In this blog post, we will explore how Zeek detects SSH brute forcing. We will explore the SSH handshake to understand how it works. Next, I will demonstrate several test cases of Zeek detecting SSH brute forcing. Finally, this post will lay down the foundation to implement active defense controls with Zeek in future posts.
Monitoring your home network can be challenging without enterprise-grade equipment. Although monitoring your home network can prove to be difficult, Proxmox and Zeek provide the perfect solution to monitor your home network. This blog post will cover how to setup Zeek+PF_Ring to monitor network traffic on Proxmox.
This blog post is going to cover how to ingest OSquery logs with Rsyslog v8. Most setups I have come across have Rsyslog ingesting the logs from disk, but this setup will ingest logs via the system journal. OSquery supports writing logs to disk and to the system journal. This post also contains a setup via Ansible and a manual walkthrough. Lastly, explanations of Rsyslog and OSquery configs.
Graylog has released version 3 with new features and major changes. This blog post will explain how to setup up Graylog version 3 on an Ubuntu server. Once Graylog is running, we will explore setting up logging clients, logging inputs, data extractors, threat intel pipelines, Slack alerts, dashboards and more.
Sysinternals is my go to Windows toolkit for malware analysis, incident response, and troubleshooting. Sysinternals contain tools that enable the user to analyze the inner workings of a Windows system. In this blog post, I will be covering how to use Sysinternals in Red vs.Blue competitions to detect Red team activity.
Deployment is commonly referred to as “the process of distributing the red team’s malware into the blue team’s machines”. Ansible provides a mechanism to connect to a Window machine, configure it, run command(s), and copy files to the target. Therefore, I often say, “If it’s good for sys admins, it’s good for red team”. In this blog post, I have provided an Ansible playbook that can be used to distribute the red team’s shenanigans to a list of targets, regardless of the red teamer’s host OS.
One of the biggest challenges for blue teams is using logs to hunt for malicious activity. Tools like BRO provide fantastic logging of the events that transpired on a network but don’t provide a mechanism to ask those logs a question. Threat hunting is the process of generating a series of hypotheses about malicious activity that might be occurring on your network. EQL provides a tool that can ingest logs and provide the threat hunter a mechanism to ask questions to prove or disprove their hypotheses. Furthermore, I have extended the EQL platform to support Zeek/BRO logs for network-based threat hunting.
For a red teamer, one of the biggest challenges is utilizing a command-and-control(C2) server without being discovered and blocked. This is because the detected traffic is not coming from a trusted source. One way around this is to use CloudFlare’s free HTTP reverse proxy service as your C2. By pivoting all HTTP traffic through these proxies, it becomes much harder for a network defender to detect malicious intent.
In this blog post series, I will be covering how to setup a Tor exit node for security research. The educational goals of this series is to learn more about network security monitoring, logging, and enrichment to create a threat intelligence pipeline. My exit node will collect data that will be ingested and returned to the community as intelligence.
This past weekend, I had the pleasure of red teaming at University of Buffalo’s competition called Lockdown. It was a great competition and I had a lot of fun learning new red team tools and challenging the blue teamers on Windows. This blog post will focus on my C2 infrastructure setup for Cobalt Strike. I did a similar post last semester with PowerShell Empire, which can be found here.
Domain fronting is a new a technique to obfuscate the intended destination of HTTP(S) traffic. This allows attackers to circumvent security controls by masking the intended destination with “trusted” domains. In this blog post, I will setup AWS’s CloudFront CDN service to mask the destination of my Empire TeamServer.
In this blog post, I will be demonstrating different techniques to obtain initial access to Windows and Linux machines. Initial access is the action of using credentials or an exploitation of a remote machine to execute malicious code. In a Red vs. Blue competition, gaining initial access is one of the very first things the red team does. The dynamic of the entire competition hangs in the balance of the red team gaining initial access.
This past weekend, I had the pleasure of red teaming at University of Buffalo’s competition called Lockdown. It was a fantastic competition and I had ALOT of fun interacting/challenging the blue teamers on Windows. This blog post will focus on my C2 infrastructure setup for Powershell Empire.
In this blog post we will be installing, setting up, and utilizing Kolide Fleet as our OSQuery fleet manager. As stated by Kolide, ” Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook’s battle-tested OSQuery project, Fleet delivers fast answers to big questions.” In future blog posts I plan on using this tool for incident response and threat hunting scenarios.
This blog post series is a culmination of my learning experience in becoming a threat hunter. Over time this learning experience helped me develop a teaching philosophy to help novices go from zero to hero threat hunter, which is what I will be using to teach the threat hunting fundamentals. This series will have a strong focus on understanding the attacker mindset, how to interpret actions performed by an adversary from a defenders perspective, and how to transition findings from your hunts into future detections or environmental improvements. The content used here is a written adaptation of my DefCon 2020 Blue Team village workshop. It will utilize the same ideas and techniques used for that workshop reiterating specifics and points for the greater InfoSec community to use.
First, we will start by understanding the attacker mindset with the Mandiant Attack Lifecycle. To re-enforce this methodology there is a red team exercise utilizing Powershell Empire to perform an APT style attack. The outcome of this red team exercise is the creation of a story or, in this case, the creation of a fictious advanced persistent threat (APT) known as Goofball. Second, we will utilize the actions performed by Goofball to perform an informal threat hunting exercise that will hunt the artifacts generated by our fictious adversary using Sysmon and the Elastic stack.
Thirdly, we will use our informal threat hunting exercise as a foundational jumping off point to formally hunt our fictitious adversary using the Endgame threat hunting process. In addition to the Endgame threat hunting process, we will learn how to use the MITRE ATT&CK matrix to generate threat hunting hypotheses and use FleetDM + Osquery to confirm/deny our hypothesis. Lastly, we will end this blog post series with a retrospective and how to convert threat hunting findings into detections or environmental improvements.
Before we jump into these topics, we need an environment to perform our red team exercise and to collect logs from for our threat hunting exercises. This blog post contains Ansible playbooks and manual instructions to setup the Windows environment used for this series. Additionally, there is a “quick setup” to stand up an Elastic stack and import pre-collected logs from the red team exercise. This quick setup is for individuals who don’t have the hardware resources to spin up an entire network or would prefer to just utilize the logs. The take away from this blog post series should be an understanding of the attacker mindset, how to use the knowledge of attacker techniques and procedures to hunt for them, and finally how to transition successful hunts to detections.
In this blog post I will be covering how to setup and utilize MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you can create adversary campaigns that are deployed to your agents. Your agents will periodically call back with their results and progress. Let’s begin!
One of the biggest trends in infosec, besides the word cyber, is threat hunting. First, I want to start by defining threat hunting as the action of “investigation without cause” and this concept is nothing new. It’s been around for years but we didn’t have a catchy marketing term associated with it. In this post, I will breakdown the Sqrrl threat hunting model, Powershell Empire for adversary activity, and instructions on setting up Graylog for log aggregation and a search platform to perform threat hunting. Finally, I would like to point out all Ansible playbooks used in this post are publicly accessible on my Github page in a repo called “AgileFalcon“.
In this post I thought I would demonstrate how to setup an environment for a red teamer. PLEASE take this environment with a gain of salt because everyone will have a different setup!!! This guide is to show the basics and hopefully a template based on the Armitage/Cobalt Strike architecture. If your interested in the pinnacle of red team setups take a look at Alex Levinson’s post about the CCDC Red team or the blog Room 362 by Rob Fuller.
For the longest time I was under the assumption a router in an AWS VPC could only have one NIC. Writing IPtables/firewall rules for one interface can be tedious!!! However, I have discovered how to setup OPSense in an AWS VPC with multiple NICs. That is right, you will have a WAN NIC(public subnet) and a NIC for each private subnet.
Visualize, analyze and search your host IDS alerts. Elastic Stack is the combination of three popular Open Source projects for log management, known as Elasticsearch, Logstash and Kibana(ELK). Together they provide a real-time and user-friendly console for your OSSEC alerts. OSSEC Wazuh integration with Elastic Stack comes with out-of-the-box dashboards for PCI DSS compliance and CIS benchmarks. You can do forensic and historical analysis of OSSEC alerts and store your data for several years, in a reliable and scalable platform. This post is updating a pervious post of mine using Wazuh 1.0 and version 2.0 of the ELK stack. This post will contain a general setup and configuration for a central logging server.