Wow, the last time I really used the Elastic Stack it was called the ELK stack, and it was version 2.0. A lot of things have changed since then, so I am going to do an updated post on installing and setting up the Elastic stack.
HoldMyBeer
Cause every great story starts with "Hold my beer"
Category Archives: Tools
Detecting malicious downloads with Osquery, Rsyslog, Kafka, Python3, and VirusTotal
This blog post will explore how to set up a simple logging pipeline to detect maliciously downloaded files. This setup will utilize technologies such as Osquery, Rsyslog, Kafka, Docker, Python3, and VirusTotal for a logging pipeline. If this pipeline detects a malicious file, a Slack alert will be triggered.
Detecting SSH brute forcing with Zeek
In this blog post, we will explore how Zeek detects SSH brute forcing. We will explore the SSH handshake to understand how it works. Next, I will demonstrate several test cases of Zeek detecting SSH brute forcing. Finally, this post will lay down the foundation to implement active defense controls with Zeek in future posts.
Part 1: Install/Setup Zeek + pf_ring on Ubuntu 18.04 on Proxmox 5.3 + openVswitch
Monitoring your home network can be challenging without enterprise-grade equipment. Although monitoring your home network can prove to be difficult, Proxmox and Zeek provide the perfect solution to monitor your home network. This blog post will cover how to setup Zeek+PF_Ring to monitor network traffic on Proxmox.
Logging OSquery with Rsyslog v8 – Love at first sight
This blog post is going to cover how to ingest OSquery logs with Rsyslog v8. Most setups I have come across have Rsyslog ingesting the logs from disk, but this setup will ingest logs via the system journal. OSquery supports writing logs to disk and to the system journal. This post also contains a setup via Ansible and a manual walkthrough. Lastly, explanations of Rsyslog and OSquery configs.
Install/Setup Graylog 3 on Ubuntu 18.04 – Zeeks logs + threat intel pipeline
Graylog has released version 3 with new features and major changes. This blog post will explain how to setup up Graylog version 3 on an Ubuntu server. Once Graylog is running, we will explore setting up logging clients, logging inputs, data extractors, threat intel pipelines, Slack alerts, dashboards and more.
Tales of a Blue Teamer: Detecting Powershell Empire shenanigans with Sysinternals
Sysinternals is my go to Windows toolkit for malware analysis, incident response, and troubleshooting. Sysinternals contain tools that enable the user to analyze the inner workings of a Windows system. In this blog post, I will be covering how to use Sysinternals in Red vs.Blue competitions to detect Red team activity.
Tales of a red teamer: Deploying shenanigans to Windows with Ansible
Deployment is commonly referred to as “the process of distributing the red team’s malware into the blue team’s machines”. Ansible provides a mechanism to connect to a Window machine, configure it, run command(s), and copy files to the target. Therefore, I often say, “If it’s good for sys admins, it’s good for red team”. In this blog post, I have provided an Ansible playbook that can be used to distribute the red team’s shenanigans to a list of targets, regardless of the red teamer’s host OS.
Part 1: Threat hunting with BRO/Zeek and EQL
One of the biggest challenges for blue teams is using logs to hunt for malicious activity. Tools like BRO provide fantastic logging of the events that transpired on a network but don’t provide a mechanism to ask those logs a question. Threat hunting is the process of generating a series of hypotheses about malicious activity that might be occurring on your network. EQL provides a tool that can ingest logs and provide the threat hunter a mechanism to ask questions to prove or disprove their hypotheses. Furthermore, I have extended the EQL platform to support Zeek/BRO logs for network-based threat hunting.
PoC: Using Cloudflare as an HTTP C2 with Powershell Empire
For a red teamer, one of the biggest challenges is utilizing a command-and-control(C2) server without being discovered and blocked. This is because the detected traffic is not coming from a trusted source. One way around this is to use CloudFlare’s free HTTP reverse proxy service as your C2. By pivoting all HTTP traffic through these proxies, it becomes much harder for a network defender to detect malicious intent.