CALDERA

The folks at MITRE have created yet another awesome tool. CALDERA uses the ATT&CK model to simulate adversary behavior. It’s a great way to generate logs for hunting, or to see how your detection stacks up. Here’s how I got it going. I pretty much just followed along with the instructions Read more…

Forensic Challenge

Information: A user reported strange computer activity to their support staff. Support was so good that the first thing they did was to snap a memory image before the computer was rebooted. Once the technical staff acquired the memory, they were also able to grab an image of the system Read more…

Opencanary

I love honeypots and wanted to give opencanary a shot because I kept hearing how cool it was. It’s written in Python, and is very easy to configure and extend. The idea is to stick these in various places in your network, running fake services similar to what’s around them. In Read more…

Bro 2.5.1 and ELK

Software versions:
Bro 2.5.1 on Debian 8.9 (bro server)
Logstash 2.2.4 on Debian 8.9 (bro server)
Elasticsearch 2.4.6 on Debian 8.9 (ELK server)
Kibana 4.3.0.9369 on Debian 8.9 (ELK server)

First install Java on both systems:
sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
Read more…

Awesome .htaccess

This .htaccess blocks bots, search engine indexing, wget, curl, and access to itself.

Enable it via /etc/apache2/sites-available/whateversite.conf (the path must use plain ASCII double quotes, not the curly quotes a blog editor inserts, or Apache will not parse the directive):
<Directory "/var/www/html/whateversite">
    AllowOverride All
</Directory>

.htaccess file:
<Files .htaccess>
    deny from all
</Files>
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} AhrefsBot [OR]
RewriteCond %{HTTP_USER_AGENT} Baiduspider [OR]
RewriteCond %{HTTP_USER_AGENT} Ezooms [OR]
RewriteCond %{HTTP_USER_AGENT} MJ12bot [OR]
Read more…

Two caveats when adapting this: the RewriteCond patterns are unanchored regular expressions and are case-sensitive unless the [NC] flag is added, and "deny from all" is Apache 2.2 syntax that only works on 2.4 while mod_access_compat is loaded (the 2.4 equivalent is "Require all denied").

Defeating MITM

There are a number of things needed to stop ARP poisoning properly in a Cisco environment:
DHCP snooping
Trusted ports
Dynamic ARP inspection
A filter for static IPs

DHCP snooping prevents rogue DHCP servers and is the groundwork for all this. It builds a database of bindings and specifies where Read more…
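As an added example (not configuration from the original post), here is a Cisco IOS configuration that ties the four pieces above together on one access switch. The interface names, VLAN numbers, rate limits, database filename, and the host address and MAC in the ARP ACL are assumptions for illustration:

```cisco
! --- DHCP snooping: the groundwork. Builds the IP/MAC/VLAN/port binding table
! --- that Dynamic ARP Inspection later checks ARP packets against.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Persist the binding table so a reload does not wipe it; without this, hosts
! that still hold a lease fail DAI until they renew (assumed filename).
ip dhcp snooping database flash:dhcpsnoop.db
!
! --- Trusted ports: only the uplink toward the real DHCP server may send
! --- DHCP server messages, and ARP arriving on it is not inspected
! --- (assumed interface).
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports stay untrusted (the default). Rate-limit DHCP and ARP so a
! --- flooding host errdisables its own port instead of exhausting the switch.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- Dynamic ARP Inspection on the same VLANs, with the optional extra checks:
! --- Ethernet-header MACs must match the MACs in the ARP body, and sender/target
! --- IPs must be valid (no 0.0.0.0, 255.255.255.255 or multicast addresses).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! --- Filter for static IPs: a host that never uses DHCP has no binding, so DAI
! --- would drop its ARP. An ARP ACL whitelists it (assumed address and MAC).
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.5 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Verification
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Without the static keyword on the ip arp inspection filter command, ARP packets that match no ACL entry fall through to the DHCP snooping bindings, so ordinary DHCP clients keep working while the listed static hosts are permitted explicitly. Ports that trip the rate limits go into errdisable and need errdisable recovery (or a manual shut/no shut) to come back.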

Malware Challenge

This challenge has two phases. The first one involves creative thinking and research. The second one is live malware and reversing. Instructions and hints are built in. Rules and things you’ll need: 1. You need an isolated environment with a Windows Vista/7/10 VM guest, and a snapshot. On the VM, Read more…

DNS over HTTPS

Google and others have been working on implementing DNS over HTTPS:
https://tools.ietf.org/id/draft-hoffman-dns-over-https-00.html
This allows bypass of things like RPZ, DNS blackholes, and other protections. All the more reason to start thinking about SSL inspection. The right to privacy is understandable, but protecting users, assets, and data is more important. This Read more…