Category Archives: IR

My Intrusion Detection Honeypot

Please note that some of the links below may be affiliate links. As an Amazon Associate I earn from qualifying purchases.

For the last several years, I’ve been working on a honeypot system to detect “east-west” internal traffic that doesn’t go “north-south” to the internet. The goal is to detect potential threat actors moving laterally in the network. While this doesn’t catch all internal-to-internal traffic, it does alert on internal traffic to the device. The need for such a device came from a job several years ago.

At a place where I worked, the managers would comment that we could see north-south traffic to and from the internet, but we couldn’t detect potentially malicious east-west traffic internally between systems. We could see east-west traffic between zones, but not between systems in the same zone.

That led to the suggestion of honeypots. Both management and legal said we couldn’t have a honeypot because they believed them to be entrapment devices. Management also didn’t want to give threat actors a beachhead device to take over and use to attack other devices.

What was needed was a device that could act like an alarmed/monitored door that would alert when used, something with next to zero interaction. It took a couple of years, but I found a workable solution with Chris Sanders’ Intrusion Detection Honeypots (affiliate link).


Always remember to document with screenshots when doing investigations

I’ve been looking for a job. I applied to one recently and came across something a little scammy. Seconds after getting a thank-you-for-applying email, I got an email saying I had to run software to prove I met the requirements to work from home: plug the computer into the modem and run their test. That wasn’t happening on my daily driver, so I ran it through some VMs.

The link in the email was for what looks like a headhunter software firm. It redirected to the website of the company I applied to. I tested with FLARE VM running on Proxmox on an old i3 server I have. The FLARE VM passed everything but the processor test; it wanted an i5 or higher. I didn’t bother to get screenshots, because I thought I’d run it again on something with a newer processor.

I spent today (the day I wrote the blog post, not the day it was published) setting up a FLARE VM on my laptop. I loaded up the FLARE VM and started Wireshark, Regshot, and Procmon. I started Edge and went to the link again, only to get a blank page with no option to test. Note: the site had said to try again from another computer after I ran the test, but there was nothing there to run this time.

There were two takeaways from this.

1. I should have built some FLARE VMs sooner, because they take a while to build. Build them before you need to use them.

2. Follow the rules of getting screenshots and taking notes as you work, because it would have made a great blog post walking through the steps.

Prepping for a project

I’m getting ready for a fun little project with a friend. Several years ago, while doing my undergrad, I got a copy of Chris Sanders’ “Applied Network Security Monitoring.” I was going to do a book study group at school when it came out, but it turned out to be a required text for my Incident Response course.

Sadly, that class was a mess, and I don’t think we used the book in it at all. A different friend and I referenced the book to build a project for one of our other classes. We used it to build several honeypots, with what was supposed to be centralized logging. That, however, failed because of the data center we put the logging server in. For some reason, the DC we picked for the log server didn’t allow logging traffic into it. The other DCs through the VPS provider would have worked fine, just not that one. No clue why. We did complete the project with the honeypots, but had to monitor each one instead of having central logs.

Anyway, talking about burnout recently with the first friend mentioned above, we both feel burnt out. We don’t want to do anything computer-related after work: studying, Udemy, Coursera, Hack-in-The-Box, TryHackMe, scripting, blogging, etc. To get around this, we’re going to work through Applied Network Security Monitoring, and we’re also going to blog about it.
Before confirming this was the book and project we would do, we asked Chris Sanders via Twitter if the book’s material was still relevant. He said the concepts would be, but the tools would be different now.

It should be fun.

Once my friend gets his blog set up, I’ll link to it too. And yes, I know I still have some OpenFAIR/CTI/OSINT related content I want to blog about; see the comment about being burnt out above.

Intelligence – Garbage In, Gospel Out

I don’t remember which podcast or who said it, but “Garbage In, Gospel Out” is so true, especially when talking about Cyber Threat Intelligence. I talked a little about this before, both in conference talks and in Validate Data Before Sharing.

But here it is, three years later, and the problem remains. I’m willing to say it is getting worse. We’re not running full life cycles, either Intelligence or Incident Response; we get to the collection phase and call it done. NixIntel has a good post on that on their blog.


Docker and REMnux part 2

In my last post I talked about how I played with Docker on a VM I constantly re-stage to its original state. Some of what is below can be found in my Peerlyst post too.

Considering how long it took to download the images, I decided on a fresh revert, then updated the box, installed docker.io, and installed the REMnux images.

Using the thug image, I found that the container image doesn’t match the directions on the REMnux site, the Docker Hub page, or the GitHub page.

However, reading the Dockerfile gives the needed information.

The first thing that differs is the way thug is run now. To run thug, one has to do

But before that, to run the container and be able to get the logs out, the following has to be used.

/tmp/thug/logs is the current working directory in the Dockerfile on GitHub.

scripts to decode base64 and hex

About a month ago, I added a couple of shell scripts to my DFIR GitHub repository. Three of the four scripts are used at work daily in either a Linux terminal or a Cygwin terminal. The fourth script is something I use to help with quarantined mail and isn’t really DFIR-based.

b64Decode.sh and hexConvert.bash take command-line arguments and report back the result.
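The post’s own example output is not reproduced on this archive page. As an added illustration of the same idea (this is not the repository’s b64Decode.sh or hexConvert.bash, and the option names and inputs below are my own assumptions), here is a Python equivalent that decodes a base64 or hex argument and prints the result. It tolerates the rough inputs you usually paste out of logs and email: missing “=” padding, the URL-safe alphabet, and hex written as “41 42”, “0x41,0x42” or “\x41\x42”.

```python
"""Added example (not the blog's scripts): decode base64 or hex passed on the
command line, as a DFIR helper. Inputs and option names are assumptions."""
import base64
import binascii
import re
import sys


def decode_b64(text: str) -> bytes:
    """Decode standard or URL-safe base64, tolerating missing '=' padding
    and embedded whitespace (common when copying out of logs or email)."""
    cleaned = re.sub(r"\s+", "", text)
    # URL-safe alphabet uses '-' and '_' instead of '+' and '/'.
    cleaned = cleaned.replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)   # restore stripped padding
    return base64.b64decode(cleaned, validate=True)


def decode_hex(text: str) -> bytes:
    """Decode a hex string; accepts '0x' prefixes, '\\x' escapes, and spaces,
    colons or commas between bytes (e.g. '41 42', '0x41,0x42', '\\x41\\x42')."""
    cleaned = re.sub(r"(?i)\\x|0x", "", text)   # drop \x and 0x prefixes
    cleaned = re.sub(r"[\s:,]", "", cleaned)    # drop byte separators
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return binascii.unhexlify(cleaned)


def render(data: bytes) -> str:
    """Show decoded bytes as text if printable, else as an escaped repr,
    so a binary blob doesn't garble the terminal."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return repr(data)
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return repr(data)


def main(argv):
    if len(argv) != 3 or argv[1] not in ("b64", "hex"):
        print("usage: decode.py b64|hex <value>", file=sys.stderr)
        return 2
    decoder = decode_b64 if argv[1] == "b64" else decode_hex
    try:
        print(render(decoder(argv[2])))
    except (binascii.Error, ValueError) as exc:
        print(f"decode failed: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python decode.py b64 aGVsbG8gd29ybGQ` or `python decode.py hex "48 65 6c 6c 6f"`. Decoding with `validate=True` and surfacing a non-zero exit on failure matters when these helpers get chained into other scripts: silently producing garbage from a truncated or non-base64 string is how bad indicators get into a block list.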


Script(s) to extract HTTP Host data from file

A while ago, I created a new repository on GitHub for the scripts I wrote for DFIR. Since then, it only had the Computer Ping script in it. Today I added the first of the Extractor scripts.

The first extractor script, xHttpExtractor.py, came about from a web-based tool I used. It would run on a file uploaded to it and then list a bunch of indicators: system artifacts, URL call-outs, network communication, etc. However, the tool didn’t have a good export mechanism at the time, so I would copy and paste everything to a text file and then extract the URL host details from the text files, mainly so I could add the URL indicators to the web proxy.
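As an added example of that extraction step (this is not xHttpExtractor.py, and the sample report text is constructed for the example), the script below pulls URLs out of pasted tool output and reduces them to a unique, sorted hostname list suitable for a proxy block list. It also handles two things that copy-and-pasted sandbox output commonly contains: defanged URLs (hxxp, “[.]”) and trailing punctuation from surrounding prose.

```python
"""Added example (not the blog's xHttpExtractor.py): pull URLs out of pasted
report text and reduce them to unique hostnames for a web-proxy block list.
SAMPLE_REPORT is constructed for this example."""
import re
from urllib.parse import urlsplit

# Constructed sample: the kind of copy/pasted report the post describes,
# including a defanged URL (hxxps, [.]) and trailing punctuation from prose.
SAMPLE_REPORT = """
Network communication:
  GET http://Evil-Example.test/payload.exe?id=1
  POST https://cdn.evil-example.test:8443/beacon
  hxxps://evil-example[.]test/stage2.bin,
System artifacts:
  C:\\Users\\victim\\AppData\\Local\\Temp\\x.exe
Also seen: http://203.0.113.10/update.php.
"""

# http/https and the defanged hxxp/hxxps forms; stop at whitespace or quotes.
URL_RE = re.compile(r"\b(?:h[tx]{2}ps?)://[^\s\"'<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo common defanging so urlsplit can parse the URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def extract_hosts(text: str) -> list[str]:
    """Return sorted, de-duplicated hostnames (no scheme, port, path or userinfo)."""
    hosts = set()
    for match in URL_RE.finditer(text):
        url = refang(match.group(0)).rstrip(".,;)")  # strip prose punctuation
        host = urlsplit(url).hostname                # lowercases, drops port/userinfo
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_REPORT):
        print(host)
```

Using `urlsplit(...).hostname` rather than a hand-written regex is deliberate: it lowercases the name, drops a `user:pass@` prefix and an explicit port, so `Evil-Example.test` and `evil-example.test` collapse to one proxy entry and a credential embedded in a URL never ends up in the block list.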


Different ways to use TOR

While catching up on SANS’ Internet Storm Center StormCast during my drive, I heard this episode. In it, Johannes Ullrich mentioned this article about using DRM to decloak Tor users. Short version: users running the Tor Browser Bundle click a link, and Microsoft Windows launches the media player outside the Tor network, exposing the user’s real IP address.

This attack could be mitigated by using Tails or something else that forces all traffic through Tor. That made me think I should share all the ways I use Tor.


Script(s) to ping a computer

I rewrote a script I use at work. It was a messy bit of Python 3 previously. While it’s still not the cleanest of Python scripts, it scratches my itch. It was originally just a straight line of commands with lots of repeated code. I made some functions and made it a little more modular. I know I need to learn PEP 8 and start following it. This was just to improve something I wrote previously with things I learned from Automate the Boring Stuff with Python.

I’ve shared it via my GitHub repository for DFIR scripts. They’re clean (not tied to any company). There is only Computer Ping for right now. There are three scripts, all based on the same idea:

Ping a computer; if it is down, keep trying every 10 minutes for 1 hour. Pop an “alert” if the target comes up, or if the script finishes before it came up.

  • 1 version for Windows running python (wComputerPing.py)
  • 1 version for Windows running Cygwin (cwComputerPing.py)
  • 1 version for boxes running Linux (lComputerPing.py).
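As an added example of the wait-and-alert logic the three scripts share (this is not wComputerPing.py, cwComputerPing.py or lComputerPing.py; merging the three per-OS versions behind one platform check is my own design choice), the script below probes immediately, retries every 10 minutes for an hour, and alerts either way. The probe and sleep calls are passed in as functions so the retry loop can be exercised without a network or a real hour of waiting.

```python
"""Added example (not the blog's ComputerPing scripts): ping a host, retry every
10 minutes for an hour, then alert. The per-OS ping flags and the platform check
are assumptions about how the three versions could be merged."""
import platform
import subprocess
import sys
import time
from typing import Callable


def ping_once(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the OS ping binary; True on reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]  # ms
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]         # seconds
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 5)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def wait_for_host(host: str,
                  probe: Callable[[str], bool] = ping_once,
                  sleep: Callable[[float], None] = time.sleep,
                  interval_s: int = 600,
                  max_wait_s: int = 3600) -> tuple[bool, int]:
    """Probe now, then every interval_s until max_wait_s has elapsed.
    Returns (came_up, attempts). With the defaults that is 7 probes
    over one hour (t = 0, 10, ..., 60 minutes)."""
    attempts = 0
    waited = 0
    while True:
        attempts += 1
        if probe(host):
            return True, attempts
        if waited >= max_wait_s:
            return False, attempts
        sleep(interval_s)
        waited += interval_s


def alert(message: str) -> None:
    """Placeholder 'alert': print with a terminal bell. A desktop
    notification could be substituted here per platform."""
    print(f"\a{message}")


def main(argv):
    if len(argv) != 2:
        print("usage: computer_ping.py <host>", file=sys.stderr)
        return 2
    host = argv[1]
    up, attempts = wait_for_host(host)
    if up:
        alert(f"{host} is up after {attempts} attempt(s)")
        return 0
    alert(f"{host} still down after {attempts} attempt(s) over one hour")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Injecting `probe` and `sleep` is what makes the loop testable: the retry count and the intervals can be asserted in seconds without pinging anything, which is also how you would check the script against a host that comes back mid-window versus one that never does.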

I’ll write others and upload them to the repository as I have time / rewrite stuff I use. They might not all be Python, but my goal is to be more Python than not.