monitored by Zeek and host-based events generated by Osquery using the CommunityID. So follow me again as your adventure guide on this development journey to make an Osquery extension with osquery-go.
Osquery is my favorite open-source security tool and Python is my favorite programming language so fusing them together allows us to engineer tools to detect threats. This blog post will build an Osquery-python extension to calculate the CommunityID of a network connection utilizing the Osquery-polylogyx extension pack to monitor network connections. In blog posts to follow, we will correlate network-based events generated by Zeek and host-based events generated by Osquery using the CommunityID. So follow me as your adventure guide on this development journey to make an Osquery extension with osquery-python.
In this blog post, we are going to cover how to install MISP on Ubuntu 18.04. Once MISP is installed, we will do an introduction to the PyMISP API to store indicators of compromise (IOCs) in MISP and query IOCs from MISP. This blog post will serve as the foundation for future blog posts moving forward.
In this blog post, I continue my pursuit of knowledge to become a threat hunter. This blog post will introduce the following concepts: understanding the attacker mindset with the Mandiant Attack Lifecycle, performing a red team exercise to demonstrate the tools and techniques used by attackers with Powershell Empire, and observing how attacker activity leaves behind a trail of artifacts. These concepts will create the foundation we will use in future blog posts to hunt for malicious activity.
This blog post is going to demonstrate a proof of concept (PoC) of sending an e-mail to trigger the Mail app (mail.app) to create a reverse shell. The Mail app has built-in functionality that can trigger an Applescript to execute code when certain conditions (new e-mail in inbox from bob, deletion of e-mail, or an e-mail containing certain text) occur within the Mail app. This functionality provides a method to initiate a reverse shell without user interaction or placing a persistent mechanism in a well-known location. The method below will utilize this functionality to monitor e-mails from a particular user, upon receiving an e-mail from said user, a reverse shell will call back to our Powershell Empire server.
This blog post is going to demonstrate a proof of concept (PoC) to exfiltrate data from macOS with a built-in functionality called Folder Actions. The Folder Actions functionality triggers Applescripts to execute code when certain conditions (creating files, deleting files, etc.) occur by interactions with Finder. This functionality provides a method to exfiltrate data without the need for a shell to execute the actions. The Applescript provided below will utilize this functionality to monitor for new files in the user’s Download folder and, upon detection of a new file, exfiltrate a copy of the file to a remote server.
Most guides on the internet show you how to upgrade Proxmox 5.4 to 6.0 via the built-in mechanism. However, for major version upgrades, I prefer to do an installation from scratch, NOT applying the update via apt-get upgrade. This method of upgrading allows me to clean up any crud that has accumulated over the years. Lastly, this guide will cover how to backup your VMS before upgrading to Proxmox 6.0. Continue reading
This proof-of-concept (PoC) will demonstrate how to use Osquery to monitor the browser activity of users. Not only will this PoC collect browser activity, but it will also use VirusTotal to rank each URL to detect malicious activity. In addition to VirusTotal, this PoC will utilize Rsyslog, Osquery, Kafka, Splunk, Virustotal, Python3, and Docker as a logging pipeline. Once this pipeline has been implemented, your security team will have the ability to protect your user’s from today’s most serious threats on the web.
Wow, the last time I really used the Elastic Stack it was called the ELK stack, and it was version 2.0. A lot of things have changed since then, so I am going to do an updated post on installing and setting up the Elastic stack.